
Enabling TLS

If you need the communication between your clients and Photonic3D to be encrypted, you'll need to turn on SSL (TLS). You can do this by setting this parameter to true in your `config.properties`:

`useSSL=true`

That's it!

Still, don't just trust us. Why not learn a bit more…

Setting that parameter automatically creates the necessary PKI (a private key and a self-signed certificate) to encrypt your communications and uniquely identify your Photonic3D server. The certificate that is created is secure, but it is self-signed: it was not signed by a root certificate authority that your browser already trusts. For that reason your browser will not trust this certificate, and so will not trust Photonic3D as a website. At this point you could always just purchase a certificate signed by a CA.

If you decide not to purchase a certificate, when you browse to Photonic3D for the first time it will look something like this:

At first glance this looks like we have a serious security problem. Is someone snooping on our communications? Do we actually have a good certificate and keys? Is Photonic3D a typical browser-trusted Root CA? Are our communications really encrypted? Let's dig in a bit deeper to see if we can answer these questions and determine what our browser is really trying to tell us.

Is Photonic3D a typical browser-trusted Root CA? Yes. The most important "clue" is the error that Chrome is reporting: ERR_CERT_AUTHORITY_INVALID. This error pretty much sums up everything that I mentioned previously. It says, in effect, that someone just created a certificate, and the browser doesn't believe the person who created it has any authority to vouch for the identity in the certificate. Well, it's right. Photonic3D created its own certificate, and since you didn't pay a root certificate authority to validate your phone number and your address, your browser doesn't trust your certificate. Browsers only trust authorities that have had their identity verified.

Is someone snooping on our communications? No, but let's find out for sure… The style of attack that Chrome is warning us about in its last paragraph is called a man-in-the-middle attack. This is a situation where some unknown party creates a certificate (just like we did) and gets you to communicate with their certificate and public key. You can be sure that this isn't happening by doing a quick comparison against the data stored in the web keystore specified in your `config.properties` here:

  • `keystoreFilename=web.keystore`
  • `keystorePassword=keystorePassword`

Use those two values to run this command at a command line on any OS:

`keytool -list -keystore web.keystore -storepass keystorePassword`

Along with a bunch of other information, you should see your certificate's fingerprint for Photonic3D:

`Certificate fingerprint (SHA1): 38:0B:6E:AB:95:A3:30:4D:09:9B:6A:C3:4C:75:30:E4:30:59:89:E4`

Now open your browser and compare this fingerprint to the one on the certificate it is using to communicate with Photonic3D:

They are the same hash. Perfect: that means there aren't any intruders peeking into our communications. It is still possible for someone to log on to your box and steal your private key and certificate, so you still need proper security measures in place to ensure that doesn't happen. This is why we ask you to change your SSH password when you install Photonic3D.
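The same keystore-versus-served-certificate comparison can be scripted, so it does not depend on reading a fingerprint off a browser dialog. This is an added example, not Photonic3D's own code: it assumes the output of the `keytool -list` command above is piped on stdin and that the server's hostname and HTTPS port are passed as arguments; the script name `check_tls.py` and the sample keytool output embedded below are constructed.

```python
import hashlib
import re
import ssl
import sys

# Constructed sample of `keytool -list` output; the fingerprint is the one shown on this page.
SAMPLE_KEYTOOL_OUTPUT = """\
Keystore type: JKS
Your keystore contains 1 entry

photonic3d, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 38:0B:6E:AB:95:A3:30:4D:09:9B:6A:C3:4C:75:30:E4:30:59:89:E4
"""

FINGERPRINT_RE = re.compile(r"Certificate fingerprint \(SHA1\):\s*([0-9A-Fa-f:]+)")

def normalize_fingerprint(fp):
    """Drop colons/spaces and upper-case so keytool, browser and openssl renderings
    of the same SHA-1 compare equal; reject anything that is not 40 hex digits."""
    cleaned = fp.strip().replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return cleaned

def keytool_fingerprints(text):
    """Normalized SHA-1 fingerprints of every entry listed by keytool -list."""
    return [normalize_fingerprint(m) for m in FINGERPRINT_RE.findall(text)]

def der_sha1_fingerprint(der_bytes):
    """The 'SHA1 fingerprint' is simply SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der_bytes).hexdigest().upper()

def served_certificate_fingerprint(host, port):
    """Fetch the certificate the server actually presents. No CA validation here on
    purpose: the cert is self-signed, and the check we want is equality with the keystore."""
    pem = ssl.get_server_certificate((host, port))
    return der_sha1_fingerprint(ssl.PEM_cert_to_DER_cert(pem))

def fingerprint_matches(keystore_fingerprints, observed):
    """True when the served certificate is one of the keystore's certificates."""
    return normalize_fingerprint(observed) in keystore_fingerprints

if __name__ == "__main__":
    # keytool -list -keystore web.keystore -storepass keystorePassword | python check_tls.py HOST PORT
    host, port = sys.argv[1], int(sys.argv[2])
    expected = keytool_fingerprints(sys.stdin.read())
    observed = served_certificate_fingerprint(host, port)
    ok = fingerprint_matches(expected, observed)
    print(observed, "matches keystore" if ok else "DOES NOT match keystore: investigate")
    sys.exit(0 if ok else 1)
```

A mismatch means the certificate reaching the client is not the one in `web.keystore`, which is exactly the man-in-the-middle situation the browser warning describes and should be investigated before logging in.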

Do we actually have a good certificate and keys? Are our communications really encrypted?

Yes and yes. Your browser will tell you how strong the certificate is and whether the connection is encrypted. Notice the paragraph:

`The connection to this site is encrypted and authenticated using a strong protocol (TLS 1.2), a strong key exchange (ECDHE_RSA with P-256), and a strong cipher (AES_128_GCM).`

We couldn't have said it better ourselves…