iPhone HTTPS works as webpage, fails as web-app - iphone

I configured my web server to use HTTPS instead of HTTP. I used openssl to generate an X509 certificate and private key. When I connect using Firefox it warns me of an "Untrusted Connection" and allows me to add an exception to continue. When I connect using my iPhone's Safari web browser it does the same thing. I hit accept on the security prompt and it works fine.
I add the web page to my home screen so that I can run it as a web-app. When I open the web-app I see the following prompt:
Cannot Open MyWebApp. "MyWebApp could not be opened. The error was: 'The certificate for this server is invalid. You might be connecting to a server that is pretending to be mydomainnamehere.com, which could put your confidential information at risk.'" CLOSE or RETRY
If I hit close the web-app closes. If I hit retry I see the prompt again. There is no option to trust the site and continue. How can I get this to work? I'd like to use HTTPS to encrypt the sensitive data. It is a private site I use to access files remotely. It is not intended for public use.

There are two solutions: 1) use a trusted certificate, or 2) add the untrusted certificate to your iPad. This way your iPad will consider it trusted.
Download the certificate (with Chrome, for example), put the cert as an attachment on an email. Open this email on your iPad, click the attachment/cert and install it. That's it!

Related

Fiddler not capturing traffic from certain host

I want to capture traffic from a host using HTTP, but I do not see a response coming back. If I close fiddler, my application runs as normal.
I see '-' in the Result section, where it should have been an HTTP response code. If I manually execute the request using Composer, I get a 200 response. Fiddler is able to capture traffic from all other web applications without issue.
I have installed the Fiddler certificate. Troubleshooting Mode returns 200. The host does not use HTTPS, but I have enabled Capture HTTPS Connects anyway.
I am using Fiddler v5.0.20182
Some applications perform certificate pinning. Web applications can also perform certificate pinning, e.g. via HTTP Public Key Pinning (HPKP). If you have ever used the web application in your browser without Fiddler, the web app's public key has been downloaded and cached in the web browser.
Afterwards the Fiddler root certificate is no longer accepted for that site/app, even if it has been installed correctly. You should be able to identify such problematic connections in Fiddler if you only see a CONNECT request but no subsequent requests to the same domain.
To delete the HPKP data in your web browser you should use a fresh profile or clear the complete browser cache. Afterwards only use it with the Fiddler proxy and SSL decryption activated. As far as I know Fiddler will remove HPKP data from responses so that the web application should also work with Fiddler in between.
I think you should be able to uncheck the options for HTTPS, i.e. uncheck the boxes which appear checked here. Or you might be able to skip decryption by adding the host in the box below where it says "Skip decryption for the following hosts".
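To make the pinning point concrete, here is an added example (not code from the original answers) that computes the HPKP pin-sha256 of a key the way a browser caches it and checks a second, substitute key against it; it assumes the openssl CLI and generates both keys locally as constructed stand-ins for the site's key and a proxy's key.

```shell
#!/bin/sh
# Added example (not from the original question or answers): compute the HPKP
# "pin-sha256" value a browser caches for a site, i.e. the base64 SHA-256 of the
# DER-encoded SubjectPublicKeyInfo. A proxy such as Fiddler presents a
# certificate for its own key, so its pin never matches the cached one and the
# pinning client refuses the connection. Assumes the openssl CLI; keys are
# generated locally as constructed stand-ins.
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT

# spki_pin: read a PEM public key on stdin and print its pin-sha256.
# For a live certificate the key comes from:
#   openssl x509 -in site.crt -pubkey -noout | spki_pin
spki_pin() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -binary |
        openssl base64 -A
}

# pin_for_key <key.pem>: pin of the public half of a private key.
pin_for_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null | spki_pin
}

# pin_accepts <cached-pin> <key.pem>: succeeds only if the key matches the
# cached SPKI pin, mirroring the check a pinning client makes.
pin_accepts() {
    [ "$1" = "$(pin_for_key "$2")" ]
}

# Constructed keys: the site's real key and a proxy's substitute key.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/site.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$workdir/proxy.key" 2>/dev/null

cached_pin="$(pin_for_key "$workdir/site.key")"
echo "Public-Key-Pins: pin-sha256=\"$cached_pin\"; max-age=5184000"
pin_accepts "$cached_pin" "$workdir/site.key" && echo "site key: accepted"
pin_accepts "$cached_pin" "$workdir/proxy.key" || echo "proxy key: rejected, pin mismatch"
```

A CONNECT with no follow-up requests, as described above, is the visible symptom of that rejected pin check.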

JMeter recording iOS native application that uses HTTPS leads to SSL handshake issue

I have an iPad hybrid app for our application. It tries to hit our HTTPS server during the login process. I would like to use JMeter to record this simple flow.
I am running the JMeter proxy server on my local machine. I updated the iPad proxy details so that any activity will go via the JMeter proxy, so that I can record.
I am able to record in JMeter the activities I do in the Safari browser of the iPad. But if I access my app on the iPad, JMeter sends it as an HTTP request and records a javax.net.ssl.SSLHandshakeException error. In the browser I can accept the SSL certificate. Not sure how it can be done on the iPad.
I even tried to export the certificate from my browser, sent it to my email, accessed it on the iPad and installed it. Still it does not work. Looks like it is a temporary certificate issued by JMeter.
If it is not HTTPS, then JMeter is able to record the app activities.
Has anyone faced a similar situation? How did you resolve this?
Use JMeter 2.11 with Java 7; it creates a .crt file in the jmeter/bin folder.
It is the CA that creates the certificates.
Send this file by mail, open it on the iPad and install it.
In the Test Script Recorder, put the domains you are trying to hit in the dedicated field "HTTPS Domains", see:
http://jmeter.apache.org/usermanual/component_reference.html#HTTP(S)_Test_Script_Recorder
Restart the iPad and the JMeter Test Script Recorder and try again.

Can't turn off Facebook Secure Browsing

I'm developing a Facebook canvas app. I don't have an SSL certificate, so I've been using a plain http:// URL + sandbox mode for the creation and testing process.
Suddenly I realized my Facebook account turned to Secure Browsing mode and I'm unable to turn it off via Account Settings >> Security >> Secure Browsing. There is no "edit" button. None of my co-workers experienced the same problem. Their Secure Browsing option is off, editable and the app is visible. Anyone familiar with the same issue?
If you're testing your app you shouldn't really need to disable HTTPS, nor is that really a representative test if you're using HTTP but almost all your users will be using HTTPS (as is the case with Facebook).
It'd be better to get a free cert from startssl.com or similar free CAs, use OpenSSL to generate an in-house CA or self-signed certs, or accept the certificate warnings from the default cert that ships in your webserver, if any, than to disable the secure browsing option on your Facebook account for this purpose.
As for the option itself in the Facebook settings, that's somewhat off topic for here, and I'm unsure what the exact status is, but I believe the option to browse Facebook insecurely is being phased out.
Another option for testing is to run a test server with a separate proxy to your production environment (e.g. nginx) for test purposes and log all the traffic to that server for debugging.

The site's security certificate is not trusted with openssl

I want to support HTTPS in my web application. Since the certificates from Verisign are costly, I decided to use openssl for generating a certificate. Here is the link I referred to: https://community.jboss.org/wiki/JBossAS7ConfiguringSSLOnJBossWeb
When I tried to access the application in the browser I got the error "The site's security certificate is not trusted". Here is the screenshot:
Please let me know how I can solve this error. Is it possible to use openssl in production?
The issue is that your self-signed certificate is not 'trusted' by the browser. It does not recognise it as signed by one of the certificate authorities it trusts.
You have two options: tell the browser it can trust the certificate, or tell the browser that it can trust the entity which issued it (meaning that if you use the same certificate to sign other certificates, those also get trusted).
See http://googlechrometutorial.com/google-chrome-advanced-settings/Google-chrome-ssl-settings.html for more information. Once you are in 'Manage certificates' you can import your own ones.
Every browser, every user, will have to go through those steps. So that is a practical logistical limit on how much 'production' you can run with this.
Do check out the various 'free' certificates; they are very low cost.
MAC SOLUTION: The best way that I've found for manually trusting specific site certificates is to use Safari. See, when you manually trust a certificate in Safari, it requires you to enter your OS X account password. Safari does this because it stores the certificate details in Keychain Access, a system application that manages all vital data you store on your computer.
This is significant because Chrome also communicates with Keychain Access. Once the program has a record of the certificate being trusted by Safari, Chrome will also trust the certificate. You may have to restart the Chrome browser after activating the certificate in Safari to get this to work correctly.
Happy browsing!
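The second option above (trusting the issuer) and the iPhone answer at the top of this page (installing your own certificate on the device) both come down to a private CA whose root the client trusts. Here is an added example, not code from any of the original answers or from the linked JBoss guide, that builds such a CA with openssl, issues a server certificate from it with a subjectAltName, and shows with openssl verify that the server certificate is untrusted until the CA is trusted; it assumes the openssl CLI and uses a constructed placeholder hostname.

```shell
#!/bin/sh
# Added example (not from the original questions or answers): build a private CA
# with openssl, issue a server certificate from it, and show with "openssl verify"
# that the server cert stays untrusted until the CA itself is trusted, which is
# what importing the CA into a browser, Keychain or an iOS profile achieves.
# Assumes the openssl CLI; the hostname is a constructed placeholder.
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
domain="files.example.test"
# Minimal req config so the example does not depend on the system openssl.cnf;
# -subj overrides the placeholder DN on each call.
cat > "$workdir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Private CA: self-signed and marked CA:TRUE so it may issue certificates.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$workdir/req.cnf" -extensions v3_ca -subj "/CN=My Private CA" \
        -keyout "$workdir/ca.key" -out "$workdir/ca.crt" 2>/dev/null
}
# Server certificate issued by the CA. Browsers and iOS match the hostname
# against subjectAltName, so the CN alone is not enough.
make_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$workdir/req.cnf" \
        -subj "/CN=$domain" -keyout "$workdir/server.key" -out "$workdir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$domain" > "$workdir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$workdir/server.csr" -CA "$workdir/ca.crt" \
        -CAkey "$workdir/ca.key" -CAcreateserial -extfile "$workdir/server.ext" \
        -out "$workdir/server.crt" 2>/dev/null
}
# Fails: the chain ends in a root the system does not trust (the browser's view).
verify_without_ca() { openssl verify "$workdir/server.crt" >/dev/null 2>&1; }

# Succeeds once the CA is trusted and the hostname matches the SAN.
verify_with_ca() { openssl verify -CAfile "$workdir/ca.crt" -verify_hostname "$domain" "$workdir/server.crt" >/dev/null 2>&1; }

make_ca && make_server_cert
verify_without_ca || echo "without the CA: untrusted"
verify_with_ca && echo "with the CA: trusted for $domain"
```

Distributing ca.crt (never ca.key) to each device is the one-time step per client that the answer above calls the logistical limit.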

My FBML APP doesn't work accessing through HTTPS

Just installed an SSL certificate and when I try to access my FBML app through an https connection I can't see the application, the page is blank and I'm losing lots of users and the rating of my app is dropping.
However, if I access the app through http (non-SSL) I can see it without problems.
Thanks!
Have you solved it?
'Cause I think the problem is caused by Chrome.
If your application has a self-signed SSL cert and you open it in Chrome you'll receive a 501 error message. Chrome should show an alert message with a 'continue' button to enter the app, but this doesn't happen when Chrome calls an https resource from an iframe.
Is it a self-signed certificate? For some reason, FB doesn't support those, and you'll need a certificate which is signed by a CA.