I'm trying to communicate a web application with a desktop application and I'm trying websockets.
The desktop application will be the websocket server, and the web application is the client.
Customers will have to download the desktop app (available for Mac, Windows and Linux) and install it on their own computer. The desktop application is just a 'print server' to print POS tickets directly, without the browser's confirmation, open the cash drawer, etc.
So, the websocket client will connect to wss://127.0.0.1 (the user's own desktop).
Ok, the application is working perfectly with a self signed SSL certificate, but... Is it enough for production?
I mean... What type of certificate do I need for this? Can I buy an SSL certificate for the 127.0.0.1 address?
Can I use a free self-signed certificate? Do browsers accept it?
I have developed the server desktop application for Mac, Windows and Linux (and the web app for the client side) and just need a proper certificate to release the service!
Related
My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use HTTP instead, then Chrome won't store cookies from the site, so the user's login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application
I have an old app made in VB.NET 2010.
The app has a GUI and connects to a SOAP service (asmx) on a remote server that runs over an HTTPS connection.
A few weeks ago the service provider changed the web address, so I updated the app and it works OK on my PC, where VB.NET is installed, and also on a PC that never had the app installed before. But when I try to run the app on the PC that has had it running for years, it does not work; instead I get this error:
Could not establish secure channel for SSL/TLS with authority....
I think there is probably a .config or .xml file that the older app created that is messing something up.
I also tried disabling the Windows 7 firewall with no luck.
Any clue please?
EDIT:
I just sniffed the connection and the PC that doesn't validate the certificate is trying to get some cab from
.GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab
I want to test building Progressive Web Apps and know this requires SSL. I am able to test on localhost (using npm http_server) but would like to test from other machines on the same local network and some mobile devices, so I need HTTPS and an SSL certificate.
I have tried using XAMPP on a Windows machine, and made a certificate using makecert, but even though I installed it in Chrome on another machine, it didn't work.
Any ideas how I can achieve this, i.e. run a web server of some kind on one Windows 10 machine, host the pages using SSL and browse from another machine and mobile devices?
Do I have to use 3rd party certs, and would these work on a local machine (e.g. by local IP) rather than a domain name?
Bit confused!
I am trying to do a performance test using JMeter for a mobile application. My application is secured and makes HTTPS calls. I came across the guide below on installing a certificate on the client side. Can anyone tell me how I can get this certificate?
Do I have to buy an SSL certificate and install it on my computer and my Android device?
Can someone help me understand the guide below in plain English? I am successfully able to record and play back when our mobile app is not secured, i.e. able to make HTTP calls without any trouble. Thanks, and any help is appreciated. Also, I am okay to pay for training on JMeter from someone who can teach me how to do this. Thanks.
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
In order to be able to record the mobile device traffic you need to install JMeter's MITM certificate, which will allow JMeter to intercept and decrypt secure requests.
You don't need to buy anything. The certificate is generated in the "bin" folder of your JMeter installation when you start the HTTP(S) Test Script Recorder; the file is called ApacheJMeterTemporaryRootCA.crt and this is the certificate you need to install onto your mobile device/emulator in order to be able to record HTTPS traffic.
The instructions differ depending on the mobile OS and even the OS version. The most painful is capturing traffic on Android >= 7.0; the exact steps can be found in the Bypassing Android’s Network Security Configuration and Recording Using Android Devices guides.
Working with a ticketing system site that must be accessed via HTTPS at https://www.threestages.net
Our images are hosted elsewhere (https://wserver.flc.losrios.edu/~vapa/) and also accessed via HTTPS.
We have multiple reports that Safari 4.1.3 on Macs is not displaying the images. We have no reports of this behavior from any other browser or platform.
Anyone have any notion what that would be about?
Thanks for any thoughts,
JG
So it turns out that Safari has an issue with the SSL Cert at https://wserver.flc.losrios.edu/
http://www.sslshopper.com/ssl-checker.html let me know that:
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."
Thanks for looking at this. Valuable lessons learned:
Even if 4 out of 5 browsers accept an SSL Cert that doesn't mean they all do
Just because the sysadmin says it's not his problem/mistake doesn't make it so!
Check everything. Then repeat.
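The failure the SSL checker reported, reproduced offline as an added example (not part of the original post): a server certificate issued by an intermediate CA only verifies when the intermediate is supplied alongside it. All subjects, file names and the host name images.example.test are constructed, and the openssl command-line tool is assumed to be installed.

```shell
# Constructed demo: every subject, host name and file below is made up.

# Build root CA -> intermediate CA -> server (leaf) certificate in directory $1.
build_chain() {
    (
        cd "$1" || exit 1
        cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
[leaf_ext]
basicConstraints = CA:FALSE
subjectAltName = DNS:images.example.test
EOF
        # Self-signed root: the only certificate the client trusts.
        openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
            -subj "/CN=Demo Root CA" -days 30 -config demo.cnf -extensions ca_ext
        # Intermediate CA, signed by the root.
        openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
            -subj "/CN=Demo Intermediate CA" -config demo.cnf
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
            -out int.crt -days 30 -extfile demo.cnf -extensions ca_ext
        # Server certificate, signed by the intermediate (not by the root).
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=images.example.test" -config demo.cnf
        openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
            -out leaf.crt -days 30 -extfile demo.cnf -extensions leaf_ext
    ) >/dev/null 2>&1
}

# Verify the leaf against the trusted root. $2 = "yes" when the server also
# sends the intermediate (-untrusted: chain material offered, not trusted).
verify_leaf() {
    if [ "$2" = "yes" ]; then
        openssl verify -CAfile "$1/root.crt" -untrusted "$1/int.crt" "$1/leaf.crt"
    else
        openssl verify -CAfile "$1/root.crt" "$1/leaf.crt"
    fi 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d) && build_chain "$dir" || exit 1
verify_leaf "$dir" no  && echo "leaf only:           trusted" || echo "leaf only:           NOT trusted"
verify_leaf "$dir" yes && echo "leaf + intermediate: trusted" || echo "leaf + intermediate: NOT trusted"
rm -rf "$dir"
```

Against a live server, `openssl s_client -connect <host>:443 -showcerts` lists the certificates the server actually sends, so a missing intermediate shows up as a chain containing only the server certificate.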