I have HTTP requests in my iOS app to a simple NODE.js app on my server. Since iOS has App Transport Security, I wondered how I could simply add a self-signed SSL certification to my IP address then I wouldn't have to worry about bypassing ATS. It would just look like
https://192.0.2.12/API
Is there a simple way to do it on an Ubuntu server?
Related
I have an OpenID Connect server (OpenIDdict) and an asp.net core webapp in containers behind a TLS termination proxy. In production, all communication between the webapp and the OIDC server can go through the 'outside', based on their public names. However, in development, I'm using self signed certificates that aren't trusted by the containers running the apps, only by my host pc. Because of that, in development, the webapp can redirect the browser to the OIDC server just fine, but when it, for instance, needs to call the token endpoint, it will fail, because the certificate isn't trusted.
A possible solution would be to have the server to server communication go through the internal container network, but I haven't been able to get that to work. Is there a way to make the asp.net core OpenID Connect middleware use a different url (and protocol) for server to server communication?
Another solution would be to install the self signed certificates in the containers, but because that's only needed in development, it seems bad practice to burden the images with that. Is that assessment correct?
I'm hoping I'm missing the most obvious solution. Any ideas?
This is what I ended up doing:
I added a custom domain to the hosts file of my pc, pointing to itself.
Using openssl, I created a rootDevCA.crt and added it to the trusted root on my pc and in all the container images.
With that root certificate, I signed a new certificate for the custom domain and supplied that (including its key) to the proxy.
As long as I keep the key file for the root certificate far away from my source code, there should be no security issues.
My app needs to connect to an internal web server through https.
The server has a self-signed certificate that is valid until next year:
I have installed this certificate in the iOS Simulator and on the device (Certificate.cer):
I am watching the traffic with Charles and the request does not even "leave" my computer.
The problem seems to be due to the SSL Certificate because when I can access the server through the internal url and the port 8080 everything works fine.
I did try the hack with the category allowsAnyHTTPSCertificateForHost:. This did not work in the simulator as well as on the device.
There seems to be official API to do this: How to use NSURLConnection to connect with SSL for an untrusted cert?
However, since this is only my development environment I would prefer not to change my code base for now. Plus I am using a framework to parse my data and I might have to deeply interfere with that framework to get to the API described above.
So my question is, should it not be possible to install the certificate and then use the server as if there was an official SSL certificate.
Email the self-signed certificate to yourself then open it on your iPhone. You will be taken through the steps to install the certificate on your phone.
I'm doing a MITM research paper on iOS and Android focused on WebView / Hybrid Apps. This is my test setup:
Open WIFI Hotspot
iOS and Android Devices on the WIFI
Linux machine with Apache Proxy on the WIFI
ICMP Redirect (DoubleDirect), DNS or Forwarding to pipe all traffic through my Linux machine
For www.example.com I have a valid certificate from a trusted CA
I want to redirect a WebView request to https://www.facebook.com/ to my own site https://www.example.com/ directly on my Apache Proxy, without the user noticing anything in a hybrid App.
If this possible and how can I do that?
I created an MVC web application and embedded an WebSockets chat server. I can deploy this app to an secure endpoint, but how can I get the WebSocketHandler to listen to a wss:// endpoint?
If your web app has a HTTPS binding, WSS should be able of connecting. Check your IIS configuration, enable the port TCP 443 with HTTPS binding and a certificate in the bindings configuration.
Now if you access the web app through HTTPS, you should connect via WSS without problems.
If you access via HTTP, the certificate is self signed, and you didn't accept it in the browser before, it will probably fail. Watch out with that.
I have an application (an installation of Discourse) that I'm trying to deploy. However, the email server that it is pointed at has a self-signed ssl cert for SMTP.
Is there a workaround for this? Or do I need to find a way to send mail using a "valid" SSL cert?
Few things actually care that deeply about a proper cert for SMTP. Mostly user agents.
If the cert is a problem you won't get timeouts, you'll get validation errors. I suspect what's happening is that you're trying to connect over the SMTPS port which isn't listening or exposed by the firewall.
Try using SMTP+STARTTLS. That negotiates TLS over port 25 or 587 instead of trying to connect directly to 465.