IPHONE SSL HTTPS was working with http - iphone

I have an app that works great using http. I had to disallow the transport setting, of course, while I developed.
I got an SSL/TLS certificate (see below) from GoDaddy and want to secure my app, but when I change my http: to https I get the attached error (see image).

If you have correctly installed the certificate on your server, then you don't need to add any exceptions on the iOS app.
ATS (App Transport Security) was introduced by Apple so that your app uses https and not http for its communication with servers. Have a look at this URL for more info if you need to add an exception.
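A server-side check that follows from the answer above, added here as an example (not code from the original thread): it connects with a verifying TLS context, the way iOS does, and then tests the negotiated version and cipher against the ATS baseline (TLS 1.2 or newer, forward-secrecy ECDHE AES suites). The host name passed on the command line is an assumption; `ats_issues()` works offline.

```python
"""Check a TLS endpoint against the baseline App Transport Security (ATS)
requirements: TLS 1.2 or newer and a forward-secrecy (ECDHE) AES cipher.
Chain and hostname validation happen inside wrap_socket(); a missing
intermediate certificate surfaces there as SSLCertVerificationError, which
is a classic cause of "works in a browser, fails in the iOS app"."""
import socket
import ssl

# TLS protocol versions ATS accepts by default.
ATS_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def ats_issues(tls_version: str, cipher_name: str) -> list:
    """Return the ATS problems for a negotiated version/cipher pair.
    cipher_name uses OpenSSL naming, as returned by ssl.SSLSocket.cipher()."""
    issues = []
    if tls_version not in ATS_VERSIONS:
        issues.append(f"{tls_version} negotiated; ATS requires TLS 1.2 or newer")
    if tls_version == "TLSv1.3":
        return issues  # every TLS 1.3 suite provides forward secrecy
    if not cipher_name.startswith("ECDHE-"):
        issues.append(f"{cipher_name} lacks forward secrecy (ATS wants ECDHE)")
    if "AES" not in cipher_name:
        issues.append(f"{cipher_name} is not an AES suite (RC4/3DES are rejected)")
    return issues


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to host:port with a verifying context and evaluate the result."""
    ctx = ssl.create_default_context()  # verifies chain + hostname, like iOS
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                cipher = tls.cipher()[0]
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "version": None, "cipher": None,
                "issues": [f"certificate verification failed: {exc.verify_message}"]}
    issues = ats_issues(version, cipher)
    return {"ok": not issues, "version": version, "cipher": cipher, "issues": issues}


if __name__ == "__main__":
    import sys
    # Assumed usage: python ats_check.py your.api.host
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Key size and signature algorithm (also part of ATS) are not inspected here; they need a certificate parser rather than the ssl module alone.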

Related

How to Establish a Certificate-Based Connection to APNs

I do not know whether this is the correct way or not, but I am trying to get a certificate from the macOS keychain and use it in the Flutter HttpClient to establish a certificate-based connection. I just wonder whether it is possible or not.
For now I can get the certificate with native code and I am returning the data:
```swift
// Native side: extract the certificate from the keychain identity.
var certificate: SecCertificate?
SecIdentityCopyCertificate(identityNotNil, &certificate)
// SecCertificateCopyData returns the DER-encoded X.509 certificate only (no private key).
let data = SecCertificateCopyData(certificate!)
```
Then I try to use it like this inside Flutter:
```dart
// Flutter side: useCertificateChain() expects a file path; the byte-taking
// variant is useCertificateChainBytes(), and dart:io expects PEM or PKCS12 bytes.
SecurityContext context = SecurityContext.defaultContext
  ..useCertificateChainBytes(certificateByteArray, password: 'password');
var _client = HttpClient(context: context);
```
But I am getting an error about a bad certificate. Maybe there is a way to reach the keychain directly from Flutter.
Thank you.
To be more specific, I am trying to use a certificate like:
https://developer.apple.com/documentation/usernotifications/setting_up_a_remote_notification_server/establishing_a_certificate-based_connection_to_apns
I assume that your question relates to Flutter web, not a standalone macOS application? Then I can think of the following scenarios:
1. Use client certificates to establish an SSL based secure transport layer with certificate based authentication.
2. Use client certificates to exchange encrypted messages with encryption done by the application (both client and server), or use client certificates on the application layer for authentication only.
Scenario 1: SSL with client certificates
In Flutter web, HTTP connections are only supported via XMLHttpRequest, the underlying JavaScript object; under the hood, Flutter web code is transformed into JavaScript code. XMLHttpRequest does NOT support any client certificates.
But you can configure the browser to use client certificates when connecting to a web server via SSL; this would be fully transparent to the Flutter web app. All modern browsers support client certificates and do access the macOS keychain.
Of course, the server needs to support SSL with client certificates. E.g. if you want to use client certificates in order to authenticate to a Spring application based on SSL client certificates, this is described here:
Spring Security - Pre-Authentication Scenarios
Scenario 2: Application layer encryption/authentication
This is a very unusual scenario, as web applications usually rely on SSL for many good reasons: no coding is required and it's pretty secure. But of course, it is technically feasible to implement encryption of all messages exchanged with the server on your own.
Leaving aside the pure coding work (encryption libraries also exist for Flutter), the key problem is to get the certificate and the private key into the application. Loading the certificate from the server without prior authentication (like the web app itself or all assets) would be a major security flaw, because then an attacker could also easily download the certificate/private key.
The only secure way I can think of is to obtain the certificate and private key from the client computer. Unfortunately, a Flutter web app, like every JavaScript app, is running in a sandbox within a browser, which puts major constraints on the application, for good browser security reasons. Due to this sandbox, the Flutter web app CANNOT access the macOS keychain directly.
But you can let the user pick a file with the certificate and private key. This is described here:
How to Pick files and Images for upload with flutter web

Fiddler not capturing traffic from certain host

I want to capture traffic from a host using HTTP, but I do not see a response coming back. If I close fiddler, my application runs as normal.
I see '-' in the Result section, where it should have been an HTTP response code. If I manually execute the request using Composer, I get a 200 response. Fiddler is able to capture traffic from all other web applications without issue.
I have installed the Fiddler certificate. Troubleshooting Mode returns 200. The host does not use HTTPS, but I have enabled Capture HTTPS CONNECTs anyway.
I am using Fiddler v5.0.20182
Some applications perform certificate pinning. Web applications can also perform certificate pinning, e.g. via HTTP Public Key Pinning (HPKP). If you have ever used the web application in your browser without Fiddler, the web app's public key has been downloaded and cached in the web browser.
Afterwards the Fiddler root certificate is no longer accepted for that site/app even if it has been installed correctly. You should be able to identify such problematic connections in Fiddler if you only see a CONNECT request but no subsequent requests to the same domain.
To delete the HPKP in your web browser you should use a fresh profile or clear the complete browser cache. Afterwards only use it with activated Fiddler proxy and SSL decryption. As far as I know Fiddler will remove HPKP data from responses so that the web application should also work with Fiddler in between.
I think you should be able to uncheck the options for https; uncheck the boxes which appear checked here? Or you might be able to skip decryption by adding the host in the box below where it says "Skip decryption for the following hosts".
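The diagnostic heuristic from the HPKP answer above (a host that shows only a CONNECT tunnel and no follow-up requests), applied to a session list, as an added example rather than code from the thread. The tab-separated sample is constructed to mirror Fiddler's session columns, not a real capture; hosts whose every request carries '-' in Result are flagged separately, since that is the symptom described in the question.

```python
"""Triage a Fiddler-style session list for hosts that look pinning-blocked.
'connect-only': a CONNECT tunnel was opened but no decrypted request followed
(certificate pinning or a cached HPKP policy are the usual suspects).
'no-response': every request to the host ended with '-' in Result."""
from collections import defaultdict

# Constructed sample in the shape of Fiddler's session list
# (columns: #, Result, Method, Host, URL); not a real capture.
SAMPLE_SESSIONS = """\
1\t200\tCONNECT\tapi.example.net\tapi.example.net:443
2\t200\tGET\tapi.example.net\thttps://api.example.net/v1/status
3\t200\tCONNECT\tpinned.example.org\tpinned.example.org:443
4\t200\tCONNECT\tpinned.example.org\tpinned.example.org:443
5\t-\tGET\tlegacy.example.com\thttp://legacy.example.com/app/data
6\t-\tPOST\tlegacy.example.com\thttp://legacy.example.com/app/login
7\t200\tGET\tcdn.example.net\thttp://cdn.example.net/lib.js
"""


def parse_sessions(text: str):
    """Yield (result, method, host) tuples from a tab-separated session list."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _num, result, method, host, _url = line.split("\t", 4)
        yield result, method, host


def triage(text: str) -> dict:
    """Classify each host as 'ok', 'connect-only' or 'no-response'."""
    stats = defaultdict(lambda: {"connect": 0, "requests": 0, "no_response": 0})
    for result, method, host in parse_sessions(text):
        s = stats[host]
        if method == "CONNECT":
            s["connect"] += 1
            continue
        s["requests"] += 1
        if result == "-":
            s["no_response"] += 1
    verdict = {}
    for host, s in stats.items():
        if s["connect"] and not s["requests"]:
            verdict[host] = "connect-only"  # tunnel opened, nothing decrypted
        elif s["requests"] and s["no_response"] == s["requests"]:
            verdict[host] = "no-response"   # every request ended without a reply
        else:
            verdict[host] = "ok"
    return verdict


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_SESSIONS).items()):
        print(f"{host:24} {status}")
```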

SOGo: CalDAV Entries not showing in Client (iOS, macOS, Android)

We have set up a CalDAV server here with SOGo as backend and frontend (web UI), which is working as expected.
But there are some errors which I cannot reproduce, and the logging also gives no hint since there is no logging:
1) macOS 10.11 - latest release
I can log in to CalDAV, I can create entries (which are synced) and they show up in the web UI. But events created in the web UI are not synced.
2) Same credentials, same usage on iPhone iOS 12 - I can't even log in to the calendar.
Here the HTTP error in the log indicates a "Forbidden"... but as stated, the credentials are correct. Maybe iOS sends an authentication method which is not installed on my server?
Dan
The answer to this question is very simple and seems intuitive:
Install SSL certificate for https connections to SOGo web-root
Forward all http requests to https

Why part of https requests fail on Charles Proxy as some https requests are ok?

I set everything up correctly and some https requests are proxied fine, but some are still unknown. Is there any new way I don't know of to prevent being proxied?
I found that for those https connections the apps check the cert on their own. This means you can't just add the cert to your device's system and hope it works.
More work needs to be done to capture this data using a proxy.
In more detail, you have to hack the app to capture it. For that information just google "JustTrustMe".

Does apple allow to use own https stack in ios apps?

Is it possible to link e.g. libcurl into an iPhone app in order to have complete control over https certificates? Or will they typically flag this during review? Is this also a possible way to bypass App Transport Security? Are iPhone apps even allowed to make TCP connections to port 443?
We use our own root certificate (expired though) for the APIs of our product and don't have a central server. All our clients do the necessary checks to never accept any other certificate than the ones signed by us. We want our iPhone app to connect directly to our product (deployed at customers); the product uses our certificates and cannot use TLS 1.2 for the next few years. Therefore we also want to bypass the strict requirement of App Transport Security to use TLS 1.2.