How to provide client certificate to swagger inspector - swagger

https://inspector.swagger.io/builder
I have an api hosted locally and needs a client certificate for authentication. I am able to access the API from Fiddler and Postman. For both these I could add the client certificate needed to authenticate with the api. I am not sure how I can provide this client certificate to swagger inspector. Any idea?
I see following error message:
The request has been terminated.
Possible reasons for the error:
Network error: the host is unreachable
Certificate problem: https is specified, but the service is using a self-signed, expired, or otherwise problematic certificate
CORS error: the requested service does not allow requests from other domains. Please try adding the Swagger Inspector Extension in chrome, since it can resolve this issue.
The Swagger Inspector Extension may be disabled. Please try enabling it by going to: chrome://extensions.

Related

Getting client certificates in Azure Web App using OWIN

If you are using Azure Web Apps to host your web application (let it be an ASP.NET MVC web app) you do not have the possibility to set up the IIS behind the Azure Web App to accept client certificates through an HTTPS connection. My application has some Web API endpoints that would be only accessible if the user has the correct certificate with the allowed thumbprint. However, I have other endpoints as well (and of course the website) that would be accessible without a client certificate. So in my case the only way is to accept client certificates.
I am not sure about that, but if I know well I can still get the client certificate by using OWIN while the SSL Settings in IIS is set to Ignore. If I use OWIN and go through the OWIN environment I can see a key called ssl.LoadClientCertAsync.
I am implementing endpoints that a third-party service will call, so I have no control over the content of the request. I know that there is a ssl.ClientCertificate key, with type X509Certificate, but in my case this key doesn't exist.
I have found some C# solution about using this ssl.LoadClientCertAsync key to get the certificate like in the CheckClientCertificate method of Katana or the solution in this C# Corner article. In every solution that I can find in the net, the author gets this type as a Func<Task> and then calls this task, by for example using the await operator.
var certLoader = context.Get<Func<Task>>("ssl.LoadClientCertAsync");
if (certLoader != null)
{
await certLoader();
...
After that they retrieves the certificate by using the ssl.ClientCertificate key.
var asyncCert = context.Get<X509Certificate>("ssl.ClientCertificate");
In this example, my asyncCert variable is always null. There weren't any ssl.ClientCertificate key in the OWIN context. I have tried to use the X509Certificate2 instead of X509Certificate, but I still got null.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN? If yes, why can't I get the certificate using the ssl.LoadClientCertAsync key?
According to your description, I have created my ASP.NET MVC web application for working with client certificate in OWIN to check this issue. The following code could work on my local side:
if (Request.GetOwinContext().Environment.Keys.Contains(_owinClientCertKey))
{
X509Certificate2 clientCert = Request.GetOwinContext().Get<X509Certificate2>(_owinClientCertKey);
return Json(new { Thumbprint = clientCert.Thumbprint, Issuer = clientCert.Issuer }, JsonRequestBehavior.AllowGet);
}
else
return Content("There's no client certificate attached to the request.");
For SSL Settings set to Accept, I could select a certificate or cancel the popup window for selecting a certificate.
AFAIK, we could enable the client certificate authentication by setting clientCertEnabled to true and this setting is equivalent to SSL Settings Require option in IIS.
As How To Configure TLS Mutual Authentication for Web App states about accessing the Client Certificate From Your Web App:
If you are using ASP.NET and configure your app to use client certificate authentication, the certificate will be available through the HttpRequest.ClientCertificate property. For other application stacks, the client cert will be available in your app through a base64 encoded value in the X-ARR-ClientCert request header.
My question is is it possible to get the client certificate in an Azure Web Site while the default SSL setting is Ignore by using OWIN?
AFAIK, the current SSL Settings for client certificates only supports Ignore and Require for now. When hosting your web application on azure web app, for the client users who access your azure web app with client certificate authentication, they could specify the certificate to a base64 encoded value as your custom request header when sending request to your azure web app, then your could try to retrieve the header and verify the cert if the cert custom request header exists. Details, you could follow this sample.
Additionally, you could use Azure VM or Azure Cloud Service instead of azure web app, at this point you could fully control the SSL Settings in IIS.

