Accept SSL Certificate in vb6 using the Webbrowser control - vb6

The Problem:
I am creating a vb6 application that will connect to a particular web service located on a a HTTPS site. The problem is, the HTTPS site I'm accessing requires all request to accept it's certificate policy. (as its a self-signed ssl certificate)
Basically I need the application to accept security certificate dialog boxes automatically. A sample security dialog is shown below:
Cheers in advance.
#EDIT:
I Cant' post an image yet as i am a new user... Please see the url below for a sample image:
http://oit.nd.edu/network/nomad/images/ie_certs.gif

Look for a property named Silent.
You will have to catch some other event, to reply to that dialog box. Although, I am not sure what is the behavior, if you set the Silent to true (i.e does it assume it to be Yes or otherwise?).

Most of HTTPS sites I know use self-signed certificates.
I don't know VB6 APIs for HTTPS, but for example in Java you should provide it a copy of the site certificate beforehand. That is:
export a copy of the certificate, for example from your browser certificate repository (in Firefox: Tools->Options->Advanced->Encryption->View Certificates etc.) - supposing you have have already visited the site with your browser;
detect which certificate repository your HTTPS API points to (there certainly is one)
import certificate into that repository
execute your program

Related

Cypress: Invalid certificate issue for https website

The browser reports that the connection is insecure, so the certificate hasn't loaded correctly. However, then manually opening the website it loads correctly.
Can anyone tell me how to fix Invalid certificate issue, It's result in to launching the wrong URL.
I tried with "chromeWebSecurity": false in my cypree.json, but no luck.
Please help me to solve this issue.
I haven't done this myself, but Cypress docs say that it's expected: You'll notice Chrome display a warning that the 'SSL certificate does not match'. This is normal and correct.
Note, that Cypress allows you to optionally specify CA / client certificate
https://docs.cypress.io/guides/guides/web-security#Examples-of-what-Cypress-does-under-the-hood.
So if the fake Cypress certificates are causing issues for you, you can try supplying your own certificates.
if it is not your website, you cannot fix it.
what you can do is verify why it is invalid, and decide to accept it and still open an https connection with the server although the certificate isn't valid.
usually the steps are:
click Advanced button
read and understand
click Accept or close the tab
the common reasons for a certificate to be invalid are:
domain name invalid, the certificate is installed for multiple vhost, and you have accessed the service for a domain name not defined in the certificate. www. is required, only * is specified without empty domain. totally wrong domain name. etc.
certificate is expired. check the date, it might be expired and decided if that makes sense to you
certificate isn't trusted, self-signed or using an authority not trusted by your browser.
if it is your website, these are the same reason, so you should be able to replace the certificate with an appropriate one.
by the way, this might not be a question for stackoverflow, maybe more for superuser, but I am happy to answer it anyway.
hope this helps you and others
cheers,

Create self signed certificate for testing localhost and have it accepted by the browsers

I've been trying for weeks now to get this self signed certificate working in several browsers (Chrome, Firefox, Edge, IE).
I managed to create the certificate and install it as a trusted root certificate but in every browser I have to bypass the security to be able to have the test environment (website with xampp).
Today I have focused on Edge and IE (without success), and since the procedure for chrome is slightly different, I will try to make it work in chrome tomorrow.
I tried both to create a new one, and to duplicate an old (working) one, this way:
To create a new certificate, open powershell as admin, then :
New-SelfSignedCertificate -DnsName "127.0.0.1", "localhost" -CertStoreLocation "cert:\LocalMachine\My"
exported as mentioned in this description.
To clone, I used the example in this documentation.
Then I imported the certificates in the 'trusted root certificate' using certlm.msc.
But I got the error codes DLG_FLAGS_INVALID_CA and
DLG_FLAGS_SEC_CERT_CN_INVALID in Edge and IE.
Does someone know a procedure to make this work?
I've been looking al over the net without finding one.
I was trying to do a similar thing and did get the following to work:
New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname localhost -FriendlyName "Dev localhost" -NotAfter (Get-Date).AddMonths(240) -TextExtension #("2.5.29.37={text}1.3.6.1.5.5.7.3.1")
The 'NotAfter' param extends the cert to 20 years.
The 'TextExtension' param configures the cert for 'Server Authentication' only. Without this, it defaults to Client Auth + Server Auth. I haven't researched, but the Client Auth seems to cause an issue (which is odd since most online examples don't mention it; I only found one that did).
This will create the cert in both the LocalComputer\Personal & LocalComputer\Intermediate Certification Authority. It also allows you to select the cert in IIS.
In order to actually run the site, the cert needs to get into the Trusted Root Certification Authority. To accomplish this, you can either export/import the cert or nav to the site in IE, click on the red security area and work your way thru the screens to import the cert. The link above shows the import/export approach.
Final notes:
I had to close/re-open IE (11.726.15063) to get the security prompt to go away despite IE telling me that the cert was installed.
My site was working fine in chrome (62) after the security warning cleared in IE.
I was using localhost and a non-standard port for my site, not a DNS name. Everything seemed fine.
HTH

