burningmantech / ranger-ims-mac

Ranger Incident Management System—Mac OS Client
Apache License 2.0

Untrusted SSL cert == "unable to ping" #36

Open wsanchez opened 9 years ago

wsanchez commented 9 years ago

If the server is using an untrusted X.509 certificate (e.g. a self-signed cert), then the application brings up an error dialog when attempting to connect:

[Screenshot of the error dialog, 2014-07-29 at 10:41:22 am]

wsanchez commented 9 years ago

Work-around is to connect to the server in Safari, accept the cert, then re-launch the IMS application.

wsanchez commented 9 years ago

http://stackoverflow.com/questions/933331/how-to-use-nsurlconnection-to-connect-with-ssl-for-an-untrusted-cert

wsanchez commented 9 years ago

The Safari thing prevents spoofing. Not sure how to add that cert/keychain dialog into the app.

wsanchez commented 8 years ago

This no longer happens, though that's because it's now not validating the cert, so that's kinda dumb. Filed #49 for that.

wsanchez commented 8 years ago

OK, fixed #49, and this is back. Re-opening. Work-around is to visit the server with (e.g.) Safari and accept the cert there; then the IMS app will work.

wsanchez commented 8 years ago

https://github.com/burningmantech/ranger-ims-mac/commit/ad72af44cb1d869dc62155efcce01a0c2775f4cd adds code that will bypass the TLS auth, but that's back to being lame.

What I'd like is the "trust this cert?" dialog one sees in Safari, I think.

Alternatively, we could add a preference to import a trusted CA cert to the app and use certs by that CA (or import a specific cert to trust, but that's less flexible and not any easier on the user).

wsanchez commented 8 years ago

Here we go: https://developer.apple.com/library/ios/technotes/tn2232/_index.html#//apple_ref/doc/uid/DTS40012884-CH1-SECTRUSTEXCEPTIONS

flwyd commented 8 years ago

Rather than using a self-signed cert, would a free, trusted cert from https://letsencrypt.org/ solve the problem?

flwyd commented 8 years ago

(The actual-cert solution might be tricky if the client is connecting to a server's LAN address rather than a public URL.)

wsanchez commented 8 years ago

Yeah, Let's Encrypt would make getting a "real" cert easier, as I think their CA should be in Apple's root CA list now, but I'd still like to figure out how to allow the client to view and accept a random cert, because I think that may be necessary on playa.

Self-signed certs are basically like SSH host keys. Trust once (ideally verify manually first), then complain when it changes. I think that model works OK in our usage.
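
An added example, not part of the thread or the ranger-ims-mac code base: a sketch of the "trust once, then complain when it changes" model from the last comment, done as a `URLSessionDelegate` that pins the SHA-256 of the server's leaf certificate per host and port. The class name `TOFUPinningDelegate`, the `confirmFirstUse` callback and the `tofu-pin:` defaults key are hypothetical; it assumes macOS 12 or later for `SecTrustCopyCertificateChain` and a synchronous confirmation callback.

```swift
import Foundation
import Security
import CryptoKit

// Hypothetical helper, not project code: trust-on-first-use pinning of the
// server's leaf certificate, keyed by host:port (like an SSH known_hosts file).
final class TOFUPinningDelegate: NSObject, URLSessionDelegate {
    private let defaults = UserDefaults.standard
    // Assumption: the app sets this to show the fingerprint and ask the user
    // whether to trust it. The default refuses, so nothing is pinned silently.
    var confirmFirstUse: (_ host: String, _ fingerprint: String) -> Bool = { _, _ in false }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        let space = challenge.protectionSpace
        guard space.authenticationMethod == NSURLAuthenticationMethodServerTrust,
              let trust = space.serverTrust else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // A certificate that already validates against the system roots needs no pin.
        if SecTrustEvaluateWithError(trust, nil) {
            completionHandler(.useCredential, URLCredential(trust: trust))
            return
        }
        guard let chain = SecTrustCopyCertificateChain(trust) as? [SecCertificate],
              let leaf = chain.first else {
            completionHandler(.cancelAuthenticationChallenge, nil)
            return
        }
        let der = SecCertificateCopyData(leaf) as Data
        let fingerprint = SHA256.hash(data: der).map { String(format: "%02x", $0) }.joined()
        let key = "tofu-pin:\(space.host):\(space.port)"
        if let pinned = defaults.string(forKey: key) {
            // Known server: accept only the exact certificate pinned earlier.
            // On a mismatch the connection is refused; the app should alert the user.
            let same = (pinned == fingerprint)
            completionHandler(same ? .useCredential : .cancelAuthenticationChallenge,
                              same ? URLCredential(trust: trust) : nil)
        } else if confirmFirstUse(space.host, fingerprint) {
            defaults.set(fingerprint, forKey: key)  // first use, accepted by the user
            completionHandler(.useCredential, URLCredential(trust: trust))
        } else {
            completionHandler(.cancelAuthenticationChallenge, nil)
        }
    }
}
```

Unlike a blanket bypass of TLS authentication, this accepts an untrusted certificate only when it matches the one the user approved for that host and port.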