Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Heroku: Spring Boot Gradle app with https tomcat server and certificate pinning

I have a Spring Boot java app that uses a self-signed certificate to communicate with the android front-end.

I use a tomcat server as my container for the app:

compile 'org.springframework.boot:spring-boot-starter-tomcat'

Now, I have enabled https / ssl:

            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) container;
            tomcat.addConnectorCustomizers(connector -> {
                connector.setPort(Integer.parseInt(serverPort));
                connector.setSecure(true);
                connector.setScheme("https");

I have to enable SSL as I want my android frontend to communicate to my server securely. I use the technique called certificate pinning which means I add the same self-signed certificate to both my server and my android app. For any http communications between the two, the communication will be encrypted with the keys of the same certificate and hence the server and android app will be able to understand one another.

When I load it into Heroku, I get errors each time I try to call the server:

2015-12-11T20:04:32.424629+00:00 heroku[router]: at=error code=H13 desc="Connection closed without response" method=GET path="/getfood?postid=566348364a918a12046ce96f" host=app.herokuapp.com request_id=bf975c13-69f3-45f5-9e04-ca6817b6c410 fwd="197.89.172.181" dyno=web.1 connect=0ms service=4ms status=503 bytes=0

According to this blog by Julie: http://juliekrueger.com/blog/

As a side note, Heroku apps are https enabled by default. The server I was installing had Tomcat configured to use https, and trying to access an endpoint was returning a code=H13 desc="Connection closed without response" error. After I removed that configuration the error went away.

I can fix the error by just removing the ssl / https from my tomcat server, but as I mentioned, I want to use the certificate pinning technique for secure communications.

I was thinking whether it was possible to disable the SSL on heroku side but keep my tomcat server SSL active but I already contacted Heroku and they told me that disabling the piggyback SSL that comes standard with their service is not possible.

I also looked at the paid alternative here called SSL Endpoint but it seems only userful for custom domains. Since all endpoints are coded within my android app and is not visible to the user, it makes no sense for me to use a custom domain. Furthermore, I don't think it will solve my problem as its sole objective seems to be to create the custom domain:

SSL Endpoint is only useful for custom domains. All default appname.herokuapp.com domains are already SSL-enabled and can be accessed by using https, for example, https://appname.herokuapp.com.

I googled for a few days now and cannot seem to come up with a solution. Disabling ssl on my tomcat side would not be acceptable in my mind as it poses too much risks. I would even consider other services (Azure etc) if this would solve my problem.

Any ideas on how I can solve this?

like image 594
Simon Avatar asked Dec 11 '15 20:12

Simon


1 Answers

With Heroku, in order to use your own custom SSL, you need to use a custom domain and the SSL Endpoint addon, it will probably won't make sense for your case, but it is the only way to use your own certificate.

And I haven't tried all the providers out there, but with the ones I tried, the scenario is exactly the same, it is possible to use custom SSL cert only if you are using a custom domain.

Although, browsing google a bit, found this blog post where it ilustrates how to use an intermediate DNS service to comunicate with Heroku. In the communication between the DNS service and Heroku, the provided heroku SSL cert is used, but from the client to the DNS service a different certificate is used, so it might be of some help.

Update: A possible solution would be to use Amazon Web Services, where the deal is that you rent VM's and you are allowed to setup your own environment, meaning that you can install your own tomcat and use your own custom SSL.

Update 2: Also there is CloudFront with AWS, where you can use your own certificates explained here

like image 60
saljuama Avatar answered Sep 16 '22 11:09

saljuama