Connect to web API with certificate

I want to connect to third party API from my web application. They have given me a certificate file(.p12) and two .pem files.One with certificate information and one with private key.
The issue is when i try to connect to the API, it gives me an error saying 'Signature and/or certificate invalid'. This is how I added the certificate to my http request.
HttpWebRequest request = new HttpWebRequest();
X509Certificate cert = new X509Certificate("<location>","<password>");
request.ClientCertificates.Add(cert);
I want to know what is missing in here. And is there any other way to add certificate to web request.
Thanks in advance

API only works when fiddler is running

I've written a utility app for loading data into shopify through the rest API.
Having a strange error where the api only works when I'm running Fiddler.
Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
When Fiddler is running web access is through a proxy on 127.0.01:8888.
I'm not advanced enough on SSL to figure this one out. Do you need a self signed certificate to connect to an SSL API.
I found a few posts suggesting setting ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls but that didn't fix it!
>> Do you need a self-signed certificate to connect to an SSL API.
We faced similar issue with our application. If API has any certificate errors (In our case, we are using self-signed certificate), Browser will not allow you to interact with API.
Solution : Install your root Certificate, so that browser will start honoring your self-signed certificate.
>> Having a strange error where the api only works when I'm running Fiddler. Any idea what's going on? I'm sure it's a configuration issue rather than a code issue.
Whenever you enable HTTPs traffic decryption in fiddler (see below image for enabling this setting in fiddler), below things will happen.
Fiddler will automatically install its root certificate
"DO_NOT_TRUST_FiddlerRoot" to Browser's CA list.
Fiddler will use your API's self-signed certificate to decrypt HTTP traffic.
Again fiddler will encrypt same HTTP traffic using fiddler signed
certificate, i.e, for all your API calls will have fiddler signed
certificate
As fiddler signed certificates are trusted by user browser (due to step#a), you will not see any certificate errors.
Hope this information helps you!
Turns out I was setting SSL type to SSL3.
i.e. I had this code
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
and shopify doesn't use SSL3 any more.
Turns out it was nothing to do with installing certificates.

Client certificate authentication in spring security

I need to configure 'Client certificate authentication' in Glassfish 3. I tried many scenarios but couldn't configure. The requirement is - the user who imported the .cer file can alone access the application.
So we need to configure in such a way that we need to validate the .cer file that is uploaded into the browser (through which the client is trying to access the application).
Once the certificate file is validated, then we need to show the login screen (form-login). Further we validate the username/password of the user.
I tried several configuratiosn (in applicationCOntext-security.xml file) but in vain.
Can anyone tell how to configure spring security so that both the client certicate authentication (done first) and then the form-login (done next)?
Spring does not do SSL its Glassfish that is setting up the SSL connection. By the time the request has arrived in Spring security all spring security knows is that the request came in over a secure channel but does not know how the secure channel was configured.
To setup client certificate authentication you need to configure glassfish to require a client side certificate to setup the SSL connection and to refuse the connection if the client does not provide a valid certificate.
This way you will get the behavior you want if the client does not present a valid certificate to glassfish glassfish never routes the call to spring.
I do know how to setup client side ssl authentication with glass fish so I can't help you with exact details, but google should know the answer.

Calling HTTPS Web Service from iOS Application

I can call the HTTP web service but when the same service is HTTPS it throws error that it cannot be called. I am invoking it from iOS application. Do I need to pass some additional header fields related to HTTPS.
UPDATE (SOLUTION):
Seems like it just needed the HOST header parameter.
if you are not passing any authorization parameters in any way to the service and it is just a url: "https://www.xxxxxx.com/dev/tools/search=?" the issue is from server side authentication certificate. they need to allow the request to be taken in from server's end by configuring server authentication certificate.

Resources