Connect to https without a certificate

I'd like to connect to my website via https urls also if at the moment I don't have any certificate. I want to do this to test the URL structure on all pages. Is this possible?
If I digit https://www.example.com I see a blank page.
There is no way to get around needing a certificate for an https connection, however you can go for the free option of a self-signed certificate. Have a look into a service such as http://www.selfsignedcertificate.com/ to get the key and certificate created for your website.

Alternative authentication if certificate authentication fails (IIS,C#,ASP.NET MVC3)

Our project(web application C# ASP.NET MVC3) is hosted on IIS 7.5 and we use certificate authentication. So we have SSL-require configured IIS.
Now we have a business task to allow some users to use our system. And there is no way to provide client certificates for them. In that case we need to use some additional authentication model (user-password or ntdomain based).
I don't know how to realize such model:
User gets on our project url;
If he has valid client certificate - we let him iteract with our application;
If he hasn't cert we show him a login form with "user-password";
If we use SSL-required configured IIS users would not be able to iteract with application without valid certificate at all right? And how to authenticate with certificate if IIS is configured with SSL-Accept?
Maybe you can configure two sites on your IIS? One with SSL and another without it? Your url will point to the SSL enabled site, and when a user without a valid certificate arrives you use some backup code to send him to the SSL free site?
Just guessing actually... I think this probably deserves a more meditated answer...
The problem was not so large as i thought before. IIS provides a check box to require certificate even if combobox(in SSL options of web application) is set to Accept instead of require. In that case IIS tries to get certificate at first. And if there is no cert it lets the user to iteract with application. And we can make custom authentication on that level.
With MVC (v.3+) there is nice way to use IAuthorizationFilter in that case

How to avoid Security messages / security alerts from IE

We are getting security message like this while executing url:
There is a problem with this website's security certificate. The security certificate presented by this website was not issued by a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage and do not continue to this website. Click here to close this webpage. Continue to this website (not recommended).
More information
Same type of security alerts with message like this
This page is accessing information that is not under its control. This poses security rish, DO you want to continue?
How to avoid them through code either javascript, jsp or any way. We can not ask each user to modify their internet options. Please let me know if there is any solutions for this
That's browser behavior that you can't and shouldn't be allowed to modify using JavaScript, or anything else for that matter. In fact, these security alerts are there to warn the user that something is (potentially) wrong. If you could disable them, there would be no point in having them, right?
Fix whatever problems you have with the security certificate and you'll be fine. I'll guess here that your certificates are self-signed - buy one. They are not that expensive.
You need to install a current, valid certificate on your web server.
There is a problem with this website's security certificate could mean you need to check that the clock is set correctly.
Host all content on an https website. not an http one. You do not need a certificate then.
1> The security certificate presented by this website was not issued by a trusted certificate authority.
This message indicates that the page is using a HTTPS-based resource which has a certificate which does not chain to a globally trusted root certificate. If you don't know what resources/URLS are causing this, open the F12 Developer Tools and look at the Console tab, or run Fiddler and watch for the warning popup.
2> This page is accessing information that is not under its control. This poses security risk, DO you want to continue?
This message is shown when you attempt to use an XMLHTTPRequest object to request data from a cross-domain location (e.g. www.domain.com tries to grab data from domain.com). That operation is a violation of Same-Origin-Policy.
By default in IE, this is blocked, but inside the Intranet Zone, this feature is set to Prompt and thus you see this message instead.
To fix this, either change the request URL so that it does not go to a different domain, or use XDomainRequest, or use a serverside proxy page to make the cross-origin data request from the server rather than the client.

Resources