Encrypted Network Connection

Last updated on Jan 18, 2021

An HVR connection to a remote HVR location can be encrypted so that communication over the network is more secure. When encryption is activated for an HVR location, every byte sent over the network (in either direction) is encrypted with the TLS protocol. 

Since HVR 5.3.1/21, HVR uses TLS version 1.3 and prior to HVR 5.3.1/21, HVR used TLS version 1.0.

For network encryption, HVR uses OpenSSL, which was developed by the OpenSSL Project.

If necessary, the HVR hub and each remote location in an HVR channel can be given their own private key/public certificate pairs, so that both the hub and the locations can verify each other's identity.

To allow the hub to verify the identity of each remote location:

  1. Supply the location's public certificate and private key to the HVR child process on a remote machine.
  2. On the hub, use parameter LocationProperties /SslRemoteCertificate to point to a copy of the location's public certificate.

To allow the remote location to verify the identity of the hub:

  1. On the hub, supply the hub's public certificate and private key using parameter LocationProperties /SslLocalCertificateKeyPair.
  2. On the remote location, point to a copy of the hub's public certificate in the HVR's access file access_conf.xml. For more information, refer to section Hvrproxy.

The RSA public certificate/private key pair is used to authenticate and start a session in HVR. The public certificate is embedded in an X509 certificate, and the private key is encrypted using an internal password with an AES256 algorithm. By default, the keys used for this asymmetric negotiation are 2048 bits long, although longer key lengths can be specified when generating a public certificate and private key pair. For more information, see command hvrsslgen.

The HVR hub guards against third parties impersonating the remote HVR location (e.g. by spoofing) by comparing the SHA256 checksums of the certificate used to create the secure connection and its own copy of the certificate.

Public certificates are self-signed. HVR checks that the hub on the remote machines' copies of this certificate are identical, so signing by a root authority is not required.

For the steps to set up an encrypted remote connection, refer to section Configuring Encrypted Network Connection.