SSL For native apps talking to web apps


#1

I have website and it has one native client app that need to be installed on client computers to interact with computer. Tell me how both my website and my native app can use ssl


#2

How did you ask for our help exactly?


#3

We need to install certificate on every client machine. If you look at this article https://letsencrypt.org/docs/certificates-for-localhost/. We need to know how we can achieve this “For native apps talking to web apps” portion using letsecrypt. Another issue is that ssl certificates expire after specific time and we have no control on client machines so how we can update them ?


#4

Hi @xeesoft

this isn’t possible. Read your part:

You can use 127.0.0.1.

This problem doesn’t exist because you shouldn’t ship your certificate with the corresponding private key.

Don’t do this. It will put your users at risk, and your certificate may get revoked.


#5

Wait, is the web app going to be hosted on the users’ computers as well, or only on your web site?

Are the users going to use a web browser to connect to your site, or only use the native app?

If the users are connecting only using the native app and only to your web site, the site doesn’t need to use a publicly-trusted certificate. You can create your own certificate authority and issue certificates to yourself, and then ship the native app with its own certificate store that trusts your certificate authority. Browsers won’t trust these certificates, but your native app will, because it’s been programmed to. Is this a plausible approach for your use case?

(Let’s be clear: this is a little bit of work on your end, but it’s natural that it should be a little bit of work, because you’re creating a custom public key infrastructure.)


#6

In this case a self signed certificate is enough. With a long duration (20 - 30 years).

The client app checks the thumbprint of the certificate. If known -> accept it.


#7

This is possible, but creating your own certificate authority has an advantage. The certificate authority key can be stored offline, or in a hardware token, or on a computer that’s not connected to the Internet.

If the server is hacked, the private key that it’s using might be compromised. But using an offline certificate authority instead of a self-signed certificate allows for recovery from this situation without updating all of the clients with a new fingerprint.


#8

@schoen thank you for you reply. Website is hosted on my own server but supporting native app needs to be installed on every client machine to get access of their local computers.

Native app have no direct connection, it is selfhosted SignalR service running on clients computer 127.0.0.1:8084. When client have installed this service on the machine and after that access my website using browser they can interact with their computer hardware using my website.

Website Main feature is to access printers and some other hardware information which was not possible using web in browsers so we have made one windows service which can control all these features and have also capability to interact with our website when open on client machine.


#9

@JuergenAuer yes you are correct but if my website is using ssl certificate and my native app is not using any certificate they cannot communicate with each other.

Native App is Windows Service running self hosted SignalR so when someone open my website they can interact with their computer hardware using that Native App (using SignalR ). So here is the problem if website is using https and Native App is not using https they cannot communicate with each other


#10

The site that they then get at 127.0.0.1:8084 is ultimately provided by your server (proxied by the local app), or provided by the local app itself?


#11

Which particular connection(s) (between what and what) did you want to protect with TLS?


#12

127.0.0.1:8084 is local app, and this local app needs to communicate with my website which user opens inside browser. My website already using ssl but my local app is not using ssl because to use ssl on local app certificate must be installed on client machine and then bind with client local port i.e 127.0.0.1:8084

Connection between local app and my opened website need to be secured


#13

is it possible to show you demo so you get exact idea of problem over some video session ?


#14

What’s the actual reason that it needs to be secured if the bind address is 127.0.0.1:8084?

If you use localhost as the browser address, the browser will treat it as a secure context and not disable any features.

It’s a big challenge in general to do what you want with a public CA, which will require a lot of moving parts and coordination.

Edit: to be precise, are you wanting to communicate from browser context https://app.example.org to browser context http://127.0.0.1:8084 ?


#15

@_az yes you are correct we want to communicate from browser context https://app.example.org to browser context http://127.0.0.1:8084

If i do so browser does not allow me and give me mix content error


#16

I was able to get this working using the following:

HTML (runs via SSL on https://fleetssl.com/localhost-test.html):

<!doctype html>
<html>
<body>
<script>
(async function() {
try {
        const resp = await fetch('http://127.0.0.1:8084/');
        const text = await resp.text();
        document.body.innerText += "Response: " + text;
} catch (e) {
        console.log(e);
}
})();
</script>
</body>
</html>

Web server (that runs on http://127.0.0.1:8084 without SSL):

package main

import (
	"fmt"
	"net/http"
)

func main() {

	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Methods", "GET")
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Max-Age", "3600")

		fmt.Fprint(w, "Hello world")
	})

	if err := http.ListenAndServe("127.0.0.1:8084", nil); err != nil {
		panic(err)
	}
}

and it worked fine for me in latest Chrome and Firefox:

I don’t know if that exactly matches what you need, but it’s what I can suggest. Otherwise, I’d suggest private CA, if you have control of the PCs using your app.


#17

@_az let me take screen shots and show you exact issue give me couple of mins


#18

@_az i am using port 8082 not 8084 will that make any difference ?


#19

Not at all. I think what makes the most difference is the address: 127.0.0.1. e.g. in my example, if you use localhost instead, it fails for mixed content.


#20

yes actually i am using it like this http://localhost:8082/signalr/hubs