I have an intranet application that runs over https and it needs to access a websocket sever that needs to runs over wss because chrome mixed content security. Both applications use self-signed certificates but is not possible to access the websocket server because chrome doesn't trust in self-signed certificate unless user authorize. So, cause of that the connection fails. Is there a way to have a valid certificate to use in intranet application? Or is there another way to solve this problem?
You can generate a certificate for websocket.intranet.example.com with a public DNS that doesn't point to the real websocket server, and then copy that certificate in the real server.
Of course, your internal DNS resolver must point websocket.intranet.example.com to the real websocket server
Related
I am having a doubt regarding SSL certificate. We've some third party vendor who has exposed their services but asks for SSL certifcate to be attached in request.
Our java code is deployed on Weblogic server. Now we have configured SSL certificate (complete chain) in WLS using keystore. it's done on port 9003. Now when I connect with putty to my WLS over SSH and try to curl the test url of the third party vendor, I am getting un authorized error.
Upon inquiring the same to third party vendor, they said I must send my certificate with the request.
Now my question is, if my server is configured with the SSL certificate, do I need to attach certificate with every request ?
The certificate which is used to authenticate your server against some browser and the certificate which is used to authenticate yourself as a client against another server are unrelated. While in some cases they might be the same in other cases they are different. In other words: you need to attach the client certificate which is required by the other server with each request. curl will not magically do this for you.
We have a web server running on linux machine where we configured 'SSLVerifyClient' as 'require' in ssl.conf file.
Does this needs client who is utilizing the service from web browser(like firefox or chrome) needs a certificate.
If yes, then it is not possible to distribute client certificate to every user as there can be some thousands of users, how to overcome this problem.
If no, then how the data passed over network is secure? I know that certificate helps in encrypting data so that no one who don't have certificate can read data.
Please help me in clarifying my doubts
If you don't use client certificate, the https connection is still safe:
Only the client and the server can read/write the content
The identity of the server is assured by a certificate authority
Client certificate only give you client authentication in the beginning of the connection. To encrypt the data, the public key of the server is used in the beginning (See public key encryption).
If you identify the client with cookies set after login/password submit, it is still safe: you have identify the client.
When SSLVerifyClient is set to require, the client MUST pass a client certificate. You would generate these via OpenSSL, and sign them with a certificate authority that you install via SSLCACertificateFile.
How you distribute those certificates is an issue you'll have to solve yourself.
I am developing an app to run in Cloud Foundry.
The app makes constant connections to a web service using https protocol.
The web service uses a pair of self-signed certificate created by openssl.
As there is no DNS setup, I am using IP address as the Common Name(CN) in the ssl certificate.
However, the web service IP address varies from time to time. The ssl certificate has to be re-generated each time.
In order for the app to connect, it needs to trust the SSL certificate so I have been packaging the public key for the web service’s SSL cert as a file with my app.
The problem is that I have to re-upload the app to Cloud Foundry once the public key of the SSL cert changes.
Here are some possible solutions:
Register a host name in DNS. In that case, the certificate is only bound to host name. (Might not be possible cos of the budget. )
Create a private CA and issue certificates from the CA, then install the CA as the trusted CA on the client. It is feasible and a common way for internal services. However, what if the app is pushed to the CF? How can we configure the node for the certs?
Disable the SSL server authentication. Not sure whether it would put the app at risk if the authentication is skipped. For the time being, the app pulls data from the web service.
I've been thinking of keeping the public key in the database. In that case, I don't need to re-upload the app to make it take effect. But I am not sure whether it is a safe way.
Question
I am seeking for a common and safe way to keep the SSL server cert in a Cloud Foundry env. Are any of the above solutions viable? If not, is there any other CF preferred ways?
Thank you
This is a bit old, but in case this helps...
Did you try to generate your server SSL certificate with whatever hostname (even "localhost"). As you are uploading this certificate in your application (i.e. to "blindly" trust it), I think that it could work and this would avoid dependencies with your IP address.
I working to develop small HTTPS server that will be included in my android application. And the client will be browser. User can browse to the contain that I have on my HTTPS server. Can someone tell me what kind of setup do I need as far as the certificate and private/public keys are concerned. I am planning to use openssl to create my self-signed certificate.
FYI, I have initial setup done. And since my certificate is self-signed, browser displays warning to accept it on your own risk. So I believe server authentication is working. What do I need for server to authenticate the client ?
Thanks
The problem with hosting an HTTPS webserver on an android device is that the certificates are validated using a domain name. Without a domain name the client browser will display an error unless the server certificate is installed and trusted locally.
The two options are:
Register a domain name, use dynamic dns, and then request an ssl/tls certificate based on that name.
Installing self-signed certificate programmatically
There is an Android library that supports https: http://tjws.sourceforge.net/
I am completely new to the concepts of SSL/https.
My question is, does the browser send its own certificate to the web server during https communication? If yes then where on the client’s computer the certificate is stored?
A browser can send a certificate if the server requests it and it has one. Where those client certs are stored depends on the browser and operating system.