Connecting securely
A Diffusion™ Cloud client can make secure connections to Diffusion Cloud over Transport Layer Security (TLS) . All supported transports can connect securely.
- In JavaScript® , set the secure parameter to true
- In Android™ and Java™ , when specifying parameters individually, pass true to the secureTransport() method.
- If using a URL to connect, insert an "s" after the transport value in the url parameter. For example, wss://diffractingmightyCarter.us.diffusion.cloud:443.
Configure the SSL context or behavior
A secure connection to Diffusion Cloud uses Secure Sockets Layer (SSL) to secure the communication. When connecting to Diffusion Cloud using SSL use port 443.
- In JavaScript , the SSL context is provided by the browser.
- In Android , Java , and .NET, you can provide an SSL context when creating the session.
- In Apple® , you can use the sslOptions property to provide a dictionary of values that specify the SSL behavior. For more information, see the CFStreamConstants documentation.
var session = Diffusion.Sessions .Principal("principal") .CertificateValidation((cert, chain, errors) => CertificateValidationResult.ACCEPT) .Open("url");
final SSLContext context = SSLContext.getInstance("TLS"); final Session session = Diffusion .sessions() .sslContext(context) .open("wss://localhost:443");
If no SSL context or behavior is specified, the client uses the default context or configuration.
Validating server-side certificates
Diffusion Cloud clients that connect over a secure transport use certificates to validate the security of their connection to Diffusion Cloud . These certificates are validated against any certificates in the set trusted by the framework, runtime, or platform that the client library runs on.
Diffusion Cloud uses certificates from Startcom. By default, Startcom is not a trusted Certificate Authority (CA) in all clients.
- For Java, see Certificates
- For .NET, see Certificates
You can also write a trust manager that explicitly allows the CA's certificates.
Disabling certificate validation on the client
You can disable client validation of the server-side certificates.
Certificates can only be strictly validated if they have been issue by an appropriate Certificate Authority (CA) and if the CA's certificates are also known to your client.
Diffusion Cloud is deployed on a specific domain and has appropriately installed certificates, provided by Startcom, which can be validated. By default, Startcom is not a trusted CA in all clients and extra steps are required to configure validation of the certificates by your production clients. For more information, see Validating server-side certificates.
However, while you are developing your Diffusion Cloud clients, you can disable client-side SSL certificate validation as shown in the following examples:
final TrustManager tm = new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }; final SSLContext context = SSLContext.getInstance("TLS"); context.init(null, new TrustManager[] { tm }, null); final Session session = Diffusion .sessions() .sslContext(context) .open("wss://localhost:443");
// the environent variable can be set this way in the code // or it can be set explicitly in the environment putenv("DIFFUSION_TRUST_SELF_SIGNED_CERTS=1"); SESSION_T *session = session_create(url, principal, credentials, NULL, NULL, NULL);
let configuration = PTDiffusionMutableSessionConfiguration() configuration.sslOptions = [kCFStreamSSLValidatesCertificateChain: kCFBooleanFalse] // Use the configuration to open a new session... PTDiffusionSession.open(with: URL(string: "wss://TestServer")!, configuration: configuration) { (session, error) in // Check error is `nil`, then use session as required. // Ensure to maintain a strong reference to the session beyond the lifetime // of this callback, for example by assigning it to an instance variable. if (session == nil) { print("Failed to open session: %@", error!.localizedDescription) return } // At this point we now have a connected session. print("Connected.") }