I can't for the life of me find how to configure client certificate validation with Heroku SSL endpoint. Is is supported at all? Is there an alternative add-on that does support it?
I asked their support about this and this was their answer: https://help.heroku.com/tickets/128194
So it would appear that server side verification of client certificates isn't supported by heroku right now if you rely upon their web server. I.e. having a server hosted on heroku check the client certificate provided by the connecting client. This requires a check at the web server level.
However I did come across this for nodejs:
https://www.npmjs.org/package/client-certificate-auth
which would lead me to believe that for nodejs is should be possible, since you have full access to the http(s) server. I haven't tried it though
Related
I'm using a React frontend application on a domain with a valid SSL certificate, which makes calls to a Django backend application on a VPS (Ubuntu 20.04, apache2), which doesn't have a domain name registered (instead the calls are being made using the IP of the server). The server doesn't yet have a valid SSL certificate which prevents the React app from receiving the resources. Self-signed won't work since it's then not valid in the browser (I might be wrong here).
Do I also need to register a domain name for the backend API server for the SSL certificate to be valid or can I just buy an SSL certificate and work from there?
To even get an SSL certificate back from the vendor, you need a fqdn (fully qualified domain name). That information is used to sign and create the certificate request. Your webserver won't even properly encrypt until you have valid signed certificate for the server in question. You can expand the number of hosts that a certificate will serve by buying a wildcard certificate (*.example.com vs specifichost.example.com)
If your back end server is on some cloud or hosted service, you can use self signed certificates but you would have to disable "strictness" in your front end. If you're at any time performing financial transactions this is not advisable.
If you're making axios calls, here's a pretty good article on disabling https strictness (https://github.com/axios/axios/issues/535).
Your vendor for the VPS might have some helpful information on how to harden up the server.
If this is not how you'll be doing this in production and the setup you describe is for testing only, then probably you want to use the environment to set a variable indicating 'strict' or 'test' and switch your calls accordingly. That way, a relaxed setup will work in test or in your sanbox, but production would use a properly configured host with a valid certificate.
I have an application running on IIS 8.5 on my Windows Server 2012 and I have configured it to use this certificate I just bought. So now I can access the website using https protocol.
I have node.js clients running on some computers outside my network and posting some data to the server from time to time. I want to secure that connection now that I have a SSL certificate. I've been googling around for a couple of hours and I was not able to have the picture of what I need to do.
My goal would be to do the HTTP POST from client and only the clients using the certificate would be allowed to upload data to my https://example.com/upload url.
Firstly, I need to configure IIS so that requires a certificate when doing the handshake but I have no option for that in the authentication panel inside my webapp. I only have these options:
What am I doing wrong?
Click on SSL Settings
Then tick Require SSL
I'm implementing an SSL layer for a web server project. I'm using polarSSL, though I think this question is a general SSL question.
When I get a connection to my server from a client I configure the SSL protcol like this:
ssl_set_endpoint( &mSsl, SSL_IS_SERVER );
ssl_set_authmode( &mSsl, SSL_VERIFY_NONE );
E.g. I'm not verifying the connection from the client. Do I need to do this?
Most browsers don't have client side certificates - though some do (I think). Is there any need or advantage for the server to verify the client? This is for a service where I would happily serve the data to a client that had no client side certificate at all.
Client-side authentication in SSL/TLS is used when it's required for the server to know its client. For example, it's widely used in banking, to access custom corporate servers etc.
In opposite, the common web server is intended to serve wide audience and not care about who's coming in. So client-side authentication is not used unless you know that you need it.
I have a Ruby on Rails app running on Heroku server. As I'm testing the app with SSL certificate, I added a non-paid one like this tutorial explains, and forced the server app to use SSL with RackSSL gem.
So, I also have an Android client and I have some doubts:
How do I verify if the client request is using the same certificate?
How do I force SSL only on specific Rails routes?
Thanks in advance!
Ad. 1, do as suggested in the guide: Visit the endpoint and look at the certificate that gets served up (it should be the one you added). Note that the certificate is not different depending on the client accessing Heroku, it's something that Heroku serves up to clients accessing the endpoint so you can verify this using either a normal desktop browser or your smartphone.
Ad. 2, check out this answer which suggests rack-ssl-enforcer.
The ColdFusion documentation is weak on how and when to use it. What does it do? How does one use it?
Update: it seems to be broken, as outlined in Washing Client Certs in ColdFusion with SOAP – Part 2.
problems with CFHTTP handling SSLv3 sessions
Client certificates are a bit of a pain because of the overhead involved in using it.
As Jura says, you'll need a target server that uses client certificates as a mechanism for authentication. This server side piece does not need to be CF-based. The web server (IIS, for example) would be set up to require this. This is part of the SSL/TLS protocol, not specific to any language at the application level.
You would use this if the server you are requesting a resource from requires client certificates. The administrator of that server would need to give you the client certificate and private key ahead of time. As mentioned by user349433, this is commonly a PKCS12 (.p12 or .pfx) file.
The server will validate that the client certificate is "trusted" and if it is, it will allow the TLS/SSL handshake to proceed, and CF will be able to write the HTTP request on top of it.
The use case today is to prevent man-in-the-middle attacks, but because of the overhead involved with certificate distribution, revokation, etc. it's not terribly common.
If you want to know more about it, check out TLS 1.1 specification:
https://www.rfc-editor.org/rfc/rfc4346
https://www.rfc-editor.org/rfc/rfc4346#section-7.4.6
You are using client certificate in case if the target server uses that mechanism for authentication. You'll need to obtain specific client certificate from the service provider in order to be able to connect to the service. It's been used for some internet banking applications back in days I believe. Not sure what is the use case today for it, may be distributed corporate networks where you need to connect to corporate server over internet in a highly secure manner?