I want to use SSL certificates in Codename One. Currently I am using the code below to connect to the server:
ConnectionRequest req = new ConnectionRequest();
req.setUrl("http:/something");
But I want to use HTTPS instead of HTTP. I want to import custom SSL certificates and use them in my app.
How do I import and use SSL certificates?
You should just change this to HTTPS but you can't use a custom (invalid) SSL certificate. Your certificate must be valid and must be from a valid certificate authority for it to work.
If this is just for debugging you can add your debugging certificate to the device in the device settings which usually allows you to customize the root certificates.
I use this code to connect to my own MQTT broker with a socket from Next.js and it works fine:
import mqtt, { MqttClient } from "mqtt";
//...
mqtt.connect("ws://IPADDRESS:1884");
//....
Now I want to change it to secure WebSocket (wss) and I have a CRT file, but I don't know how to add it.
import mqtt, { MqttClient } from "mqtt";
//...
mqtt.connect("wss://IPADDRESS:1884");
//....
You can use the same certificate that you used for the website for the WebSocket too. For example, if the website URL is https://test.com, you should connect to test.com with wss (wss://test.com:1884) and use the same SSL certificate in your broker. For Mosquitto, the config file should look like the one below.
listener 1883
allow_anonymous true
listener 1884
protocol websockets
socket_domain ipv4
cafile C:\Program Files\mosquitto\cert\ca.crt
keyfile C:\Program Files\mosquitto\cert\server.key
certfile C:\Program Files\mosquitto\cert\server.crt
tls_version tlsv1.2
Port 1883 is used for MQTT connections without TLS; for WebSocket, use port 1884, which needs an SSL certificate.
The certificate files should be on the server, they are:
ca.crt is the CA file of your SSL certificate
server.key is the private key
server.crt is the CRT file of your SSL certificate
When you connect to the WebSocket from your website, because it is HTTPS and you connect to the same URL for the WebSocket, it uses the same SSL certificate and you don't need to import it into the browser.
As hashed out in the comments.
You cannot load insecure content from a page loaded over HTTPS. This means if the page loads over https://, then the WebSocket connection must be wss://
The browser will not ask you to approve a self-signed or untrusted certificate when making WebSocket connections like it does when trying to navigate to an HTTPS site with a certificate not signed by a trusted CA.
You have 2 choices:
You manually import your self-signed certificate into the browser's trust store. This is only a valid option for dev/test as it would need to be done to ALL browsers that ever access the site.
You get a certificate from a trusted CA (e.g. LetsEncrypt) and use it for both the HTTP server and the broker (or you get something like Nginx to proxy for the broker and do TLS termination for both).
I was hoping to get clarification on a previously answered question here.
I interpret the statement "If you configured IIS to demand..." to say that IIS will not verify certificate validity unless you've selected "accept" for client certificates.
Is this correct?
Yes. If the website is not configured to accept or require client certificates, they are ignored (if still provided by the client) and are not validated. If the website is configured to Accept or Require client certificates, then the certificate is validated according to validation rules when presented.
Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one. Require only continues with connections that have a client certificate. So to validate the certificate, use Require.
Refer to the below link for how to configure client certificate authentication.
https://learn.microsoft.com/en-us/archive/blogs/asiatech/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7
I am using the REST API to make calls to the HTTPS domain and Salesforce is giving me
System.CalloutException: java.security.cert.CertificateException: No name matching certificate found
So I asked the client for the certificate. The client provided us with .CER certificate files. How will I use them? I converted them to JKS using Java KeyTool but all in vain.
Certificate import in Salesforce, to be used with named credentials/callouts, only supports .jks file extensions. You need to ask your certificate provider to give you one in .jks.
You can import certificate in Salesforce Panel.
Setup->Security Controls->Certificate and Key Management
I'm building a web service for Salesforce to call. Two-way SSL is used for security, and Salesforce has provided its client certificate: sfdc-client.cert.
In order to test whether the Salesforce client certificate works or not, I have set up a very simple website on Mac Apache and enabled SSL and client authentication in the SSL config file /etc/apache2/extra/httpd-ssl.conf as below (using self-signed):
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
SSLCACertificateFile "/private/etc/apache2/ssl/sfdc-client.cert"
SSLVerifyClient require
SSLVerifyDepth 10
The first time I browsed with Chrome, I got "SSL Connection Error"; I suppose that is correct in this case.
Then I tried to import sfdc-client.cert into Keychain Access, but it does not work at all because it only supports the p12/pfx format.
I also tried to use CURL:
curl https://test.com --cert-type der --cert sfdc-client.cert
but got the error:
curl: (58) unable to use client certificate (no key found or wrong pass phrase?)
I'm a total newbie at this stuff. Does anyone know how to test the client certificate to make sure it works as above?
First you need to have both the client's certificate and the certificate's private key to be able to test 2-way SSL authentication.
To test with web browser, follow instructions here: Is there a way to test 2 way ssl through browser?
I have set up a custom domain: "https://developers.google.com/appengine/docs/domain"
I have uploaded "An SSL certificate and private key" (to create those I am using "XCA" on Ubuntu, available in the Ubuntu Software Center).
Result: the "Assign all matching URLs" or "Add" button is inactive.
What are the details to follow for setting up SSL for an App Engine custom domain?
HELP: following the link on "http://support.google.com/a/bin/answer.py?hl=en&answer=2644386" refers to a login see: (moma single sign on) ???
This is the correct documentation link:
https://developers.google.com/appengine/docs/ssl
When adding an App Engine app to use SSL over your custom domain, create the PEM-encoded X.509 certificate and unencrypted PEM-encoded RSA private key with openssl:
openssl genrsa -out rsaprivkey.pem 1024
openssl req -new -x509 -key rsaprivkey.pem -out dsacert.pem
When openssl asks you questions for your app's name, make sure to include the entire URL as in your answer: www.abc.com to secure https://www.abc.com
-Ben
It's simple: the domain I am using should use CN -> www.abc.com and not just abc.com.
"All subject names on the host certificate should match or be subdomains of the domains associated with the account in the Google Apps Control Panel."
Thanks for the documentation link :-)
Under Google App Admin console -> select App Engine apps -> select app -> Add New URL
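Several of the threads above turn on the same check: the name the client connects to must appear in the server certificate (the Salesforce "No name matching certificate found" error, www.abc.com versus abc.com on App Engine, and wss://IPADDRESS versus wss://test.com for the broker). The following is an added example, not code from any of the posts: a simplified sketch of that name matching in JavaScript, using a hypothetical certificate shape (cn, dnsNames, ipAddresses) and constructed sample data, including the documentation address 203.0.113.10 standing in for IPADDRESS.

```javascript
// Added example. Certificate objects are constructed sample data in a
// hypothetical shape { cn, dnsNames, ipAddresses }, not parsed certificates.

// A wildcard counts only as the whole leftmost label and covers one label.
function dnsPatternMatches(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, "").split(".");
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length || h[0] === "") return false;
  return p.every((label, i) =>
    label === h[i] || (i === 0 && label === "*" && p.length > 2));
}
const isIp = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s) || s.includes(":");

function checkName(host, cert) {
  const dns = cert.dnsNames || [];
  const ips = cert.ipAddresses || [];
  if (isIp(host)) {
    // An IP literal matches only an IP SAN entry, never a DNS name or the CN.
    return ips.includes(host)
      ? { ok: true, matched: "IP:" + host }
      : { ok: false, reason: "no IP SAN for " + host };
  }
  if (dns.length > 0) {
    // Once DNS SAN entries exist, the CN is not consulted.
    const hit = dns.find((p) => dnsPatternMatches(p, host));
    return hit
      ? { ok: true, matched: "DNS:" + hit }
      : { ok: false, reason: host + " not in SAN list: " + dns.join(", ") };
  }
  // CN fallback for certificates without DNS SANs; current browsers skip
  // this step and require a SAN entry.
  if (cert.cn && dnsPatternMatches(cert.cn, host)) {
    return { ok: true, matched: "CN:" + cert.cn };
  }
  return { ok: false, reason: host + " does not match CN " + cert.cn };
}

// Constructed certificates modelled on the names used in the threads above.
const wwwOnly = { cn: "www.abc.com", dnsNames: [], ipAddresses: [] };
const wildcard = { cn: "abc.com", dnsNames: ["abc.com", "*.abc.com"], ipAddresses: [] };
const broker = { cn: "test.com", dnsNames: ["test.com"], ipAddresses: [] };

function demo() {
  const cases = [["www.abc.com", wwwOnly], ["abc.com", wwwOnly],
    ["a.b.abc.com", wildcard], ["203.0.113.10", broker], ["test.com", broker]];
  return cases.map(([host, cert]) => ({ host, ...checkName(host, cert) }));
}

console.log(demo());
```

Only the first and last cases pass: a certificate for www.abc.com does not cover abc.com, a wildcard covers a single label, and a broker certificate issued for test.com fails when the client connects by IP address.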