
Self signed certificate for communication between local Win10 native app and web app

Background: I have a web app that is accessed via Chrome on a Windows 10 machine.

I also have a native Win10 application installed on the device. The web app sends data to the Win10 application via a local web service running on the machine in IISExpress.

To allow for HTTPS communication on port 44300, I've created a self-signed certificate via PowerShell:

    New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My" -NotAfter (Get-Date).AddMonths(60)

And then imported it to 'Local Computer\Trusted Root Certificates\Certificates'.

From within the web app I send a command to the win10 app that looks something like this: https://localhost:44300/CMTService.svc/JumpToAssignment?Param=Key=418584577

The win10 app is polling for these requests and picks up the message.

Issue: Different versions of Chrome behave differently with the acceptance of the self-signed certificate. For instance versions 62, 64 and 75 all accept the certificate and allow for communication with the web service. But other versions of Chrome like 76 and 78 block communication. The Security tab in the Chrome DevTools shows https://localhost:44300 as "Unknown / cancelled" and my requests fail with ERR_SSL_CLIENT_AUTH_CERT_NEEDED. Whereas in working versions of Chrome my URL shows under "Secure origins". The only thing that I change is the Chrome version to get these different results.

I've tried enabling the Chrome setting to allow for invalid certs for localhost (chrome://flags/#allow-insecure-localhost). This temporarily works, but then after closing and reopening Chrome, my requests start failing again with the same error code.

If I take one of my failing URLs and paste it into a new Chrome tab, suddenly communication with my native app in my web app resumes as normal. But it only works for that session - when I close and reopen Chrome my communication is broken again.

Question: How do I allow for communication between my Chrome v78 web app and my local native app?

asked Dec 03 '19 19:12

evres




2 Answers

ERR_SSL_CLIENT_AUTH_CERT_NEEDED means the server is asking the browser for a certificate for client authentication.

You've described how you set up server authentication, but not described how you set up client authentication.

Likely you have enabled certificates for client authentication, but have not configured the web app to send the correct client certificate or have not configured the native app to accept the correct client certificate. That's a very open-ended topic to be prescriptive without knowing more about your development efforts, but you can confirm if client authentication is enabled by inspecting a packet capture. One description of the handshake is here: https://blogs.technet.microsoft.com/nettracer/2013/12/30/how-it-works-on-the-wire-iis-http-client-certificate-authentication/.

answered Oct 09 '22 03:10

Doug
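Added example, not part of the answer above: a minimal Python check of the server-to-client bytes of a TLS handshake for a CertificateRequest message (handshake type 13), which is what a capture shows when the server asks for a client certificate. It only sees the request when it is sent in the clear during the initial handshake of TLS 1.2 or earlier (in TLS 1.3, or when the server asks through renegotiation, the message is encrypted); the sample bytes and helper names are constructed for illustration.

```python
import struct

# TLS record content types and handshake message types (RFC 5246).
CHANGE_CIPHER_SPEC, HANDSHAKE = 20, 22
NAMES = {2: "server_hello", 11: "certificate", 12: "server_key_exchange",
         13: "certificate_request", 14: "server_hello_done"}

def handshake_messages(stream):
    """Names of the cleartext handshake messages in one direction of a TLS stream."""
    body, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype == CHANGE_CIPHER_SPEC:
            break                      # records after this point are encrypted
        if ctype == HANDSHAKE:         # messages may span records, so reassemble
            body += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    names, i = [], 0
    while i + 4 <= len(body):
        size = int.from_bytes(body[i + 1:i + 4], "big")
        if i + 4 + size > len(body):
            break                      # truncated capture
        names.append(NAMES.get(body[i], "type_%d" % body[i]))
        i += 4 + size
    return names

def requests_client_cert(stream):
    """True if the server flight contains a cleartext CertificateRequest."""
    return "certificate_request" in handshake_messages(stream)

# --- constructed sample data (not a real capture) ---
def sample_msg(mtype, payload=b""):
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload

def sample_record(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

flight = sample_msg(2, b"\x00" * 38) + sample_msg(11, b"\x00" * 64) + sample_msg(12, b"\x00" * 32)
SERVER_AUTH_ONLY = sample_record(HANDSHAKE, flight + sample_msg(14))
with_req = flight + sample_msg(13, b"\x00" * 8) + sample_msg(14)
# Same flight plus a CertificateRequest, split across two records.
CLIENT_AUTH = sample_record(HANDSHAKE, with_req[:50]) + sample_record(HANDSHAKE, with_req[50:])

if __name__ == "__main__":
    for label, data in (("server auth only", SERVER_AUTH_ONLY), ("client auth", CLIENT_AUTH)):
        print(label, handshake_messages(data), requests_client_cert(data))
```
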


Just an update: I implemented a JavaScript workaround to get around my communication issues. When first loading the web app, I simply send my first communication to IIS (destined for Win10 native app) in a separate Chrome browser tab. For whatever reason this allows for successful acceptance of the certificate and kick-starts the communication with IIS. This is my code to send the command in a new tab and then close it:

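    // Send the first request to the local service in a separate tab
    var inst = window.open(launchWinAppURL);
    // window.open returns null if the new tab was blocked
    if (inst != null) {
        // Close the helper tab again after one second
        window.setTimeout(function() {
            inst.close();
        }, 1000);
    }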

This is not the most elegant solution, but it seems to work on all Chrome versions, so I'm satisfied.

answered Oct 09 '22 02:10

evres