I am using chrome.sockets.tcp API to create a secure connection. No errors are being encountered when connecting using a trusted certificate.
However, I'm facing error -202 (CERT_AUTHORITY_INVALID) (among other possible [certificate errors][2]) when trying to connect to a server with a self-signed/untrusted certificate.
Is it possible to warn the user about the invalid certificate and provide the option to continue with the connection? (similar to the way Chrome handles such situations)
Seeing nothing on the topic in the docs (and SocketsTcpSecureFunction::AsyncWorkStart(), the source code of chrome.sockets.tcp.secure, only verifies the certificate but doesn't try to handle the errors, it would only report them back) I'd conclude there's no way to interactively handle this predicament.
Maybe you can import the certificate on the client machine but it won't help other users of the site unless they're willing to do the same.
Related
I am developing an app with a server part programmed in Go and a client programmed in C#, the connection between the two is made using TCP socket communication, and to ensure the connection I am using TLS.
My question is whether there would be any security problem in my case when using self-signed certificates for TLS communication.
I understand that for a web server that uses https it is necessary to use certificates signed by a certificate authority (CA) but in my case, when connecting my own client application I don't see why I should use one of these.
If anyone knows anything about it, it would be a great help.
Certificates are used for authenticating the end points, and usually the cert is signed by a certificate authority which your client (such as a web browser) already trusts. Using a self-signed cert in that scenario can lead to problems, as the browser won't trust it, and so will pop a warning box. However, the real issue is that for the typical user, a warning from your server is as good as indistinguishable from an attacker using another self-signed certificate. They'll click-away and KABOOM!
If this is a closed environment, and you control both the server and client, then the self-signed certificate is irrelevant. In fact, you don't even need one at all, and may be better off with one of the alternatives, like TLS-PSK, or TLS-SRP.
How to change security policy in milo example server? I've tried to connect to milo's opc server with UaExpert, and set the security policy. No matter what security policy I choose, the result is the same error:
ERROR o.e.m.o.s.s.t.u.UascServerAsymmetricHandler - [remote=/127.0.0.1:33762] Exception caught; sent ErrorMessage{error=StatusCode{name=Bad_SecurityChecksFailed, value=0x80130000, quality=bad}, reason=certificate path validation failed}
io.netty.handler.codec.DecoderException: UaException: status=Bad_SecurityChecksFailed, message=certificate path validation failed
How can I configure it correctly?
Second question: The example server seems quite complicated. What is the simplest way to create a server and connect to it? Is there a minimal example for that?
Welcome to stackoverflow
I do not know the Milo server and I have not almost used UAExpert but:
The client must trust the server certificate and the server must do the same with the client's certificate and of course both sides must have their certificate, sometimes the client and the server automatically create one if it doesn't exist but sometimes it should be created previously by external ways.
Help about UAExpert http://documentation.unified-automation.com/uaexpert/1.4.3/html/first_steps.html
If you don't want to deal with certificates then choose then endpoint with SecurityPolicy None when connecting:
Otherwise, note the security directory the example server logs on startup. Something like:
INFO o.e.m.examples.server.ExampleServer - security temp dir: /var/folders/1v/2pxlxd_x4bsdxz25_fv7r0940000gn/T/security
Navigate to the security directory and you'll find the UaExpert client certificate in the pki/rejected folder. You can move it to pki/trusted/certs and then connect with security from UaExpert.
My application requires LWP under SSL, but I can't seem to get it to connect properly without receiving an error.
certificate verify failed)LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at C:/Perl/site/lib/LWP/Protocol/http.pm line 51.
Whenever I load up the website in FireFox on my server, I receive
This connection is untrusted (Technical error: sec_error_unknown_issuer)
Whenever I load it up in Chrome, it verifies absolutely fine.
I can load the page up in FireFox and Chrome on my computer and receive no SSL verification errors at all.
I have no clue what is different between my PC and my server; they're both using the exact same FireFox versions so I'm not sure why it wouldn't verify properly on there.
I've tried workarounds by putting in $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0 in the Perl script but it seems to throw the same exact error still.
This is the script I'm using to test HTTPS
Does anyone know any solution to this or any workaround?
I've tried workarounds by putting in $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0
As the name of the option implies it cares only about disabling the check of the hostname against the certificate. It does not disable the validation of the certificate chain.
Whenever I load up the website in FireFox on my server, I receive ...
Since you get validation errors with Firefox and LWP but not with Chrome, Chrome has probably an additional CA as trusted which they others don't have.
From your code it looks like that you are using Windows and from my understanding Firefox comes with its own CA store, LWP uses Mozilla::CA (which contains the CAs usually shipped with Firefox) but Chrome uses the system CA store. Thus there is probably a CA in the system store which Firefox and LWP don't know about.
While it might be that there is some special esoteric CA which is known to the default Windows CA store but not to Firefox, it is more likely that you are behind some SSL inspecting firewall and that the administrators added the necessary proxy certificate to Windows CA store but not to Firefox or LWP's store. I would suggest you check the certificate chain inside the Chrome browser and look at the top (builtin) certificate.
If you consider the CA trusted you might export it and import it into Firefox. You might also make LWP use this CA by saving it in PEM format and then set the PERL_LWP_SSL_CA_PATH environment variable to point to the saved file or use the SSL_ca_path option in the ssl_opts setting to make LWP use this CA certificate for validation.
If this explanation does not lead to a solution please provide more details about the target URL you are trying to access and the network setup you have, especially if there is a SSL intercepting proxy or firewall. Please provide also information about the version of LWP you are using, because there changed a lot with version 6.
I'm facing a funny issue here.
I got a C# Webforms application running on IIS6. When the user clicks on a certain link, my app makes a REST call to a webservice hosted in the cloud. This call, made by the app running on IIS, fails. We get a WebException, with the message "no response from server".
However, if I try to connect to the same web service, from the same machine, with the same credentials, using SoapUI, the call succeeds. So I guess this means that I can rule out firewall issues, credential issues, and availability of the service.
The code has been tested on numerous other machines (dev, test, staging...), and it worked successfully, so the code itself should not be an issue. I think it's an environmental issue (a setting on web.config or machine.config which prevents outgoing requests).
Any idea as to what that could be?
Thanks!
The reason our REST calls were failing was that we were missing an SSL certificate.
We were trying to make the REST call using HTTPS. The REST service provider's SSL certificate was signed by a well-known CA. However, our server apparently had a hardened build, and the CA's certificate was missing from the certificate repository. Hence, the provider's SSL certificate was considered unsafe.
Sadly, the .Net framework exception had no useful information about this.
We installed the CA's certificate and the issue was fixed.
My application uses ASIHttpRequest for my server communication. I have a requirement that I should block HTTP protocol cos I dont wont to transmit that data over insecure link. So only SSL over HTTPS will be allowed. Also even thought the link is HTTPS I need to ensure that I am calling to the correct certificate. So I need a server certificate validation in my code. Please guide me how to do this.
I researched on this. I found few possible answers. One is to create a client certificate and do the validation. Also there are ways to "Client certificates support" under ASIHttpRequest documentation. So how to achieve my requirements above. Also integration of CFNetwork code into ASIHttpRequest will also do.
Regards,
Dilshan
You can get a validated certificate from an certificate authority like StartSSL or Thawte. Then iOS checks if the certificate is trusted by an authority. iOS comes with different trusted authorites.
If the server certificate is not validated by an authority the connection is rejected.
You don't need to do something special in code. Only use a https connection.