Encryption of traffic in Direct Connect, Part 2
- Tutorial
- Who are you???
- I am a new Russian.
- And then who am I?
Preface
In the first part of the article, we built the ADCs hub and talked about Direct Connect as a whole.
Today we have to learn how to use such a hub for its intended purpose. To do this, we’ll talk about the features of compatible DC clients and make them friends with TLS.
In the settings of each of them you will need to pay attention to the Encryption section , also known as Security & certificates or Security .
AirDC ++
Advanced heir to the legendary fulDC ++, the very first mod of the original client. Visible and adequate.
The AirDC ++ settings for working on the ADCs hub. The
key and certificate are generated when the client is first started (or on demand) and valid for 360 days.
Note that when connecting clients to each other, TLS can also be used on a normal ADC hub, but with an unpredictable result (see the previous part of the article).
And what for the client is hub with trusted certificate ?
As the tests showed, even if you feed the real hub, a certificate signed by the authorization center (or at least from Let's Encrypt), it will not be trusted for the client.
[S] = Secure, [U] = Untrusted
The criterion of trust for the ADCs of the hub is the coincidence of the certificate fingerprint obtained by the client itself with the explicitly indicated in the address of the hub.
It is touching, but useless, because the keyprint will not be forever the same; which means it is not suitable for mass use.
A better way to get the coveted [S] is to save the hub certificate in a folder specifically designed for this (it usually coincides with the one in which the client stores its own "documents"). The certificate, of course, must be requested from the hub administrator.
What is direct encrypted private message channels ?
DC ++, AirDC ++ and, suddenly, SharikDC can send private messages to each other over a secure channel , bypassing the hub. Hello, Telegram! ..
DC ++
The original NMDC / ADC client, the most unassuming. However, the safety of its developerspay a lot of attention.
Settings DC ++ for work on ADCs hub
ApexDC ++
Settings ApexDC ++ for work on ADCs hub
The most tolerant. It focuses on the security settings of the remote client - therefore, along with the secure ones, normal connections can also be skipped (for example, with unconfigured FlylinkDC ++).
Anyway, this is the best option for the "hot" replacement completely obsolete StrongDC ++.
EiskaltDC ++ EiskaltDC ++
settings for working on ADCs hub
FlylinkDC ++
The strictest and most inadequate. And the translation of options is not quite correct.
Settings FlylinkDC ++ for work on ADCs hub
Strict, because it requires all and all signed certificateswhich still can not check . Inadequate, because by default it completely ignores secure connections and allows normal ones.
AirDC ++ vs. FlylinkDC ++
Epilogue
In case of successful connection setup using TLS (for example, when downloading fajllisty) column Cipher or Identifier in window transmission is full (in AirDC ++ differently cm. Below)
As you can see, is not without roughness, but TLS occurs in DC be works; There are plans to further develop this topic. By the way! On February 10th of this year, the first online meeting of the DC community this year will be held at 19:00 CET at the DCNF office . there will be a public discussion of one new idea… Interesting? Then go for a light!
- I am a new Russian.
- And then who am I?
Preface
In the first part of the article, we built the ADCs hub and talked about Direct Connect as a whole.
Today we have to learn how to use such a hub for its intended purpose. To do this, we’ll talk about the features of compatible DC clients and make them friends with TLS.
In the settings of each of them you will need to pay attention to the Encryption section , also known as Security & certificates or Security .
It is needless to mention that when using the active mode, the TCP port for TLS should also be forwarded.
AirDC ++
Advanced heir to the legendary fulDC ++, the very first mod of the original client. Visible and adequate.
The AirDC ++ settings for working on the ADCs hub. The
key and certificate are generated when the client is first started (or on demand) and valid for 360 days.
Note that when connecting clients to each other, TLS can also be used on a normal ADC hub, but with an unpredictable result (see the previous part of the article).
And what for the client is hub with trusted certificate ?
As the tests showed, even if you feed the real hub, a certificate signed by the authorization center (or at least from Let's Encrypt), it will not be trusted for the client.
[S] = Secure, [U] = Untrusted
The criterion of trust for the ADCs of the hub is the coincidence of the certificate fingerprint obtained by the client itself with the explicitly indicated in the address of the hub.
*** Connecting to adcs: //babylon.aab21pro.org: 412 /? Kp = SHA256 / 1QTHF6U3SDQPQKCCGGZZYK4LQS322MIXI64GMAX7PXLGKYCYTJOQ ...
*** TLS error: Keyword mismatch
*** allow to proceed with untrusted connection
It is touching, but useless, because the keyprint will not be forever the same; which means it is not suitable for mass use.
A better way to get the coveted [S] is to save the hub certificate in a folder specifically designed for this (it usually coincides with the one in which the client stores its own "documents"). The certificate, of course, must be requested from the hub administrator.
What is direct encrypted private message channels ?
DC ++, AirDC ++ and, suddenly, SharikDC can send private messages to each other over a secure channel , bypassing the hub. Hello, Telegram! ..
DC ++
The original NMDC / ADC client, the most unassuming. However, the safety of its developerspay a lot of attention.
Settings DC ++ for work on ADCs hub
ApexDC ++
Settings ApexDC ++ for work on ADCs hub
The most tolerant. It focuses on the security settings of the remote client - therefore, along with the secure ones, normal connections can also be skipped (for example, with unconfigured FlylinkDC ++).
Anyway, this is the best option for the "hot" replacement completely obsolete StrongDC ++.
EiskaltDC ++ EiskaltDC ++
settings for working on ADCs hub
FlylinkDC ++
The strictest and most inadequate. And the translation of options is not quite correct.
Settings FlylinkDC ++ for work on ADCs hub
Strict, because it requires all and all signed certificates
AirDC ++ vs. FlylinkDC ++
Epilogue
In case of successful connection setup using TLS (for example, when downloading fajllisty) column Cipher or Identifier in window transmission is full (in AirDC ++ differently cm. Below)
As you can see, is not without roughness, but TLS occurs in DC be works; There are plans to further develop this topic. By the way! On February 10th of this year, the first online meeting of the DC community this year will be held at 19:00 CET at the DCNF office . there will be a public discussion of one new idea… Interesting? Then go for a light!