In my project I need to connect to an intranet web service, but we need an SSL connection between the two machines. Because this is an intranet site, the certificate of the web service might be a self-signed certificate. The web service and the web page that loads my Flex application reside on the same web server (Tomcat), so when I load the web page of the application over HTTPS I am asked to confirm the certificate. I confirm it, but this confirmation does not apply to the Flex application (on Internet Explorer and Firefox). I tried Google Chrome and it actually asked me twice for confirmation, once for the web page and once for the connection to the web service, so it worked great.

Is there a way to tell Flash Player to also accept self-signed certificates, or is this entirely the browser's concern and the Adobe guys can't do anything about it? In other words, is there a way to connect to HTTPS web services that use self-signed certificates from Adobe Flex?

Thanks.

+1  A: 

When I put on my security hat the answer would be I hope not. I don't want browser plugins to bypass my browser security settings. I'd consider that a vulnerability.

There might be a way for standalone Air applications, but in browser Flash should honor browser settings.

Luka Marinko
A: 

In your company, you could create your own root CA, add its certificate to all machines that will access the intranet, and then have the CA issue your web service a certificate. The certificate will no longer be self-signed. The two main issues are: (1) managing the private key of your CA, (2) distributing the CA's root certificate to client PCs.

Alexander
+1  A: 

You need to download the cert and install it on both IE and Firefox.

To install a cert on IE:

http://www.markwilson.co.uk/blog/2008/11/trusting-a-self-signed-certificate-in-windows.htm

To install a cert on FF:

Go to Tools->Options and click on the Encryption tab. Click "View Certificates", then "Import".

In my experience, the cert has to be either verified or installed in the browser in order to get Flash to work properly. The cert also needs to have a valid hostname, but you can just edit your client's hosts file if you need to do this for testing.

ristonj
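Alexander's private root CA and the valid-hostname requirement from ristonj's answer, worked through with the OpenSSL command line. This is an added example, not part of the original thread; the host name, subject names and all file names are assumptions.

```shell
# Added example. HOST, the subject names and every file name are assumptions.
HOST="intranet.example.internal"
umask 077                       # files created below are owner-only
WORK="$(mktemp -d)" && cd "$WORK" || exit 1

# One config for both steps; -subj below supplies the actual subject names.
cat > pki.cnf <<EOF
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_srv]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$HOST
EOF

make_ca() {        # root CA key + certificate; ca.crt is what clients import
  # -nodes leaves ca.key unencrypted so the example runs unattended;
  # a real CA key gets a passphrase and stays off the web server.
  openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:3072 -nodes \
    -sha256 -days 3650 -subj "/O=Example Corp/CN=Example Intranet Root CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
}
issue_server() {   # server key + CSR, then a CA-signed certificate for $HOST
  openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout server.key -out server.csr 2>/dev/null &&
  openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 365 -extfile pki.cnf -extensions v3_srv -out server.crt 2>/dev/null
}
trusted_for() {    # does $1 chain to ca.crt AND match hostname $2?
  openssl verify -CAfile ca.crt -purpose sslserver -verify_hostname "$2" "$1" \
    >/dev/null 2>&1
}
is_self_signed() { # true when subject and issuer are the same name
  [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')" ]
}

make_ca && issue_server || exit 1
trusted_for server.crt "$HOST"       && echo "server.crt: trusted for $HOST"
trusted_for server.crt "wrong.$HOST" || echo "server.crt: rejected for wrong.$HOST"
is_self_signed server.crt            || echo "server.crt: issued by the CA, not self-signed"
```

Only `ca.crt` is distributed to the client machines; `ca.key` stays with whoever operates the CA.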
A: 

Well, the Flash Player should just use the browser to make the connection and be done with it. We have a similar setup here. We use self-made certs, and communicate with an AMF channel over HTTPS. My guess is though that our setup is different in that we load the Flash application itself over an HTTPS channel, so it's talking from HTTPS to the same HTTPS server. Maybe you could try that? This is the setup for our Tomcat server:

http://stackoverflow.com/questions/1180397/tomcat-server-client-self-signed-ssl-certificate

davidemm