Posts tagged SSL

Install SSLH on your Synology DiskStation


You’re in an office or using public wifi and ports other than 53, 80 and 443 are blocked. How to SSH or VPN to your DiskStation? SSLH provides a solution for this by acting as a proxy listening on port 443 and passing the traffic to daemons like SSHd, Apache or OpenVPN. The SSLH package is available in the SynoCommunity repository, but manual work needs to be done to get it working.

By default, Apache on the Synology listens on port 443 without binding to an IP-address or interface. The first step would be to change the configuration so Apache listens on port 443 on localhost only. SSH to the DiskStation and change the configuration in these 3 files:

  • /etc/httpd/conf/extra/httpd-ssl.conf
  • /etc/httpd/conf/extra/httpd-ssl.conf-sys
  • /etc/httpd/conf/extra/httpd-ssl.conf-user

This can be done for all three files at once with sed:

mkdir /root/http-backup
cp -a /etc/httpd/conf/extra/httpd-ssl.conf* /root/http-backup/
sed -i 's/\*:443/127.0.0.1:443/g' /etc/httpd/conf/extra/httpd-ssl.conf*

Now change the configuration of SSLH. By default, the service listens on port 3000. The configuration file can be found in /usr/local/sslh/var/sslh.cfg. Also change your host ( to the IP-address of the Synology. If you use multiple interfaces, use the one that faces your router.

When done, reboot your Synology DiskStation and test if https, ssh and/or OpenVPN works via port 443.
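Before the reboot, the Apache edit above can be rehearsed on a scratch copy and audited for binds it does not catch. This is an added example, not part of the original post: the sample config is constructed, and the function names (bind_loopback, audit_443, make_sample, rehearse) are made up for illustration.

```shell
#!/bin/sh
# Constructed sample config; real httpd-ssl.conf* files may hold other directives.

# The post's edit: point wildcard binds on port 443 at loopback, in place.
bind_loopback() {
    sed -i 's/\*:443/127.0.0.1:443/g' "$@"
}

# List active directives that still bind port 443 to anything but 127.0.0.1.
# Prints file:line:text for each hit; returns 1 if any were found, else 0.
audit_443() {
    pat='^[[:space:]]*(Listen|NameVirtualHost|<VirtualHost)[[:space:]]+([^[:space:]]*:)?443([^0-9]|$)'
    rc=0
    for f in "$@"; do
        hits=$(grep -nE "$pat" "$f" | grep -v '127\.0\.0\.1:443' || true)
        [ -z "$hits" ] && continue
        rc=1
        printf '%s\n' "$hits" | while IFS= read -r l; do printf '%s:%s\n' "$f" "$l"; done
    done
    return "$rc"
}

# Write a constructed httpd-ssl.conf into directory $1 for the rehearsal.
make_sample() {
    cat > "$1/httpd-ssl.conf" <<'EOF'
# Listen *:443 (commented out, ignored by the audit)
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
    SSLEngine on
</VirtualHost>
EOF
}

# Rehearse on a scratch copy: apply the edit, then report what it missed.
rehearse() {
    tmp=$(mktemp -d) || return 1
    make_sample "$tmp"
    bind_loopback "$tmp"/httpd-ssl.conf*
    status=0
    audit_443 "$tmp"/httpd-ssl.conf* || status=$?
    rm -rf "$tmp"
    return "$status"
}

rehearse || echo "port 443 is still bound beyond loopback; fix before starting sslh"
```

In the constructed sample the sed pattern rewrites the two `*:443` directives but leaves the bare `Listen 443`, which still binds every interface and would collide with SSLH on port 443.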

Changing vSphere Web Client certificate


So, you upgraded to VMware vSphere 5 and installed the Web Client. Welcome to the club. Now it’s time to change the SSL certificate from self-signed to something recognized as trusted by your browser. In my case there is already a valid wildcard certificate for *.domain.tld so let’s use this one.

First, find your private key, the certificate file and the chain certificate. I’m using Linux myself, but openssl is available for Windows too. Let’s copy them together in a working directory.

mba:demo randy$ ls -lha
total 24
drwxr-xr-x 5 rtenhave staff 170B Aug 20 13:05 .
drwxr-xr-x 6 rtenhave staff 204B Aug 20 13:04 ..
-rw-r--r-- 1 rtenhave staff 3.8K Aug 20 13:04 DigiCertCA.crt
-rw-r--r-- 1 rtenhave staff 2.4K Aug 20 13:04 star_domain.tld.crt
-rwxr-xr-x 1 rtenhave staff 1.6K Aug 20 13:04 star_domain.tld.key

As you can see, we have three files. Let’s create one file that can be used on Windows by the Tomcat Java server that’s being used by the vSphere Web Client. We need to create a so-called PKCS#12 certificate bundle that will include the private key, the certificate and the chain file. We use OpenSSL to achieve this.

openssl pkcs12 -export -out star_domain.tld.pfx -inkey star_domain.tld.key -in star_domain.tld.crt -certfile DigiCertCA.crt

The application will ask for a passphrase. The default passphrase in use by Tomcat is testpassword. You can find that one on your vCenter server in the file tomcat-server.xml located in the folder C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config. You can change it or leave it. That’s up to you. Since the Tomcat configuration file is readable by all users and the password is stored in plain text, changing it does not really make sense. I’ll skip the security part and why they (VMware) should use the keyring for that. Maybe another time…

Now transfer the files to your vCenter server and place them in the folder C:\Program Files\VMware\Infrastructure\vSphereWebClient\DMServer\config\ssl. I’d suggest taking a backup of the old certificates first.

Now restart the services and your new certificate is available.


