Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifyTLSServerCertificate API for IWA #197

Open
vkrot-cell opened this issue Feb 11, 2025 · 3 comments
Open

verifyTLSServerCertificate API for IWA #197

vkrot-cell opened this issue Feb 11, 2025 · 3 comments

Comments

@vkrot-cell
Copy link

vkrot-cell commented Feb 11, 2025
edited
Loading

Introduction

The primary use case for this API is to enable IWA apps that communicate over raw TCP/UDP using the Direct Sockets API to verify server certificates. Manual verification is challenging and error-prone due to the complexities of certificate management, such as tracking revoked certificates and invalidating compromised authorities. Additionally, apps currently cannot verify a certificate against locally installed ones. That’s why they are forced to use less secure options like downloading certificates from some api and comparing them line by line with the server ones

Read the complete Explainer.

Feedback

Please leave feedback in this thread.
@sunderkandasamy-ctx
Copy link

This is a valuable addition for Citrix, as we use Direct Sockets to implement Enlightened Data Transport (EDT) protocol for our applications, including audio and video streaming over lossy networks using EDT. This API helps validate the server certificate against the trusted CA store on the device, ensuring proper verification as part of our TLS/DTLS handshake handling for secure communication.

It would be beneficial to include:

  1. A comprehensive list of potential error messages or codes that may be returned. For example, errors related to certificate revocation, invalid certificate chains, untrusted issuers, or expired certificates. Clear documentation on these would help developers implement better error handling and debugging.
  2. Functionality to verify server certificates and their chains, including support for validation against a custom root CA provided by the application. This would offer flexibility in certificate management, especially in environments where custom or private CAs are utilized.

@vkrot-cell
Copy link
Author

@sunderkandasamy-ctx Let me clarify

  1. Comprehensive list of errors: It is for debug only purposes and won't be shown to end users, right?
  2. Would this custom root CA completely replace Browser's built-in and OS root CA or it should act as additional source?
    Why just installing Root certificate to the operating system wouldn't work?

@sunderkandasamy-ctx
Copy link

@vkrot-cell , Thanks for the questions. Please find our responses below:

Comprehensive list of errors: The intent is to display simple errors that a user or admin can resolve.

Extended certificate verification: Following our discussions, this feature does not appear to be essential.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@vkrot-cell @sunderkandasamy-ctx