
I am a newbie to jQuery/AJAX. I have a small application for testing purposes that has a button on it. When the button is clicked, a connection is made to a server located in the same domain to get some data and alert it.

Problem: My application can't make any connection to the server. The following screenshot is from the developer tools in Google Chrome.

[screenshot from the Chrome developer tools showing the failed request]

The server has its own self signed certificate. If I connect to the server via web browser I get an SSL certificate warning as shown below.

[screenshot of the browser's SSL certificate warning]

If I click on proceed and then log in to the server, after this my application is also able to retrieve the data from the server. (If I click the button on my web app it alerts the data it got from the server.)

Question: Is there any workaround for this? Can I bypass this error? Why does it work once I have logged in to the server via web browser? My app will be used locally in the same domain and it is not a public app.

jQuery Code: I have this code:

$('#mybutton').click(function () {
    $.ajax({
        type: "GET",
        url: "https://192.168.150.33/Api/loc?jsonpCallback=myCallback",
        dataType: "jsonp",
        // async: false is ignored for JSONP: jQuery loads JSONP through a <script>
        // tag, which is always asynchronous.
        async: false,
        beforeSend: function (request) {
            // A <script>-tag request carries no custom headers and has no
            // withCredentials flag, so neither line has any effect on a JSONP call.
            request.withCredentials = true;
            request.setRequestHeader("Authorization", "Basic " + btoa('admin' + ":" + 'password'));
        },
        success: function (response) {
            alert('hi');
        }
    });
});

// Global callback named in the jsonpCallback query parameter; the server wraps
// its JSON in a call to this function.
function myCallback(response) {
    var data = JSON.stringify(response);
    alert(data);
}

Here is a post that addresses the same issue. As far as I understood that post, there is no solution. Any suggestions will be helpful. Thanks

ρss
  • _“Why it works once I have logged in to the server via web browser?”_ – you have not “logged in to the server”, you have told your browser that it should ignore the fact that the certificate the server presented is not valid for this address in the future. And this “works” because that’s exactly what adding such an exception in your browser is _supposed_ to do. – CBroe Sep 08 '14 at 12:28
  • See also http://stackoverflow.com/questions/31058764/determine-if-ajax-call-failed-due-to-insecure-response-or-connection-refused which has a more detailed answer. – anre Feb 22 '17 at 19:04

2 Answers


You cannot programmatically bypass the SSL error/warning behaviour implemented by the browser; if you could, it would invalidate that security layer entirely.

If you are doing this locally/in a Windows domain environment, simply add the self-signed cert to the trusted store.

Additionally, a certificate is (typically) issued to a domain name, not an IP address, so you will need to do the same in your Ajax call.

Alex K.

  • Can you please elaborate more on this: `Additionally a certificate is (typically) issued to a domain name not an IP address so you will need to do the same in your Ajax call.` – ρss Sep 08 '14 at 12:07
  • If you look at the cert properties in the browser it will probably be *Issued To:* a fully qualified domain name; that's the name you need to use in your ajax call – Alex K. Sep 08 '14 at 12:09
  • How can I do that? I am confused. I have to use the IP of my server in the URL because it cannot be resolved to a name. nslookup doesn't give the server name. Why do I need to do this in my ajax call for the domain? – ρss Sep 08 '14 at 12:28
  • What is the value of the cert's `Issued To:`? – Alex K. Sep 08 '14 at 12:29
  • Assume it to be XYZ. It is also 3 letters in reality too. Basically the Issued To: has sub-fields like Common Name and Organization and so on. Tried with Firefox. – ρss Sep 08 '14 at 12:30
  • If it does not resolve to 192.168.150.33 then you can fake it by adding an entry to your machine's hosts file, or create a new certificate that has a domain name that does resolve to the .33 machine – Alex K. Sep 08 '14 at 12:32
  • Ok, if I just add the certificate to the trusted store it will solve my problem. Or is it compulsory to use the FQDN in my ajax call? If yes, then how do I do it in the ajax call? – ρss Sep 08 '14 at 12:40
  • @all I am no longer working on this problem so I am not sure if this answer will solve my problem! If someone can edit the answer and provide a good example then I would accept the answer. OR if some other user can comment that this answer worked for him/her then I can accept the answer! Thanks – ρss Jul 15 '15 at 15:12
  • "You cannot programmatically bypass the SSL error/warning behaviour implemented by the browser, if you could it would invalidate that security layer entirely." - Of course you can bypass this error. That's what the "proceed at your own risk" does. The user decides to bypass it and the browser, programmatically, does it. In C# you are able to bypass certification errors too. Why not in javascript? – Thanasis Ioannidis Mar 15 '17 at 11:39
  • *programmatically* in this context clearly means **without user interaction** - if you count user interaction in the definition of "programmatically" then absolutely anything is programmatically possible, I could write code to bake a pie. – Alex K. Mar 15 '17 at 11:54
  • We can ignore the certificate authentication in a curl request, then why can't we do it in a simple ajax call? – prashantsahni Jul 30 '17 at 12:10
  • > it would invalidate that security layer entirely. Wrong: if you just want to connect to your own service and don't have to be scared of a MITM attack, it's just fine to skip the CA pinning step and transmit over an encrypted channel. – BvuRVKyUVlViVIc7 Mar 02 '18 at 19:12
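The two conditions Alex K.'s answer describes, a trusted anchor and a matching name, can be checked outside the browser with openssl. The script below is an added example, not code from the question or from either answer: it creates a self-signed certificate whose subjectAltName covers both a host name and the IP 192.168.150.33 from the question, then runs `openssl verify` with and without that certificate in the trust store and against matching and non-matching names. The host name myserver.lab.internal, the other.lab.internal name and the temporary working directory are assumptions; it assumes a POSIX shell and OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example: check "is the cert trusted?" and "does the name match?"
# for a self-signed server certificate, the two conditions a browser
# enforces before any JavaScript runs. Assumes a POSIX shell and
# OpenSSL 1.1.1+. myserver.lab.internal is an assumed host name;
# 192.168.150.33 is the address used in the question.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert NAME IP
# Create a key and a self-signed certificate whose subjectAltName lists
# both DNS:NAME and IP:IP. Prints the certificate path.
make_cert() {
    name="$1"; ip="$2"
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $name
[v3]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name,IP:$ip
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" \
        >/dev/null 2>&1 || return 1
    echo "$WORKDIR/server.crt"
}

# cert_names CERT
# Print the subjectAltName line: the names the certificate is valid for,
# which is what the "Issued To" discussion in the comments is about.
cert_names() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}

# verify_for CERT TRUST NAME
# TRUST is a PEM file to use as the trust store, or "none" for an empty
# store. NAME is the host name or IPv4 address from the URL. Prints OK or
# FAIL, mirroring the decision the browser makes for the request.
verify_for() {
    cert="$1"; trust="$2"; name="$3"
    if [ "$trust" = none ]; then
        store="-no-CAfile -no-CApath"
    else
        store="-CAfile $trust"
    fi
    case "$name" in
        *[!0-9.]*) match="-verify_hostname $name" ;;  # DNS name
        *)         match="-verify_ip $name" ;;        # dotted-quad IPv4
    esac
    # Word splitting of $store and $match is intended here.
    if openssl verify $store $match "$cert" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

CERT=$(make_cert myserver.lab.internal 192.168.150.33)
echo "SAN: $(cert_names "$CERT")"
# Not in the trust store: the state the question is in, whatever the URL says.
echo "untrusted, by IP:       $(verify_for "$CERT" none  192.168.150.33)"
# Trusted (the cert itself is the anchor, as after importing it) and the name matches.
echo "trusted,   by IP:       $(verify_for "$CERT" "$CERT" 192.168.150.33)"
echo "trusted,   by DNS name: $(verify_for "$CERT" "$CERT" myserver.lab.internal)"
# Trusted, but the URL uses a name that is not in the SAN.
echo "trusted,   wrong name:  $(verify_for "$CERT" "$CERT" other.lab.internal)"
```

The first line fails the way the question's request does, and the last fails the way a certificate issued to a name fails when the URL carries the bare IP; only the trusted-and-matching cases pass. The `-verify_ip` case also shows the one alternative to switching the URL to a host name: a certificate can be made valid for an address by putting an IP entry in its subjectAltName, which browsers honour the same way as a DNS entry.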

I could solve this problem by adding this to my ajax call:

beforeSend: function (request) {
    request.withCredentials = false;
}

It isn't a recommended practice...

Enzo Gerola

  • I don't think it works by this. `withCredentials` is about passing extra headers like cookies used for authentication. It's not about the certificate of the server. – Unicornist Mar 09 '21 at 16:44