We are trying to make more secure a WebRTC gateway. To ensure this, we decide to validate incoming WebRTC certificate via OCSP/CRL, but when we took a Wireshark capture, we realized that WebRTC using a self-signed certificate during DTLS as you can see from the link at below;
WebRTC Self-Signed Image
Because of self-signed certificate, there is no way to use OCSP/CRL. So is there any way to import and use CA-signed certificate for WebRTC engine?
Thank you for your help.
WebRTC has generateCertificate() static function where you can specify the algorithm for signing certificates.
From the link above:
RTCPeerConnection.generateCertificate({
name: 'RSASSA-PKCS1-v1_5',
hash: 'SHA-256',
modulusLength: 2048,
publicExponent: new Uint8Array([1, 0, 1])
}).then(function(cert) {
var pc = new RTCPeerConnection({certificates: [cert]});
});
Related
I am developing an app with a server part programmed in Go and a client programmed in C#, the connection between the two is made using TCP socket communication, and to ensure the connection I am using TLS.
My question is whether there would be any security problem in my case when using self-signed certificates for TLS communication.
I understand that for a web server that uses https it is necessary to use certificates signed by a certificate authority (CA) but in my case, when connecting my own client application I don't see why I should use one of these.
If anyone knows anything about it, it would be a great help.
Certificates are used for authenticating the end points, and usually the cert is signed by a certificate authority which your client (such as a web browser) already trusts. Using a self-signed cert in that scenario can lead to problems, as the browser won't trust it, and so will pop a warning box. However, the real issue is that for the typical user, a warning from your server is as good as indistinguishable from an attacker using another self-signed certificate. They'll click-away and KABOOM!
If this is a closed environment, and you control both the server and client, then the self-signed certificate is irrelevant. In fact, you don't even need one at all, and may be better off with one of the alternatives, like TLS-PSK, or TLS-SRP.
Say I have a flutter app and an intranet server. The flutter client will try to talk to the server in TLS. I understood that we can generate a self signed certificate in server and I can have flutter client app load the certificate to talk to the server. I am thinking that if I store that certificate in asset, would that be secure ?
Seems that if someone got the certificate from asset, they can then talk to the server. Is that true ? If that is true that it seems that self certified certificate is not very secure.
Certificates are public, you're storing a copy of your self-signed certificate locally for your TLS client to trust it, as it'll only trust the system CAs by default. So no, nothing will be compromised if you store your certificate client-side.
What you shouldn't store client-side are private keys, they typically start with
-----BEGIN PRIVATE KEY-----.
Is there a way to create self-signed certificate on IOS programatically?
We have a client-server connection, where the pairing is confirmed just once and then the certificate is used every time to re-establish connection.
right now we're doing it using openssl, but that is a little bit excessive for our needs. does ios have any mechanisms that would
generate the x509 certificate
apply it to socket (ergo create equivalent of SSL socket)
query certificate sent by the server, so that it could be stored to verify server identity?
thank you!
My application uses ASIHttpRequest for my server communication. I have a requirement that I should block HTTP protocol cos I dont wont to transmit that data over insecure link. So only SSL over HTTPS will be allowed. Also even thought the link is HTTPS I need to ensure that I am calling to the correct certificate. So I need a server certificate validation in my code. Please guide me how to do this.
I researched on this. I found few possible answers. One is to create a client certificate and do the validation. Also there are ways to "Client certificates support" under ASIHttpRequest documentation. So how to achieve my requirements above. Also integration of CFNetwork code into ASIHttpRequest will also do.
Regards,
Dilshan
You can get a validated certificate from an certificate authority like StartSSL or Thawte. Then iOS checks if the certificate is trusted by an authority. iOS comes with different trusted authorites.
If the server certificate is not validated by an authority the connection is rejected.
You don't need to do something special in code. Only use a https connection.
I have used push notification for my project & was working fine with HTTP connection. Server was responding well. Now Its not working with HTTPs . Please guide if any one figure it out. What's the solution ?
You can't use a self-signed certificate, as far as I'm aware.
From the developer guide:
For each interface you should use TLS (or SSL) to establish a secured
communications channel. The SSL certificate required for these
connections is provisioned through the iPhone Developer Program
portal. (See "Provisioning and Development" for details.) To establish
a trusted provider identity, you should present this certificate
to APNs at connection time using peer-to-peer authentication.