New Developer
Posts: 6
Registered: ‎12-23-2010
My Device: Not Specified

Connecting to https server using an invalid (self signed) certificate

Hi,

I've been able to run an application in the tablet simulator that gets data from an HTTP service exposed through SSL (i.e. HTTPS), but only when the certificate is a valid (trusted) one.

Using a test server that uses a self-signed certificate, invalid of course, I get error 2032, "ioError".

Googling around, I've found some statements that suggest that in other environments (desktop), a warning is shown in this situation (see for example http://forums.adobe.com/thread/680181?tstart=0). I mean, at least it works.

As I said before, in the tablet simulator I just get an error. I wonder if there are any workarounds or if someone out there knows this limitation and has more information.

Thank you very much!

Developer
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10
My Carrier: none

Re: Connecting to https server using an invalid (self signed) certificate

 


MauroUY wrote:

I've been able to run an application in the tablet simulator that gets data from an HTTP service exposed through SSL (i.e. HTTPS), but only when the certificate is a valid (trusted) one.

Using a test server that uses a self-signed certificate, invalid of course, I get error 2032, "ioError".

Googling around, I've found some statements that suggest that in other environments (desktop), a warning is shown in this situation


The same thing happens with just about any web browser, and when it does and you choose the option to "accept anyway", I believe the server is always installing the invalid certificate in with the other certificates by using some OS-provided API. I doubt that's available (at least yet) for the PB.

If you would like to do this for testing purposes, you could learn how to generate your own root certificate, then use that to sign the SSL certificate. If you install the root certificate in the right place, that may let your system get past the problem.

I can't say for sure that this will actually fix the problem as seen from AIR, but would think that it would. The location of the root certificates (at the moment) is /etc/openssl/cert/cacert.pem. You could use FTP to retrieve that file, add your own trusted root certificate, then upload it again, or you could connect using telnet to modify it directly in the system (using "vi", or just appending with cat and redirection, if you know how).

If you need instructions on how to get into the system, as they haven't been provided directly by RIM at this time, you can look at page 56 of the PDF previously linked in another thread by @janetsa. That wasn't written for the PB but seems to work fine here, in development mode, and I expect that's by design.

(For anyone else reading, that document also covers a few nice details of the Persistent Publish-Subscribe feature of QNX.)

@MauroUY, I have not actually tried doing this myself yet (installing my own root certificate in the PB) so I can't say for sure it will work. Also, if you haven't done a lot with SSL certificate signing in the past, this may all be beyond you. I'm not an expert at it either, but if you can't figure it out, and no better options present themselves, I can take a stab at it. There are lots of pages on the web about generating your own root certificate and using it to sign another, but it would take a while for me to collect them all in a nice How To.


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
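
The procedure suggested in the post above (your own root certificate, an SSL certificate signed by it, the root appended to the CA bundle), as an added example that is not part of the original thread. The bundle here is a local stand-in built from an unrelated root, and every subject, host name and file name is constructed.

```shell
#!/usr/bin/env bash
# Added example; subjects, host name and file names are constructed.

# Minimal request config, so the root carries basicConstraints CA:TRUE on any build.
write_conf() {
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
        'prompt=no' '[dn]' 'CN=placeholder' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1"
}

# make_root DIR NAME CN: self-signed root certificate DIR/NAME.pem, key DIR/NAME.key
make_root() {
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 30 -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# sign_server DIR: server key and CSR, then a certificate signed by DIR/ca.pem
sign_server() {
    openssl req -config "$1/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=test-server.example" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 30 -out "$1/server.pem" 2>/dev/null
}

# trusted_by BUNDLE CERT: succeeds only if CERT chains to a root found in BUNDLE
trusted_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Check the server certificate before and after the root is appended to the bundle.
run_demo() {
    work=$(mktemp -d) || return 1
    write_conf "$work/req.cnf"
    make_root "$work" other "Constructed Unrelated Root" || return 1
    make_root "$work" ca "Constructed Test Root CA" || return 1
    sign_server "$work" || return 1
    cp "$work/other.pem" "$work/cacert.pem"      # stand-in for the device bundle
    trusted_by "$work/cacert.pem" "$work/server.pem" \
        && before=accepted || before=rejected
    cat "$work/ca.pem" >> "$work/cacert.pem"     # append with cat and redirection
    trusted_by "$work/cacert.pem" "$work/server.pem" \
        && after=accepted || after=rejected
    rm -rf "$work"
    echo "before=$before after=$after"
}

run_demo
```

This checks the certificate chain only; a client that also checks the host name needs the server certificate to carry a matching subjectAltName. Only the root certificate goes into the bundle, and `ca.key` stays off the device.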
New Developer
Posts: 6
Registered: ‎12-23-2010
My Device: Not Specified

Re: Connecting to https server using an invalid (self signed) certificate

peter9477, your message has given me a better understanding of the problem, thanks.

Something I need to clarify is that I'm not after testing purposes. Connecting to HTTPS using self-signed certificates is a feature for the end user. Given this, installing a new root certificate is not exactly what I'm looking for, but a feature in the PB that seems missing (as you correctly point out). This feature will be something like what you described for browsers: a warning and the option to accept the invalid certificate anyway.

Thank you again


Developer
Posts: 6,473
Registered: ‎12-08-2010
My Device: PlayBook, Z10
My Carrier: none

Re: Connecting to https server using an invalid (self signed) certificate

 


MauroUY wrote:

Something I need to clarify is that I'm not after testing purposes. Connecting to HTTPS using self-signed certificates is a feature for the end user. Given this, installing a new root certificate is not exactly what I'm looking for, but a feature in the PB that seems missing (as you correctly point out). This feature will be something like what you described for browsers: a warning and the option to accept the invalid certificate anyway.


I would imagine one would not want the PB itself (i.e. the OS, or anything outside of the app) to actually be responsible for showing the warning and handling the user input on the matter... what you probably would want is an API to handle this.

I would imagine it would involve first of all something like a SecurityErrorEvent, which an app interested in handling this situation would listen for. It would then be responsible for interacting with the user, at which point it could then somehow direct the OS to use the certificate for the current connection, or it would save it in its applicationStorageDirectory for future use, making it a permanent acceptance. It would not "pollute" the OS or any other application with this invalid certificate.

If this sounds reasonable, I'd suggest you submit it as a feature request in the issue tracker. Instructions are always available in this sticky message at the start of the forum's topic list.


Peter Hansen -- (BB10 and dev-related blog posts at http://peterhansen.ca.)
Author of White Noise and Battery Guru for BB10 and for PlayBook | Get more from your battery!
New Developer
Posts: 6
Registered: ‎12-23-2010
My Device: Not Specified

Re: Connecting to https server using an invalid (self signed) certificate

I totally agree with you. Following your suggestion, I requested a feature in JIRA: https://www.blackberry.com/jira/browse/TABLET-34