I was wondering if any of you know if it is possible in javascript or php to test if a client has a specific client certificate installed in the browser.
The thing is that we have a server certificate installed but to be recognized by the clients, they need 2 client certificates that make them recognize the authority of the issuer of our server certificate. We would like to test the browser for these 2 certificates, if there are not there, we want to propose the client to download them before to enter in https mode...
Anybody can help? Please detail your answer if you know one.
You can do it client side by using javascript to request a known file from a secured (https) source. if the request fails then it means the client refused to accept your certificate (or another network error) at this point you could popup a message to ask the user to install the root certificate with a link to the root certificate.
This must be done from a non secure page. otherwise the user may refuse your certificate and never load the page to start with and therefore your javascript never runs
It can't be done in PHP because php (which is server side) cannot determine whether the client browser has a particular root ca installed
I however would not do this. get a proper certificate instead.
You appear to have insufficient understanding of how SSL works in general. I suggest spending some time understanding how SSL works and how certificates are used.
DC
to learn about sending and receiving http responses with javascript read this page..
http://www.w3schools.com/XML/xml_http.asp
It can be used to send and receive any text data, not just xml. It is real easy to implement but you must be aware of browser version issues.
DC
what about a warning message that will be hidden by a javascript which will be loaded from your https site.
in the warning message you can link the windows update site or wherever the updated root certifcates can be downloaded to their browser.
PHP is a server side language. If you really want to test this then you need to do it with JavaScript and then send back an AJAX request to PHP.
But I think there is another solution to your problem. Normally when a CA change their name etc. they have usually new "Intermediate Certificates" you can use. (If you have an apache httpd server then you can search for "ca bundle" on their website as well.) With this bundle you can send the new CA certificate along with your certificate.
Forcing your users to download and install a homegrown CA certificate is ugly and hateful. Instead, show them the love and pay the $30 US to get an SSL certificate signed by a reputable, already trusted, CA.
Related
I have installed and followed all the step in creating an using Openssl but when I open localhost as https the browser says the connection is not secure or brings out privacy.
Kindly let me know what am doing wrong? How can one make it https and bring the green lock?
You did everything right but the browser doesn't know your certificate.
The browser will warn you everytime he gets a certificate signed by an authority he doesn't know. That DOESN'T mean that you did something wrong.
You can add your certificate as trustworthy (i.e. add an exception for your specific certificate) in the browser and everything will function as it would with a certificate from a trusted certificate authority (e.g. Comodo, RapidSSL, Symantec, etc)
Using this page: Wamp2 and "The ordinal 942 could not be located in the dynamic link library LIBEAY.dll"
I was able to setup SSL on my wamp. It works nice, especially after I provide the server certificate (server.crt) to an user. If not, they will have an "certificate not trusted" error. It is possible to reject those who are not using SSL certificate?
Thank you!
If the client displays a "server certificate is not trusted" message, that's because the server certificate you have installed is not signed by any authority the client knows about. Likely you're using a self-signed certificate. When you add this certificate to the trusted certificate store on your client, the client now trusts this certificate and does not display the warning anymore. It's not that "the client uses a certificate", it's that the client doesn't complain about the server's certificate.
You have no influence over this process at all. The server offers its certificate, and the client trusts it or doesn't. The server doesn't know this. If the client continues its conversation with the server, that pretty much implies that it trusts the offered certificate. Whether that is because the user approved it manually or because the client trusts the certificate otherwise, the server doesn't know.
There's also the concept of client certificates, in which a client identifies itself to the server using a certificate. This is badly supported in todays client software though and probably not what you're looking for.
The website I currently created isn't using a ssl cert. If I decide to buy and use a ssl cert for my website do I need to change any code on my website? My website is written in html, php and it has a mysql backend.
Or can I just purchase a new ssl cert and not change any code?
Thanks
The SSL connection is handled by the web server, the code running on top of it has nothing much to do with it. Your code should continue to run as is if the web server is configured sensibly. If you are hardcoding links using http://... somewhere or are otherwise somehow depending on the presence or absence of HTTP/HTTPS in your code, you may need to change these specific parts.
Currently setting up a backup solution that sends a database dump and some other files from a Wordpress network to a NAS on my LAN, via WebDAV. I have installed PHP WebDAV on my web server and the basic code to get that that to work is:
webdav_connect('http://webdav.example.com/dav', 'davuser', 'davpassword');
webdav_put('/your/nice/thing.txt', $data);
webdav_close();
The issue is, my NAS requires this connection to be done via HTTPS, so in a web browser you'd see a warning which you can ignore, but PHP gives the following warning and the code fails:
Warning: webdav_put() [function.webdav-put]: Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted in /var/www/vhosts/blah/blah/blah.php on line 5
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate? The domain name used for accessing the WebDAV service on my NAS is one provided by Dynamic DNS if that makes a difference.
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate?
I don't know which HTTP Layer PHP WebDAV uses (which extension are you using?), but often it's possible to configure the underlying layer to ignore certificate errors.
If you need certificate verification for security reasons, you should obtain a valid certificate.
Just for completeness as I don't like leaving things un-answered. I've decided to access my WebDAV service via SMEStorage. They provide an API which developers can use for this sort of thing:
http://smestorage.com/?p=static&page=for_developers
I am new to the OpenSSL world and trying to implement SSO on my PHP based application. I have already set up the OpenSSL Library and PHP openssl extension.
Now, what I need to know is, what steps I need to take and where I can find reference of that. My requirement are
1- User will be provided a certificate, and browser will submit that certificate for client authentication using SSL.
2- User will not need to go through the long authentication process of login rather the certificate will handshake with the server.
3- Certificate will be self signed or my company will be the CA for every certificate.
Please guide me how to setup all these thing on PHP based application with all the steps to follow.
It's easy. Configure your client side certificate, configure your webserver to validate client certificates then point your browser at:
<?php phpinfo(); ?>
...and you'll see where to retrieve the details and how they are formatted/referenced.
(the PHP openSSL extension is irrelevant for authentication - the details are all passed by CGI from mod_ssl)
C.
Friends, I got the complete answer at
http://www.experts-exchange.com/Security/Encryption/Q_25076701.html
Now I want to confirm that can we use single client certificate and populate the commonName and email fields from credential store on the computer at run-time? My application will all be on same domain so I want their domain login to be used for my application.
Regards,