Remotely hosted HTTPS Images not displaying in Safari 4.1.3 on Macs - safari

Working with a ticketing system site that must be accessed via HTTPS at https://www.threestages.net.
Our images are hosted elsewhere (https://wserver.flc.losrios.edu/~vapa/) and also accessed via HTTPS.
We have multiple reports that Safari 4.1.3 on Macs is not displaying the images. We have no reports of this behavior from any other browser or platform.
Anyone have any notion what that would be about?
Thanks for any thoughts,
JG

So it turns out that Safari has an issue with the SSL Cert at https://wserver.flc.losrios.edu/
http://www.sslshopper.com/ssl-checker.html let me know that:
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."
Thanks for looking at this. Valuable lessons learned:
Even if 4 out of 5 browsers accept an SSL Cert that doesn't mean they all do
Just because the sysadmin says it's not his problem/mistake doesn't make it so!
Check everything. Then repeat.

Related

How to solve the problem of self signed SSL certificates for sites intended to be LAN hosted

My software is intended to run on a Raspberry Pi.
After installing my software, a user can navigate to the webpage hosted by my software running on their Raspberry Pi from any device on their LAN.
I want my users to not have to worry about generating SSL certificates and such. Just install my software on their Raspberry Pi and navigate to the dashboard.
I can make my software automatically generate a self signed SSL certificate on the first run, but the users get warnings about self signed certificates in their browser and the site shows as insecure.
If I make my software use HTTP instead, then Chrome won't store cookies from the site, so the user's login doesn't last longer than one refresh.
I obviously can't distribute a CA signed certificate with my application since:
Anyone can get hold of this, so it won't be secure
It wouldn't work anyway since different users will have their Raspberry Pi on different IPs and hostnames
Is there any solution to be able to use secure HTTPS in this situation without getting warnings from browsers?
It's debatable whether this is a development question or not (it clearly isn't programming); personally I would say yes. However, it is certainly more topical in other Stacks where it has been discussed extensively e.g.:
https://serverfault.com/questions/1060268/ssl-for-devices-in-local-network
https://serverfault.com/questions/906015/how-to-setup-ssl-certs-for-a-lan-web-app-server
https://serverfault.com/questions/964119/enable-https-on-a-private-network
https://serverfault.com/questions/573528/ssl-tls-cert-get-alternative-name-to-work-with-lan-ip
https://serverfault.com/questions/447753/ssl-certificate-for-local-web-server
https://serverfault.com/questions/833178/ssl-with-no-warning-for-local-ips
https://serverfault.com/questions/1018020/distributing-ssl-certificates-to-all-browsers-in-an-active-directory-environment
(some focussed on Windows and especially AD though)
and:
https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network
https://security.stackexchange.com/questions/227020/is-https-required-for-local-network-server-to-server-communication
https://security.stackexchange.com/questions/251308/do-i-need-to-create-ssl-for-https-over-a-local-network
https://security.stackexchange.com/questions/103524/lets-encrypt-for-intranet-websites
https://security.stackexchange.com/questions/124235/deploy-intranet-application-with-ssl-certificate
I did find a few here, though, from years ago when topicality was wider:
HTTPS over intranet, what is the correct way of doing it
Are certificates useful for intranet SSL?
Do I need a SSL Certificate for an Intranet application

Record JMeter script for Mobile App making HTTPS calls

I am trying to do a performance test using JMeter for a mobile application. My application is secured and makes HTTPS calls. I came across the guide below on installing a certificate on the client side. Can anyone tell me how I can get this certificate?
Do I have to buy an SSL certificate and install it on my computer and my Android device?
Can someone help me understand the guide below in plain English? I am able to record and play back successfully when our mobile app is not secured, i.e. it makes HTTP calls without any trouble. Thanks, and any help is appreciated. Also, I am okay to pay for training on JMeter from someone who can teach me how to do this. Thanks.
https://www.blazemeter.com/blog/how-set-your-jmeter-load-test-use-client-side-certificates/
In order to be able to record the mobile device traffic you need to install JMeter's MITM certificate which will allow JMeter to intercept and decrypt secure requests.
You don't need to buy anything, the certificate is being generated in "bin" folder of your JMeter installation when you start HTTP(S) Test Script Recorder, the file is called ApacheJMeterTemporaryRootCA.crt and this is the certificate you need to install onto your mobile device/emulator in order to be able to record HTTPS traffic.
The instructions differ depending on mobile OS and even OS version; the most painful is capturing traffic on Android >= 7.0. The exact steps can be found in the Bypassing Android’s Network Security Configuration and Recording Using Android Devices guides.

SSL Certificate not trusted

Having an issue with my SSL certificate. Often it seems to work fine, but sometimes the user's browser throws up a warning that it is not trusted.
I know very little about SSL certificates, but here is some information that may or may not be relevant:
URL: demo.EnterpriseJazz.com
It is a wild card certificate because
the application uses subdomains (one subdomain per registered organization Example: BobsLawnCare.EnterpriseJazz.com)
The certificate was cheap for a wild card certificate, I paid around $50 for it if I remember correctly. I believe I got it from a cheap re-seller.
The server is located in my house on a Verizon FIOS business internet connection. It is not in a data center.
Seems to work fine with:
Safari on my new Macbook Pro
Chrome on my new Macbook Pro
Firefox on my windows machine
Microsoft Edge on my windows machine
Internet Explorer on my windows machine
Opera on my windows machine
Firefox on my Linux machine (CentOS)
Not trusted with:
Chrome on my iPhone 6s
Safari on my iPhone 6s (screen shots below)
Have a look at the SSLLabs report for this site. Apart from a shockingly insecure setup you will notice:
This server's certificate chain is incomplete.
This means that the client does not have enough information to build the trust path to the root certificate and thus cannot accept the certificate as trusted.
However, a desktop browser will attempt to work around such setup problems by trying to fill in the missing chain certificates, i.e. downloading these from the web or using cached certificates from earlier connections to other clients. But apart from the desktop browsers, most other clients will not do it and thus fail.
I had the exact same issue.
After futzing with every nook and cranny of my SSL and http setups, I finally realized "How silly I was to not check the URL first!"
My browser had been connecting to the regular non-trusted site (http://example.com) and I had blindly assumed that the broken lock icon meant something was wrong with my cert installation. Duh!
Modern browsers hiding the actual protocol letters behind a pretty icon or user-friendly message that conflates two issues into one - that didn't help.
My suggestion would be to first make sure you're hitting the https version of your site. If not, your first step to the solution is to create an automatic redirect of all http to https.
I hope getting to this post first helps at least 1% of those who had this problem. I'm in that 1%

Are SSL certificate chains different among desktop and tablet browsers?

I've got a Nexus 7 tablet with Android 4.4.2 and the browsers Chrome and Firefox installed on it. When I open the website https://ib.sb24.com with it, it prompts me that the certificate is not trusted, but when I open the same address with a desktop browser it's alright! Why is that?
[UPDATE]
By desktop I mean Windows and Ubuntu, Chrome and Firefox.
This looks like the server is configured wrong. It only sends a single certificate which is not signed by a known root, but instead by an intermediate CA. But the server forgets to add the needed intermediate certificates too.
The reason it works in your browser is that you once browsed a site where the same intermediate CA was used and the browser cached the CA. Probably all browsers do that to help with such misconfigurations, but this does not help if the browser never visited a properly configured site with the right intermediate CA before visiting the misconfigured site.
If you don't believe me, try to visit the same site with a fresh Firefox profile; you will get the same problems.
Chrome most likely uses the platform's native store/list of trusted root certificate authorities; therefore a root CA which is trusted on your desktop platform (i.e. Windows) may not be trusted on the Android platform.
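
The incomplete-chain failure that the answers above describe (a server sending only its own certificate, and a client with no cached intermediate rejecting it), reproduced offline as an added example that is not part of the original posts. It assumes the openssl CLI is installed; the lab CA names, www.example.test and all file names are made up.

```shell
#!/bin/sh
# Constructed lab PKI (root -> intermediate -> leaf); all names are made up.
LAB=$(mktemp -d) && cd "$LAB" || exit 1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# issue NAME SUBJECT EXTFILE SIGNER-OPTIONS...
# Creates NAME.key and NAME.csr, then NAME.pem signed as the options say.
issue() {
  name=$1 subj=$2 ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$name.csr" -days 30 -extfile "$ext" "$@" \
    -out "$name.pem" 2>/dev/null
}
issue root  "/CN=Lab Root CA"         ca.ext   -signkey root.key
issue inter "/CN=Lab Intermediate CA" ca.ext   -CA root.pem  -CAkey root.key  -CAcreateserial
issue leaf  "/CN=www.example.test"    leaf.ext -CA inter.pem -CAkey inter.key -CAcreateserial

# What each server configuration would send in the TLS handshake.
cp leaf.pem served-leaf-only.pem                  # misconfigured: leaf only
cat leaf.pem inter.pem > served-fullchain.pem     # correct: leaf, then its issuer

# verify_served BUNDLE
# Validates the first certificate in BUNDLE the way a client with only the
# root in its trust store and no cached intermediates would: the remaining
# certificates in BUNDLE are untrusted helpers for path building.
verify_served() {
  openssl verify -CAfile root.pem -untrusted "$1" "$1" 2>&1
}

for bundle in served-leaf-only.pem served-fullchain.pem; do
  if out=$(verify_served "$bundle"); then
    echo "$bundle: chain builds to the trusted root"
  else
    reason=$(printf '%s\n' "$out" | grep -o 'unable to get local issuer certificate' | head -n 1)
    echo "$bundle: rejected ($reason)"
  fi
done
```

Against a live host, `openssl s_client -connect host:443 -showcerts` lists the certificates the server actually sends, which can be saved and checked the same way.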

Is the GoDaddy SSL standard certificate compatible with *all* browsers?

Could you answer at least one of these questions:
1) Is the GoDaddy SSL standard certificate compatible with all browsers (Chrome and Safari on iPhone, or Android browsers included)?
http://www.godaddy.com/ssl/ssl-certificates.aspx?ci=8979
2) Is it running on Apache servers?
Those particular certs claim to have 99% Browser Recognition.
I think that's pretty high but I have found the GoDaddy certs to be pretty good.
Remember they are probably not including mobile browsers in this statistic.
Also have you checked out this page as they are cheaper?
http://www.godaddy.com/ssl/ssl-certificates-verisign.aspx?isc=sslqgica15