Getting ERR_INSECURE_RESPONSE when trying to use IIS ssl - javascript

I am trying to implement my site with SSL. I used the IIS to create a self-signed certificate. But when calling the site using https I keep getting ERR_INSECURE_RESPONSE and never seem to reach the server.
I use Chrome extension 'Advanced Rest client' to call the server.
I have no clue to what to do, appreciate the help...

Recreate the self signed certificate using the following tutorial -
https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx
I've never seen this error specifically but suspect there is an issue with the certificate.

Related

Setting up a development environment for working with 0Auth 2.0

I'm curious if anyone else has encountered this issue.
I am building an application that will authenticate users using Google 0Auth 2.0 + OpenID.
I've built a simple site just with HTML and CSS to hold the UI and I'm using live server in Vscode to view it.
In The Google developer console for oauth, you must set Authorised JavaScript origins for client-side applications. I assumed I would just set this to http://localhost:5500 for the port that live server uses but I always get the following error:
Authorization Error
Error 400: invalid_request
Permission denied to generate login hint for target domain.
I have got around the issue by just getting a domain and hosting for a test site and setting this as the "Authorised JavaScript origin". However is seems really clunky and I have to FTP all my files to my hosting provider every time I want to change my code.
I could also host everything on a Node.js server from my local machine but this would just cause the same issue as before.
My question isn't so much how to stop getting this error but what is the proper way of developing with OAuth 2.0 and is there any way to speed up the process/create a local environment that doesn't get the same errors.
Thanks for your help.
There is an answer to this Google question here that may help you.
The way I have always set up an OAuth environment is to try to avoid localhost and use more real world URLs on a Developer PC. I also like to split them like this which helps me to visualize the architecture:
Base URL
Represents
http://www.example.com -
Your web UIs
http://api.ecample.com
Your APIs
http://login.example.com
The Authorization Server
This approach can also give you more confidence that your code will work well in beowsers, in areas such as these:
CORS
Cookies
Content Security Policy
By default you just need to edit your hosts file and add an entry like this. It can work very well for demos to business people also.
127.0.0.1 localhost www.example.com api.example.com login.example.com
:1 localhost
ADVANCED SCENARIOS
At Curity we provide some quite advanced developer setups and this approach scales well, as in the below articles. The second of these also provides a script you can use to run locally over SSL, in case this is ever useful:
Single Page Apps End to End Developer Setup
Kubermetes End to End Developer Setup

SquareUp Payment: Can we turn off SSL verification for development server?

I am trying to implement SquareUp Payment Gateway on a website and using Square Connect V2. When I try to show SqPaymentForm form in JavaScript but getting the following error -
paymentform:1 Uncaught Error: SqPaymentForm can only be embedded on sites that use HTTPS.
I can see a function named setSSLVerification in sample code but it not working and also I can't find it in API. I wonder if there is any way to turn SSL verification.
Can we turn off SSL verification? Like for development server?
Update:
After trying couple of unsuccessful things, I finally purchased SSL for dev server. As that's the easiest and quick solution. Thanks everyone for your answers.
You can use localhost for testing payment forms, but you are not able to use other development environments (like external testing servers). I'd recommend either testing from your local machine, or getting a free certificate with a service like Let's Encrypt
just use following code.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
in your c# code for bypass the security of HTTPS.

Heroku - How do I prevent this error?

I have made a game called kotakio (with nodejs), and have it hosted on kotakio.herokuapp.com, I now have a custom domain name, under kotak.io, but when I try and go on it, it says that my connection isn't secure, I think this is because it uses the certificate for *.herokuapp.com, as it says that the server may be trying to trick me. Is there a way for me to prevent this without having to buy the SSL Endpoint addon, as it's 20$/month, and this is only a hobby project.
If you use hobby or professional dynos you could try the beta for default ssl encryption with no additional charges. Otherwise the only way to use custom domains with ssl without that warning is adding the addon...

Instagram API for HTTPS callbacks

I'm using subscribe endpoint of Instagram and it gives me the following error message if my callback_url is HTTPS; it works fine if callback_url is HTTP; the error message:
{
"meta": {
"error_type": "APISubscriptionError",
"code": 400,
"error_message": "Invalid SSL certificate"
}
}
PS: I saw this thread saying "I think this because I checked the SSL certificate for api.instagram.com and it looks OK"; But I dont know where they exactly checked SSL certificate? I dont see this option in Instagram developer console...
Does this mean the callback_url cannot be HTTPS?
Any idea how I can solve it?
Your Callback URL is probably self-signed certificate. Instagram does not support self-signed certificates.
So you have to use HTTP or Get an SSL certificate for your website.
Also check this thread: https://groups.google.com/forum/?fromgroups=#!topic/instagram-api-developers/MaS4fjo8GXQ
Hey folks,
We've made a couple of changes recently that affected the realtime
API, and we wanted to update you all:
1) We centralized some of our error tracking, which made our previous
"blacklisting" rate limits too aggressive; we've identified this and
have raised these errors, resulting in fewer false positives
2) We
switched the library used for the POST requests, which had the
side-effect of starting to enforce proper SSL certificates. If you've
noticed a drop-off in realtime hooks, please double-check that your
certificate is valid on your host. Going forward, this check will be
made when creating subscriptions, too, so incorrect subscriptions
won't be created.
3) Finally, we've updated the documentation to
reflect that http://ec2-... URLs are often problematic (as we're on
Amazon and they will often resolve locally) and we instead recommend
using the public IP or an Elastic IP for that host.
Thanks, Mike

Javascript going through a Proxy

I am working on a project right now that requires some javascript for the proper functionality we are looking for. The problem we are running into is that the clients of this web-based app can only access the site through a proxy server (due to strict policies). This proxy server is stripping the javascript from the page and we are unable to replicate the exact proxy setting to determine a solution. Has anyone ran into this problem before and found a solution?
If there's a fixed set of client machines, and you can go for Firefox only, you might be able to do something using a Firefox extension or a bookmarklet that fetches the Javascript some other way that the proxy doesn't recognize (e.g. as base64 encoded data). It would however certainly require a load of work, and you may have to program the extension yourself... Probably cheaper to buy a new Proxy.
Some of our customers had these problems and we told them to access our app via HTTPS and that cleared the issue since most proxy won't filter secured traffic.

Categories

Resources