Matt Posted November 24, 2017

Hi, is it possible to use the PasswordState browser extension when no SSL certificate resides on the webserver? We use SSL offloading, so the load balancer handles the SSL, which negates the need for it on each webserver. So far in our setup, I can't get it to not be red, so it looks like it's not working, but I'd really like it to if possible.

support Posted November 24, 2017

Sorry Matt - the browser extensions require an SSL certificate on the web server, and this is enforced by each of the browser manufacturers.

Regards
Click Studios

Buckit Posted November 25, 2017

Hey Matt,

Of course we can't ask you to provide too many details about your network setup; we wouldn't want you to disclose any important information. But let's see what we can make of this.

Based on what you describe, I expect that you also get certificate errors when using PasswordState's web interface. Correct? If so, then it seems that your load balancer's certificate does not include your PowerState server's hostname in the SAN (subject alternative name) list. That's what is needed in this case: a certificate must always list the subjects that it was assigned to.

If, however, you do not get certificate errors in your browser, then there's something else going on. We'd need to poke a little further.

Matt Posted November 28, 2017

Hi, no certificate errors. It's actually a wildcard for the domain so it works very well. I see the post above says it's needed on the web server. This is a shame, but I'm planning on putting together a post of feature requests, so we shall see if there is any traction with it.

Buckit Posted November 28, 2017

> It's actually a wildcard for the domain so it works very well.

*shudder* Which takes me back to wondering how your network is laid out, because that seems like such an odd setup to me. But as I said: no need to disclose sensitive info like that.

Also, I have to wonder what kind of magic that extension does, insofar that a specific certificate is required on the server-side. I'm assuming the browser simply speaks to your load balancer, meaning that SSL is terminated from there and then the rest is simply http or https between the LB and Passwordstate. Normally this would work without many issues, unless the extension does some very strict handshake with the PS server wherein the PS server explicitly states what certificate the extension should expect. That would be a way to protect against man-in-the-middle attacks (which your situation is, to some degree).

Time to see if we can dig up documentation on that extension.

Matt Posted November 28, 2017

2 hours ago, Buckit said:
> *shudder*

Not my decision, I had to utilise the services that were there.

Yeah, the extension magic is a bit of a conundrum. I can't imagine it can't be reworked for the scenario we have, but for now I guess I have to accept it.

You are right, SSL offloading. Load balancer handles it and everything inside is http.

Buckit Posted November 28, 2017

3 hours ago, Matt said:
> Not my decision, I had to utilise the services that were there.

No worries. We've all been in those kinds of situations. Best of luck!

> You are right, SSL offloading. Load balancer handles it and everything inside is http.

Right. Given the sensitive nature of this data, that's far from ideal. But I guess they have their reasons for it.

> Yeah, the extension magic is a bit of a conundrum. I can't imagine it can't be reworked for the scenario we have, but for now I guess I have to accept it.

If I manage to find some time, I'll poke and prod some more into the code. See what I can figure out.

Matt Posted November 29, 2017

Thanks, appreciate that. Not being able to use the extension is annoying as it's one of the things that sold the product to us, but hey ho, live and learn.