Browser extension with SSL offloading


Matt

Hi, is it possible to use the PasswordState browser extension when no SSL certificate resides on the webserver?  We use SSL offloading, so the load balancer handles the SSL which negates the need for it on each webserver.

 

So far in our setup, I can't get it to not be red so it looks like it's not working, but I'd really like it to if possible.


Hey Matt,

 

Of course we can't ask you to provide too many details about your network setup; we wouldn't want you to disclose any important information. But let's see what we can make of this :)

 

Based on what you describe, I expect that you also get certificate errors when using PasswordState's web interface. Correct? If so, then it seems that your load balancer's certificate does not include your PasswordState server's hostname in the SAN (subject alternative name) list. That's what is needed in this case: a certificate must always list the subjects that it was assigned to.

 

If, however, you do not get certificate errors in your browser, then there's something else going on. We'd need to poke a little further :)

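The SAN check described in the reply above, as an added example that is not part of the original thread: it tests whether a certificate's SAN list covers a given hostname, including the one-label rule for wildcard entries. The hostnames and certificate dicts are constructed; the dict shape is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
def dns_sans(cert):
    """DNS entries from a cert dict shaped like ssl.SSLSocket.getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _labels(name):
    return name.rstrip(".").lower().split(".")


def covering_san(hostname, cert):
    """Return the SAN entry that covers hostname, or None if there is none."""
    host = _labels(hostname)
    for entry in dns_sans(cert):
        pattern = _labels(entry)
        if len(pattern) != len(host):
            continue  # a wildcard stands for exactly one label, never several
        if pattern[0] == "*":
            # Only a whole left-most "*" label is treated as a wildcard here.
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return entry
        elif pattern == host:
            return entry
    return None


# Constructed sample certificates (not taken from the thread).
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
LB_ONLY_CERT = {"subjectAltName": (("DNS", "lb01.example.com"),)}

if __name__ == "__main__":
    for host in ("passwordstate.example.com", "ps.internal.example.com", "example.com"):
        print(host, "->", covering_san(host, WILDCARD_CERT))
    print("passwordstate.example.com ->", covering_san("passwordstate.example.com", LB_ONLY_CERT))
```

A wildcard entry covers names one level below the domain only, so a deeper name such as the constructed `ps.internal.example.com` still needs its own SAN entry.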

Hi, no certificate errors. It's actually a wildcard for the domain so it works very well. I see the post above says it's needed on the web server. This is a shame, but I'm planning on putting together a post of feature requests, so we shall see if there is any traction with it.


Quote

It's actually a wildcard for the domain so it works very well.

*shudder*

 

Which takes me back to wondering how your network is laid out, because that seems like such an odd setup to me. But as I said: no need to disclose sensitive info like that :)

 

Also, I have to wonder what kind of magic that extension does, insofar that a specific certificate is required on the server-side. I'm assuming the browser simply speaks to your load balancer, meaning that SSL is terminated from there and then the rest is simply http or https between the LB and Passwordstate. Normally this would work without many issues, unless the extension does some very strict handshake with the PS server wherein the PS server explicitly states what certificate the extension should expect. That would be a way to protect against man-in-the-middle attacks (which your situation is, to some degree).

 

Time to see if we can dig up documentation on that extension :D


2 hours ago, Buckit said:

*shudder*

Not my decision, I had to utilise the services that were there.

 

Yeah, the extension magic is a bit of a conundrum. I can't imagine it can't be reworked for the scenario we have, but for now I guess I have to accept it.

 

You are right, SSL offloading.  Load balancer handles it and everything inside is http.


3 hours ago, Matt said:

Not my decision, I had to utilise the services that were there.

 

No worries :) We've all been in those kinds of situations. Best of luck!

 

Quote

You are right, SSL offloading.  Load balancer handles it and everything inside is http.

 

Right. Given the sensitive nature of this data, that's far from ideal. But I guess they have their reasons for it.

 

Quote

Yeah, the extension magic is a bit of a conundrum. I can't imagine it can't be reworked for the scenario we have, but for now I guess I have to accept it.

 

If I manage to find some time, I'll poke and prod some more into the code. See what I can figure out. 

 

 


Archived

This topic is now archived and is closed to further replies.
