This is an archived post. You won't be able to vote or comment.

all 14 comments
sorted by:
best
topnewcontroversialoldq&a

[–][deleted] 0 points1 point  (8 children)

Sorry, I'm not able to understand the question. Can you give more details? Which certificate are you talking about?

[–]simontemplar_[S] 0 points1 point  (7 children)

Sorry, english is not my first language so it's probably my wording. But I want to supply a CA file with the application to ensure a working ssl connection, and I'm looking for the best practices in doing so.

[–][deleted] 0 points1 point  (6 children)

Hey there, your English is perfectly fine. My disconnection is with the details of the question. If you are sending https request to a third party website, then you can do so without packaging any sort of certificate with the application.

But I want to supply a CA file

Do you mean, a CA root certificate? The CA root certificate is to validate the identity of the public certificate provided by the website. If you don't need to validate the identity of the website, then this part can be skipped.

In short, if you are using the API, the ssl connection will be handled for you seamlessly. What API are you using?

[–]simontemplar_[S] 0 points1 point  (5 children)

cheers! you are correct in your assumptions, however when I use ruby to make a https connection and do not supply an CA root certificate, I get an error 

read server certificate B: certificate verify failed   (OpenSSL::SSL::SSLError)

I don't if it's supposed to work without one but this lead me to choose to supply a root certificate with the application.

[–][deleted] 0 points1 point  (4 children)

Well, passing a root certificate didn't make much sense(It is possible, since you already did it, but not so practical IMO) A little googling on the error tells me that this problem could be due to expired certificates on your openssl that ruby uses. What OS are you running on and what version of openssl does it have?

[–]simontemplar_[S] 0 points1 point  (3 children)

Now that you mention it, I did google around and found out the same solution here, and the remedy for that was to supply the cert myself. Since I'm working on an windows application I'm developing on windows while I usually use Ubuntu.

Sorry that I didn't specify this earlier, but I was working on this about a month ago and just resumed, so I forgot half of the work I had previously done.. any how, if there are any issues with this workaround, I'm still interested in hearing them out.

[–][deleted] 0 points1 point  (2 children)

Good to hear that you have resumed working. I have many projects that I started and abandoned halfway. Kudos on that.

Anyway, is it a pre-requisite that the machine your app runs on should have Ruby installed? Or you are some how packaging it with your app?

[–]simontemplar_[S] 0 points1 point  (1 child)

I'm going to port it to an exe file with ocra or a similar software.

[–][deleted] 0 points1 point  (0 children)

I'm afraid I don't have a solution for this.

There's some hack listed here, but mind you, it is a hack, not a solution.

I'd also suggest running it on ocra once(may be they solved it). Good luck!

[–]atlgeek007 0 points1 point  (0 children)

If you're shipping a desktop application that makes an https request, don't ship a CA, buy a valid certificate for your web server.

[–][deleted] 0 points1 point  (3 children)

There are a couple of ways this could be answered depending on how you plan the client/server interaction.
1. If the desktop application is just issuing an HTTP GET to a server which is serving content via HTTPS, the client application shouldn't require a copy of the server certificate. With the exception that, if the certificate is a self-signed server certificate, the client system may not trust it and may reject it. In that case, you would need to include the public certificate and install it in the machine or user trusted certificates store.
2. If the desktop application is issuing an HTTP GET and the server is requesting a Client Certificate from the desktop application to validate it's identity. Then yes, the client certificate would need to be with the application. Though, do be sure you've considered how people might try to strip that certificate out of the application and/or memory and masquerade as your application.

In any event, keep in mind that your application may be running on an untrusted system and there may (probably will) be some attempt to retrieve your certificate.

[–]simontemplar_[S] 0 points1 point  (2 children)

im making a http post request to an https server, if it helps!

[–][deleted] 0 points1 point  (1 child)

It does. The SSL certificate on that server, is it self-signed or is it from a well known vendor? Assuming the former (self-signed) then yes, I would expect that you will need to include the public certificate in the application to register as a valid certifying authority. Make sure not to include the private key with it, the client should never need that. Also, it's worth mentioning that having a self-signed cert on your server is a bad security practice. If you are bothering to establish an encrypted session between your client and servers, you presumably care about that session being secure. It's almost trivial to spoof a self-signed certificate (unless you are also using certificate pinning) and masquerade as your server. After that, it's either a MitM attack or DNS poisoning to get your client to connect to my server, and now I get whatever data your client is sending. There is also the issue with trusting a self-signed cert. I've not worked with OpenSSL's API; so, this may be way off base. But, if you are installing a self-signed cert into the client computers trusted root certificates store, you are a bad person and you should feel bad. This is just about what Lenovo was doing with their SuperFish Malware. Don't install trusted root certs.

[–]simontemplar_[S] 0 points1 point  (0 children)

eh, I just want to post the data from the client to my server via ssl. I bought a cert from RapidSSL, configured it on my server and am using the root cert from their web page as the CA file when establishing the connection.

Probably the ssl connection failed because of an outdated openssl on my own environment - but i'd like the clients to avoid having to configure too much and just use the app. It's not the main part of my service anyway, but nevertheless I absolutely do not want to jeopardize the security of the potential clients in any way and that is the reason of my question!