Skip to content

Commit

Permalink
Updated according to v2.4.0
Browse files Browse the repository at this point in the history
  • Loading branch information
albertony committed Nov 9, 2021
1 parent 20540b1 commit 661cf3f
Showing 1 changed file with 39 additions and 40 deletions.
79 changes: 39 additions & 40 deletions Command-Line.md
Original file line number Diff line number Diff line change
Expand Up @@ -64,12 +64,14 @@ This will only effect command prompts opened after the change.

The command line version of Barrier is a single client executable `barrierc.exe`
and a single server executable `barriers.exe`. They both have a dependency to OpenSSL
libraries, `libeay32.dll` and `ssleay32.dll` (used for encryption with argument
`--enable-crypto`), as well as Microsoft Visual C++ runtime libraries.
libraries, `libeay32.dll` and `ssleay32.dll` (used for encryption, unless argument
`--disable-crypto`), as well as Microsoft Visual C++ runtime libraries.

From an existing installation you can copy the necessary program files to
a location of choice, to get a command line only portable (depending on configuration)
installation. Copy the following files from the installation directory `C:\Program Files\Barrier`:
installation. It is also possible to extract the files directly from the installer
by using the tool [innounp](http://innounp.sourceforge.net/).
Copy the following files from the installation directory `C:\Program Files\Barrier`:

```
barrierc.exe
Expand All @@ -78,22 +80,18 @@ libeay32.dll
ssleay32.dll
```

To be able to generate server certificate, you can also choose to include the OpenSSL
application itself (on the server), together with Barrier's predefined OpenSSL
configuration file:
As long as you have the
[Microsoft Visual C++ Redistributable for Visual Studio 2019](https://visualstudio.microsoft.com/downloads/)
installed (or copy the necessary runtime libaries `msvcp140.dll`, `vcruntime140.dll` and
`vcruntime140_1.dll` into the application directory), you will now have a stand-alone
application directory that you can manually copy into computers where you need it.

```
openssl.exe
barrier.conf
```

As long as you have the [Microsoft Visual C++ Redistributable for Visual Studio 2019](https://visualstudio.microsoft.com/downloads/) installed (or copy the necessary runtime libaries
`msvcp140.dll`, `vcruntime140.dll` and `vcruntime140_1.dll` into the application directory),
you will now have a stand-alone application directory that you can manually copy into computers
where you need it.
To be able to generate server certificate used for encryption, you may need a separate
OpenSSL installation (on the server).

For a completely portable installation, with local configuration, you must configure the
location of server configuration file and SSL/TLS configuration files. See [Text File Configuration](#text_config), [Server Command Line Options](#server_cli),
location of server configuration file and SSL/TLS configuration files. See
[Text File Configuration](#text_config), [Server Command Line Options](#server_cli),
[Client Command Line Options](#client_cli) and [SSL/TLS Configuration](#ssl_config), below.

<a href="#top">Back to top</a>
Expand Down Expand Up @@ -164,8 +162,10 @@ Options:
-l --log <file> write log messages to file.
--no-tray disable the system tray icon.
--enable-drag-drop enable file drag & drop.
--enable-crypto enable the crypto (ssl) plugin.
--enable-crypto enable the crypto (ssl) plugin (default, deprecated).
--disable-crypto disable the crypto (ssl) plugin.
--profile-dir <path> use named profile directory instead.
--drop-dir <path> use named drop target directory instead.
-f, --no-daemon run in the foreground.
```

Expand Down Expand Up @@ -193,8 +193,10 @@ Options:
-l --log <file> write log messages to file.
--no-tray disable the system tray icon.
--enable-drag-drop enable file drag & drop.
--enable-crypto enable the crypto (ssl) plugin.
--enable-crypto enable the crypto (ssl) plugin (default, deprecated).
--disable-crypto disable the crypto (ssl) plugin.
--profile-dir <path> use named profile directory instead.
--drop-dir <path> use named drop target directory instead.
-f, --no-daemon run in the foreground.
--daemon run as a daemon. (*)
```
Expand Down Expand Up @@ -552,8 +554,8 @@ sections, `[General]` and `[internalConfig]`.
## <a name="ssl_config">SSL/TLS Configuration</a>

Barrier supports SSL/TLS encryption, by use of the `OpenSSL` library (included).
This must be anabled with command line argument `--enable-crypto`, and requires a
certificate and fingerprint to be configured.
Starting with version 2.4.0 this is enabled by default, but requires a certificate
and fingerprint.

