Does dart support client SSL/TLS connections yet? - dart

I am thinking of writing an Apple Push Notification server using Dart. Does Dart support client side SSL/TLS certificates?

Yes! Dart VM now supports SSL/TLS, and HTTPS.
See http://code.google.com/p/dart/issues/detail?id=3950 and http://code.google.com/p/dart/issues/detail?id=3593 which are now closed. :)

Dart supports SSL/TLS client connections using SecureSocket. It also supports secure server sockets using SecureServerSocket (use this if you need to listen on a secure port on the VM).
Note that the ordinary HttpClient will automatically handle HTTPS for your browser connections so no extra code is needed in these cases.
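
A client-certificate connection with SecureSocket could look like the following. This is an added example, not code from the original answers; the host, port and PEM file paths are assumptions supplied on the command line.

```dart
import 'dart:io';

// Added example: builds a TLS context that verifies the server against the
// platform's trusted roots and presents a client certificate.
SecurityContext buildClientContext(String certChainPem, String privateKeyPem,
    {String? keyPassword}) {
  final context = SecurityContext(withTrustedRoots: true);
  // Client certificate (plus any intermediates) and its private key, sent
  // when the server requests client authentication.
  context.useCertificateChain(certChainPem);
  context.usePrivateKey(privateKeyPem, password: keyPassword);
  return context;
}

Future<void> main(List<String> args) async {
  final port = args.length == 4 ? int.tryParse(args[1]) : null;
  if (port == null) {
    stderr.writeln(
        'usage: dart run tls_client.dart <host> <port> <cert.pem> <key.pem>');
    exitCode = 64;
    return;
  }
  try {
    final context = buildClientContext(args[2], args[3]);
    // No onBadCertificate callback is passed, so an untrusted or mismatched
    // server certificate aborts the handshake instead of being accepted.
    final socket = await SecureSocket.connect(args[0], port,
        context: context, timeout: const Duration(seconds: 10));
    final cert = socket.peerCertificate;
    print('Connected to ${args[0]}:$port');
    print('Server subject: ${cert?.subject}');
    print('Server issuer:  ${cert?.issuer}');
    print('Valid until:    ${cert?.endValidity}');
    await socket.close();
  } on IOException catch (e) {
    // Covers unreadable key files, TLS handshake failures and socket errors.
    stderr.writeln('Connection failed: $e');
    exitCode = 1;
  }
}
```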

Related

Enable http2 on Azure Web App MVC application requests

I am trying to enable the http2 protocol on an Azure Web App MVC application without any luck. The tutorial is simple: just activate 2.0 in the Application settings of the portal. Online http2 tests state that the http2 protocol is enabled, yet no request is on http2.
HTTPS is enabled, minimum TLS version set to 1.2... any ideas on what can go wrong?
It seems that an antivirus on my computer was the root cause for all the requests still being on http. After I disabled it, the requests were, as expected, on http2.

Communication between a http server and https server will be secured?

I am trying to implement an HTTP server inside an iOS app. I could see similar apps in the app store. But in my case, embedded HTTP server has to communicate with external HTTPS Server. So now,
is the communication secured? Or do I need to implement HTTPS server, instead?
Is it possible to implement an HTTPS server in iOS app?
Will Apple reject this approach?
Thanks in Advance
I'm assuming that you use the internal HTTP server to provide intercepted content for a WKWebView. In this case your web view connects to the HTTP server over HTTP and this connection is insecure. But generally this shouldn't be an issue because nobody can intercept the connection. Your HTTP server connects to the internet over HTTPS, and this should be done because this connection could be compromised.
Don't be confused about the different protocols. If you call an HTTPS URL, NSURLSession will use HTTPS and use a secured connection. There is no pitfall or issue. You needn't support HTTPS for the web view to server connection. This will not give you notably more security.
I use a similar setup in my application and it works perfectly.
BTW: In iOS 11 you may use WKURLSchemeHandler to intercept web view requests. This should be much easier than a local HTTP server. The disadvantage is, that you have to define a custom protocol (e.g. xhttp instead of http), and rewrite the URLs in the web content. But this should be much easier to achieve than a local HTTP server.

iOS: Shipping apps using HTTPS where HTTP used in development

In production we will use a REST web service secured with SSL (HTTPS) while in development we're not using SSL (HTTP).
To allow HTTP communication we've configured our development hosts with NSTemporaryExceptionAllowsInsecureHTTPLoads set to true.
Is it considered acceptable to ship apps with this setting or is there a better way to do this? We weren't sure if Apple would object to this configuration.
Went with Roman's suggested approach and enabled ATS for debug but disabled it for all release builds. https://stackoverflow.com/a/32704702/47281

How to disable SSL 2.0 on iOS?

Currently the app I'm working on uses NSURLConnection to connect to the server using HTTPS. The requirement is to enforce the prevention of connections using SSL 2.0 and to use only SSL 3.0 or TLS for connections.
What should be done to disable SSL 2.0 support in the app? As far as I see, lower-level CFNetwork or Secure Transport APIs provide some control over the SSL protocol, but should all the current NSURL* networking code be changed in order to do this?
As far as I know, you cannot achieve this with NSURLConnection.
However, NSURLSession provides APIs to configure a session via an NSURLSessionConfiguration and TLSMaximumSupportedProtocol and TLSMinimumSupportedProtocol.
Switching from NSURLConnection to NSURLSession/NSURLSessionTask should be straightforward.

Security - Ejabberd - Validate Client

I have installed Ejabberd on our AWS server.
We are developing an iOS messenger app and we don't want clients other than our iOS app to access our messaging server.
All the ejabberd services should be accessible only by our iOS app:
To register
To log in
To send messages and use any other service.
What configurations and settings do I have to apply to secure our server?
There is no 100% way to prevent other clients from mimicking your own client. You may use a different protocol, or one more layer of encryption, or special marks that allow your server to make sure that the client is yours. But if someone has the desire to write his own client, he'll use your own client to understand what should be sent on the wire.
XMPP is built on top of TCP, so there is no good way of restricting access to the server socket. If you want to be compliant with XMPP you need to use encryption; otherwise use your own custom protocol (like Skype).
