Using the Redirector :: Encryption
Encryption is an optional feature of the Serial/IP Redirector. Encryption is available in the redirector only if allowed by the license key. If encryption is available, each virtual COM port can be independently configured to use encryption for its connections.
The Encryption feature essentially offers three things:
Encryption of the data in the redirector's network connection to the serial device server. Without encryption, data on the network connection is transmitted in the clear, as read/written at the virtual COM port.
Authentication of the server's identity by requesting and processing its SSL certificate.
Transmission of the redirector's own SSL certificate, if requested by the server.
Encryption is configured in the Serial/IP Redirector using three sets of Advanced Options:
SSL Encryption — how data will be encrypted.
SSL Authentication — how a server's identity will be authenticated.
SSL Certificate — what SSL certificate will be supplied by the redirector, if requested.
A virtual COM port using encryption can be configured to use SSL v3 and/or TLS v1 protocols. In this document, the term SSL generally refers to both protocols, which effectively have the same functions.
Before you configure the redirector:
Check the requirements that apply when using encryption, which are mainly related to the network peer.
If the redirector will be configured to provide an SSL certificate, you are advised to obtain your own certificate to use instead of the sample certificate provided with the Serial/IP software. The sample certificate does not provide the standard level of security.
In the Serial/IP Control Panel:
Click Advanced to get the Advanced Options window.
In the SSL Encryption tab, adjust the default settings if:
you wish to restrict the available ciphers,
OR
you wish to narrow the range of available cipher strengths.
In the SSL Authentication tab, set up validation criteria and the certificate authority keys if:
any virtual COM port will accept an inbound connection with encryption,
OR
you wish to use a second level of security by validating fields in the certificate that the server supplies,
OR
you wish to use your own set of certificate authority keys instead of the default set.
In the SSL Certificate tab, specify the redirector's certificate if:
any virtual COM port will accept an inbound connection with encryption,
OR
the server will demand a certificate. (This is uncommon.)
NOTE: All encryption settings are global and apply to all virtual COM ports that use encryption.
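The checklist above asks you to verify the network peer before relying on the redirector's settings. The script below is an added example, not part of the Serial/IP documentation and not Tactical Software's code; it performs the same three checks from a workstation using Python's ssl module: which cipher suites a cipher specification leaves enabled (the SSL Encryption tab), whether the device server's certificate validates against a CA set you choose and carries the subject fields you expect (the SSL Authentication tab), and which protocol and cipher the peer negotiates. The host, port, CA file name, expected subject values and the sample certificate dictionary are constructed placeholders; the TLS 1.2 floor is an assumption about the device server, since current OpenSSL builds will not negotiate the SSL v3 / TLS v1 options the page mentions.

```python
"""Pre-deployment check of a serial device server's TLS configuration.

Added example: not part of the Serial/IP documentation and not Tactical
Software's code.  It exercises, from the client side, the settings the
page describes: which suites a cipher specification enables, whether the
peer's certificate validates against a chosen CA set and which subject
fields it carries, and what protocol and cipher the peer negotiates.
Host, port, CA file and expected subject values are placeholders.
"""
from __future__ import annotations

import socket
import ssl
import time


def cipher_policy(spec: str, min_bits: int = 128) -> tuple[list[str], list[str]]:
    """Apply an OpenSSL cipher-list string and report which suites this
    OpenSSL build enables, split into those at or above `min_bits` of
    symmetric key strength and those below it (the ones to exclude)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the spec enables nothing
    ok, weak = [], []
    for c in ctx.get_ciphers():
        (ok if c["strength_bits"] >= min_bits else weak).append(c["name"])
    return ok, weak


def check_cert_fields(cert: dict, expected_subject: dict[str, str],
                      now_ts: float | None = None) -> list[str]:
    """Validate a peer certificate in the dict form returned by
    ssl.SSLSocket.getpeercert(): every expected subject field must match
    and the certificate must not be expired at `now_ts` (epoch seconds,
    default: the current time).  Returns a list of problems; an empty
    list means the certificate passed the field checks."""
    problems: list[str] = []
    # subject is a tuple of RDNs, each a tuple of (attribute, value) pairs
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    for field, want in expected_subject.items():
        got = subject.get(field)
        if got != want:
            problems.append(f"subject {field}: expected {want!r}, got {got!r}")
    # getpeercert() formats validity dates like 'Jun  1 12:00:00 2030 GMT'
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if (time.time() if now_ts is None else now_ts) > not_after:
        problems.append(f"certificate expired on {cert['notAfter']}")
    return problems


def probe_server(host: str, port: int, cafile: str, cipher_spec: str,
                 expected_subject: dict[str, str], timeout: float = 5.0) -> dict:
    """Open one TLS connection to the device server and report what was
    negotiated.  CA validation stays on (CERT_REQUIRED); host name matching
    is turned off because device servers are usually addressed by IP and
    their certificates rarely carry a matching name, so the subject fields
    are checked explicitly instead, much as the redirector's validation
    criteria do."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Assumption: the device server supports TLS 1.2 or later.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_spec)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": cert.get("subject"),
                "problems": check_cert_fields(cert, expected_subject),
            }


# Constructed sample in getpeercert() form, used to exercise the field
# check offline; it does not describe any real device.
SAMPLE_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Devices"),),
                (("commonName", "devserver-01"),)),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jun  1 12:00:00 2020 GMT",
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

if __name__ == "__main__":
    ok, weak = cipher_policy("HIGH:!aNULL:!MD5")
    print(f"{len(ok)} suites enabled, {len(weak)} below 128 bits: {weak}")
    print("sample cert problems:",
          check_cert_fields(SAMPLE_CERT, {"commonName": "devserver-01"}))
    # Live check against a real device server (placeholder values):
    # probe_server("192.0.2.10", 4001, "ca.pem", "HIGH:!aNULL:!MD5",
    #              {"commonName": "devserver-01"})
```

Run `cipher_policy` with the same cipher specification you intend to enter in the SSL Encryption tab: the `weak` list is what the strength restriction must exclude. Run `probe_server` once per device server before enabling Use Encryption on its virtual COM port; a non-empty `problems` list or a handshake error means the peer's certificate or protocol support will not satisfy the redirector's validation settings either.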
In the Serial/IP Control Panel:
Select the virtual COM port.
Select the check box Use Encryption.
If the network peer is only able to use SSL v3 or TLS v1, select the corresponding setting in the drop-down list.
NOTE: When encryption is selected for a virtual COM port, it will only connect to network peers that support encryption.
Recommended reading for detailed information: SSL and TLS: Designing and Building Secure Systems by Eric Rescorla (ISBN 0201615983)
The encryption software used by the Serial/IP Redirector is the OpenSSL toolkit. This software is incorporated in the redirector driver and is entirely independent of any other encryption support that might be used by other applications. It does not share any code or configuration information with other software running on the computer.
SSL encryption is not the same as SSH. SSH provides secure shell functions, whereas SSL encryption is used to secure TCP connections. SSH has login-related functions not needed by a redirector and SSH is a tunneling protocol that is potentially less secure because another application could use the SSH connection for unintended purposes.
A maximum cipher strength may be imposed by the license key.