The SSL related configuration is kept in subdirectory "SSL" in the same user specific location
as the [text file configuration](#text_config) is loaded from: By default
Expand All @@ -568,7 +570,8 @@ connection. A server's fingerprint must be generated from the certificate, and m
in file `SSL/Fingerprints/Local.txt` on the server. All clients must have the fingerprint
hash string of trusted servers in a file `SSL/Fingerprints/TrustedServers.txt`.
When connecting to a server, if it presents a fingerprint not explicitely trusted by the client,
it will refuse the connection. See also [Fingerprint trust troubleshooting](https://github.com/debauchee/barrier/wiki/Troubleshooting#fingerprint-trust).
it will refuse the connection. See also
[Fingerprint trust troubleshooting](https://github.com/debauchee/barrier/wiki/Troubleshooting#fingerprint-trust).

The server will therefore typically contain the following files:
```
Expand All @@ -586,35 +589,31 @@ Clients must contain the following file:
The main UI application has built-in functionality for handling encryption.
In server mode it will generate a self-signed server certificate and a fingerprint.
In client mode it will prompt for you to accept the server's fingerprint, and add
it to your list of trusted servers.
In a command line only ([portable](#portable)) environment you will have to handle
this manually. You can use the OpenSSL command line utility which is included in
a Barrier installation together with a Barrier specific OpenSSL configuration
file `barrier.conf`. To create them the same way as the UI application does,
you can follow the following Windows example. It uses `openssl.exe` and `barrier.conf`
from a Barrier installed in default location `C:\Program Files\Barrier`, generating
configuration in default location `%LocalAppData%\Barrier\SSL`. If you have the
OpenSSL files in a different location and/or are planning to keep the SSL files in
a custom location specified with command line argument `--profile-dir`, you must
change the paths in the example accordingly.
it to your list of trusted servers. In a command line only ([portable](#portable))
environment you will have to handle this manually.

To manually create the certificate and fingerprint similar to how the UI application does
it, you can follow the Windows example below. It creates them in the default location
`%LocalAppData%\Barrier\SSL`. If you have the are planning to keep the SSL files in a
custom location specified with command line argument `--profile-dir`, you must change
the paths in the example accordingly. It also requires an OpenSSL installation,
e.g installer from [http://slproweb.com/products/Win32OpenSSL.html] installed into
default location `C:\Program Files\OpenSSL-Win64`.

```
MKDIR "%LocalAppData%\Barrier\SSL\Fingerprints" >NUL 2>&1
SET OPENSSL_CONF=C:\Program Files\Barrier\barrier.conf
SET RANDFILE=%LocalAppData%\Barrier\SSL\.rnd
"C:\Program Files\Barrier\openssl.exe" req -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:2048 -keyout "%LocalAppData%\Barrier\SSL\Barrier.pem" -out "%LocalAppData%\Barrier\SSL\Barrier.pem"
IF EXIST "%RANDFILE%" DEL "%RANDFILE%"
FOR /F "tokens=2 delims=^=" %a in ('""C:\Program Files\Barrier\openssl.exe" x509 -fingerprint -sha1 -noout -in "%LocalAppData%\Barrier\SSL\Barrier.pem""') DO ECHO %a > "%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt"
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -config "C:\Program Files\OpenSSL-Win64\bin\openssl.cfg" -x509 -nodes -days 365 -subj /CN=Barrier -newkey rsa:2048 -keyout "%LocalAppData%\Barrier\SSL\Barrier.pem" -out "%LocalAppData%\Barrier\SSL\Barrier.pem"
FOR /F "tokens=2 delims=^=" %%a in ('""C:\Program Files\OpenSSL-Win64\bin\openssl.exe" x509 -fingerprint -sha256 -noout -in "%LocalAppData%\Barrier\SSL\Barrier.pem""') DO ECHO v2:sha256:%a > "%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt"
```

Now, on any clients you must manually ensure there is a text file
`%LocalAppData%\Barrier\SSL\Fingerprints\TrustedServers.txt`,
and append a line to it, with the hash string from the server's
`%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt`,
and append the line from the text file
`%LocalAppData%\Barrier\SSL\Fingerprints\Local.txt` on server,
e.g.

```
96:32:AB:DD:38:5C:E5:21:20:8E:52:E8:83:28:A0:2A:CC:CC:8F:A3
v2:sha256:92:D0:AB:DD:38:5C:E5:21:20:8E:52:E8:83:28:A0:2A:CC:CC:8F:A3:70:41:9B:A6:D7:98:9C:ED:50:3F:D7:FE
```


Expand Down

0 comments on commit 661cf3f

Please sign in to comment.