Codename One BrowserComponent - read server certificate - codenameone

Is it possible to read the server TLS certificate in the BrowserComponent (specifically the public key)?

No. You can probably use native interfaces to do that...
But I'm assuming that what you're trying to do is verify the server to protect against some attacks specifically through certificate pinning. Is that correct?
If so, check out the certificate pinning section in the developer guide here: https://www.codenameone.com/manual/security.html

Related

UAExpert does not find OPC UA server certificate

I have an OPC UA server based on open62541 that connects correctly with the client UAExpert of Unified Automation. I try to add a server certificate but UAExpert cannot find it, even if I add it to the trust list from UAExpert>Certificate manager.
Is it loaded correctly?
    UA_Server *server = UA_Server_new();
    UA_ServerConfig *config = UA_Server_getConfig(server);
    config->serverCertificate = loadCertificate(); // Returns UA_ByteString of the file certificate.der
    if(config->serverCertificate.length > 0)
        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_SERVER, "Certificate loaded");
    UA_ServerConfig_setDefault(config);
I don't know if the method UA_ServerConfig_setDefault is enough for loading the certificate, because the examples I have seen use UA_ServerConfig_setDefaultWithSecurityPolicies for setting the server configuration. I tried to test the example of server_encrypted.c but when I compile it, it throws exceptions about libraries and glibc versions.
Thanks in advance.
Welcome to stackoverflow.
I have no experience with open62541, but the client connects using an endpoint from the list of endpoints previously read from the server. The chosen endpoint should contain a certificate, and when calling CreateSession the server resends the certificate; if both certificates are not equal, the client must cancel the process, as required by the OPC UA specifications.
Maybe one of the two certificates is not being sent by the server, or they are not equal.
I think you better ask here https://groups.google.com/forum/#!forum/open62541

NPGSQL SSL With Client Certificate and Key Files

I am attempting to create a C# application that connects to a PostgreSQL database using SSL with client certificate and key files similar in functionality to the PGAdmin UI, but the documentation for this in NPGSQL is lacking and I cannot find any examples. The documentation states that it "works just like on .NET's SSLStream", but I am not seeing any correlation between the two. Has anyone created a connection using this method that can possibly provide some help?
I am facing the same situation. Documentation certainly needs to describe usage explicitly on how to supply cert, key and CA files if needed to the connection string or connection builder, and how the ProvideClientCertificatesCallback can actually supply back cert, key and CA files.
Nov 2018: I got below sample code to work for self-signed certs:
    var connection = new NpgsqlConnection(connectionStringBuilder.ConnectionString);
    connection.ProvideClientCertificatesCallback += clientCerts => this.GetMyClientCertificates(clientCerts);

    private void GetMyClientCertificates(X509CertificateCollection clientCerts)
    {
        clientCerts.Add(<supply an instance of X509Certificate2 here>);
    }
You need to have SSL=true in your connection stream, and then provide a ProvideClientCertificatesCallback on your NpgsqlConnection before opening it (like SSLStream).

TCP Connections to Postgres Secure? SSL Required?

Good morning,
I was going through the Postgresql configuration files, and recently noticed that there is an ssl option. I was wondering when this is required.
Say if you have an app server and a database server - not running inside a private network. If a user tries to log in, if SSL is not enabled will the app server transmit the user's password in cleartext to the database when looking up if it is a valid username/password?
What is standard practice here? Should I be setting up my DB to use SSL?
If that is the case, is there any difference in the connection settings in config/database.yml in my Rails app?
Thanks!
Like for other protocols, using SSL/TLS for PostgreSQL allows you to secure the connection between the client and the server. Whether you need it depends on your network environment.
Without SSL/TLS the traffic between the client and the server will be visible to an eavesdropper: all the queries and responses, and possibly the password depending on how you've configured your pg_hba.conf (whether the client is using md5 or a plaintext password).
As far as I'm aware, it's the server that requests MD5 or plaintext password authentication, so an active Man-In-The-Middle attacker could certainly downgrade that and get your password anyway, when not using SSL/TLS.
A well-configured SSL/TLS connection should allow you to prevent eavesdropping and MITM attacks, against both passwords and data.
You can require SSL to be used on the server side using sslhost in pg_hba.conf, but that's only part of the problem. Ultimately, just like for web servers, it's up to the client to verify that SSL is used at all, and that it's used with the right server.
Table 31-1 in the libpq documentation summarises the levels of protection you get.
Essentially:
if you think you have a reason to use SSL, disable, allow and prefer are useless (don't take "No" or "Maybe" if you want security).
require is barely useful, since it doesn't verify the identity of the remote server at all.
verify-ca doesn't verify the host name, which makes it vulnerable to MITM attacks.
The one you'll want if security matters to you is verify-full.
These SSL mode names are set by libpq. Other clients might not use the same (e.g. pure Ruby implementation or JDBC).
As far as I can see, ruby-pg relies on libpq. Unfortunately, it only lists "disable|allow|prefer|require" for its sslmode. Perhaps verify-full might work too if it's passed directly. However, there would also need to be a way to configure the CA certificates.
Considering data other than the password: whether you use it or not is pretty much a security posture issue. How safe do you need your system to be? If the connection is just over your private network, then anyone on that network can listen in. If that is acceptable, then don't use SSL; I would not enable it. If the connection is over the internet, SSL should be enabled.
As @Wooble says, you should never send the password as cleartext in the first place; you have a problem. The standard solution in this case is to store a hash in the database and only send the hash for validation.
Here is some link about the Rails part

AppHarbor - Same SQL Server in more than one application

I am using the variables to configure the same "connection string" between two applications, since the two do access the same database of users.
Can I set the same SQL Server (Nano 10GB) in more than one application to use transformation for web.config?
This is not currently possible since there is no way to have the connection string injected into other applications than the one that has the add-on provisioned. Feel free to add this as a feedback suggestion.
It is possible, but requires some legwork. Basically you need to have one app with a known location (URL is fine) that the others can ask for the Connection String. The hard part is doing it securely enough. I'm partway there...
I've rigged up a system where you have a password that both of your Apps know in AppSettings, and then have the Secondary Website send a Public Key to the Primary Website with the password, which then encodes the connection string and sends it back.
The password CAN be injected by AppHarbor when it does a deploy. And the connection string is also set up on the deploy. Ideally you'd use SSL but I don't have that set up and it makes life hard when working locally.
Proof Of Concept: https://bitbucket.org/Rangoric/database-coordination/overview
It does work, just start both of the website projects in there, and go to http://localhost:4002/Database and you will see what is in the connection String of the Primary website.
EDIT: I just realized that since you can piggyback the SSL Cert of appharbor with the free subdomain they give you, you can use that URL for added security if you don't have your own SSL cert.

How to accept a self-signed SSL certificate in a WCF client?

This may be a stupid question but I just can't find the answer.
What I would like to do:
I have a WCF service hosted by IIS. It is working perfectly, I can access the wsdl, I have a self-signed certificate for the server etc. I would like to call this service from a WPF client.
The problem is, since I have a self-signed certificate, I get the following exception when calling the service:
Could not establish trust relationship for the SSL/TLS secure channel with authority 'localhost'.
If I access the site (or the service) from a browser, it is no problem, because the browser warns me about the certificate, and gives me the choice of viewing the page anyway. But the WPF client just throws an exception.
I don't want to completely turn off the authentication process, I simply would like to give the users the option of ignoring this warning (as browsers do).
Can anyone provide some code for this? If you ran into a good, detailed tutorial about this, it would be awesome too. (See, my problem with the tutorials I've found is the lack of details)
Here's the minimum amount of code you need to make WCF client accept an arbitrary certificate. This is not secure. Use for testing only. Don't blame me if this code goes berserk and eats your little kitten.
    ServicePointManager.ServerCertificateValidationCallback +=
        new System.Net.Security.RemoteCertificateValidationCallback(EasyCertCheck);

The callback:

    bool EasyCertCheck(object sender, X509Certificate cert,
        X509Chain chain, System.Net.Security.SslPolicyErrors error)
    {
        return true;
    }
Code shamelessly lifted from the least helpful answer to Is it possible to force the WCF test client to accept a self-signed certificate?
You can register the certificate yourself. If you load the certificate in the client as well, and then register it as trusted, you shouldn't get that warning.
You need to find a X509CertificateCollection and add the certificate to that collection. I had this kind of problem with a SmtpClient running over Ssl.
By hooking the System.Net.ServicePointManager.ServerCertificateValidationCallback or implementing System.Net.ICertificatePolicy and identifying my own installed certificate as valid/trusted (attached to the System.Net.ServicePointManager.CertificatePolicy).
This is not WCF stuff per se, but from what I could tell, this should translate to WCF as well. It all depends on what WCF uses under the hood.
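
An added example, not part of the answers above and not code from WCF itself: instead of returning true for every certificate, the validation callback can accept a failing certificate only when it is exactly the self-signed one you expect, and only for the one host it belongs to. PinnedCertValidation, PinnedHost and PinnedSha256 are hypothetical names, the hash is a placeholder, the host is taken from the error message in the question, and the code assumes .NET Framework, where the sender passed to the callback for an HTTPS call is an HttpWebRequest.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertValidation
{
    // Assumption: host of the WCF endpoint ("localhost", as in the error message).
    const string PinnedHost = "localhost";

    // Placeholder: SHA-256 of the server certificate (DER bytes), hex, no separators.
    const string PinnedSha256 = "<SHA-256 OF YOUR SELF-SIGNED CERTIFICATE>";

    // Call once at client start-up, before the first service call.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback += Validate;
    }

    static bool Validate(object sender, X509Certificate cert,
                         X509Chain chain, SslPolicyErrors errors)
    {
        // Normal case: the chain is trusted and the name matches.
        if (errors == SslPolicyErrors.None) return true;

        // No certificate presented: nothing to compare against, so reject.
        if (cert == null) return false;

        // The callback is process-wide, so relax validation for the pinned host only.
        var request = sender as HttpWebRequest;
        if (request == null ||
            !string.Equals(request.RequestUri.Host, PinnedHost,
                           StringComparison.OrdinalIgnoreCase))
            return false;

        // Accept the failing certificate only if it is exactly the pinned one.
        using (var sha = SHA256.Create())
        {
            string actual = BitConverter
                .ToString(sha.ComputeHash(cert.GetRawCertData()))
                .Replace("-", "");
            return string.Equals(actual, PinnedSha256,
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Any sender that is not an HttpWebRequest, any other host, and any certificate whose hash differs all fail closed, so every other HTTPS connection made by the process keeps normal validation.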
