0 Replies Latest reply on Jul 8, 2009 3:16 PM by kpauls

    Any way to bypass server certificate validation in AIR client?

    kpauls

      Is there any way to bypass certificate validation and server identification for secure Channels or ChannelSets? I am aware of the existing workaround to import my own certificate into the user's CA chain, but I feel that having greater control on the client-side is preferred.

       

      If there is not a way to bypass client-side certificate validation, I will be filing this as a feature request at http://bugs.adobe.com

       

      Thanks,
      Karl

       

       

       

      When producing a client-server solution it is occasionally useful to override the default behavior of HTTPS certificate validation and server identification. I would like to request the ability to override these systems in the AIR environment for applications installed with the "UNRESTRICTED" system access option.

       

      Simply allowing the use of self-signed certificates without verification (perhaps signified by a secure protocol identifier other than "https") would provide adequate functionality, but some users may desire finer control.

       

      This issue is partly addressed by bugs FP-711 and FP-214 but I feel it is important that any enhancement include the BlazeDS Channel in the case that the AIR application has unrestricted system access.

       

      When deploying an AIR client application which is securely connected to a network appliance which is controlled by the same developer, it is desirable to bypass the overhead of acquiring a PKI-issued certificate for every customer. Independent, open-source, and not-for-profit developers could see increased ability to adopt the AIR platform with this improvement.

       

      When deploying a network appliance to be used with an AIR application, the requirement for a PKI-issued certificate complicates the deployment of the network appliance by requiring DNS access, and thereby requiring Internet connectivity. Some customer sites require network isolation.

       

      It is possible to generate a developer-specific certificate and import that certificate into the AIR client host's Trusted Root Certification Authorities list. This workaround deteriorates PKI best practices and complicates the installation of AIR software. It is not possible to depend solely on the ".air" packaging for installation with the added requirement to install a new CA on the user's host.

       

      Java provides the requested functionality by allowing developers to provide their own implementations of javax.net.ssl.TrustManager for verification and javax.net.ssl.HostnameVerifier for identification. We have used this technique to communicate over the SDEE protocol with Cisco IDS devices which do not usually have PKI-issued certificates.
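
The Java mechanism the post cites can trust one known self-signed appliance certificate without switching validation off. The sketch below is an added example, not code from the post or from Adobe, and it is Java rather than an AIR API. The class name `PinnedTrustManager`, its `contextFor` helper and the all-zero fingerprint are hypothetical.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat; // Java 17+
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: trusts exactly one server certificate, by SHA-256 fingerprint. */
public final class PinnedTrustManager implements X509TrustManager {
    private final byte[] pin;
    public PinnedTrustManager(String sha256Hex) {
        pin = HexFormat.of().parseHex(sha256Hex);
        if (pin.length != 32) throw new IllegalArgumentException("pin must be 32 bytes");
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0)
            throw new CertificateException("server presented no certificate");
        chain[0].checkValidity(); // expiry is still enforced
        try {
            byte[] seen = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            if (!MessageDigest.isEqual(seen, pin)) // constant-time compare
                throw new CertificateException("certificate does not match pinned fingerprint");
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        throw new CertificateException("not used for client authentication");
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    /** SSLContext for connections to the appliance only; never install it as the JVM default. */
    public static SSLContext contextFor(String sha256Hex) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedTrustManager(sha256Hex) }, null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Constructed placeholder pin (32 zero bytes); a real deployment ships the appliance's own.
        System.out.println(contextFor("00".repeat(32)).getProtocol());
    }
}
```

Pass the context's socket factory to the single connection that talks to the appliance (for example with `HttpsURLConnection.setSSLSocketFactory`). If the appliance certificate lists the address clients connect to in its subjectAltName, the default `HostnameVerifier` can stay enabled.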