21

Is there a way to check in JavaScript if given a host its SSL certificate is valid? (non blocking)

In my case, I want to display: "you can also use https://.." if via JavaScript I can make a request to https://my_url without being asked to accept an untrusted certificate.

Can this be done asynchronously?

Pang
  • 9,564
  • 146
  • 81
  • 122
MB.
  • 4,167
  • 8
  • 52
  • 79
  • 1
    The question is OK, but I see no sensible answer. I think what was expected was a recipe like - make an AJAX request to the server, which may get blocked if the certificate is untrusted (and not block the browser window). When that happens, display instructions for downloading the CA certificate, if it is missing. – Tomasz Gandor Aug 01 '14 at 09:50
  • I have a different use case for this where I have just a few users who have reported that the browser is telling them the site is insecure. My suspicion is that it something with their browser - like an old version of IE. I would like to detect if my cert is invalid for someone and if it is have diagnostics sent ansyncronsly back to my server. Seems there's not a standardized way to do this. – Ecropolis Oct 31 '17 at 18:21

7 Answers7

10

Take a look here: https://support.mozilla.org/pl/questions/923494

<img src="https://the_site/the_image" onerror="redirectToCertPage()">

This solution is tested and working in current versions of FF and Chrome (as of 2022):

<script> var sslCertTrusted = false; </script>
<script src="https://example.com/ssltest.js"></script>
<script> 
    if (!sslCertTrusted) 
    {
        alert('Sorry, you need to install the certificate first.');
        window.location.replace('http://example.com/cert_install_instructions/');
    }
    else
    {
        // alert('Redirecting to secure connection')
        window.location.replace('https://example.com/');
    }
<script>

You of course need to make your web server return this code under the URL https://example.com/ssltest.js:

sslCertTrusted = true;

I'm not exactly sure about the details. But I've seen similar technology used to detect adblocking etc. You may need to piggyback on the window object maybe, if the variable can't be modified by another script, but generally making the above proof of concept work is left as an exercise to the reader.

jdhildeb
  • 3,322
  • 3
  • 17
  • 25
Tomasz Gandor
  • 8,235
  • 2
  • 60
  • 55
  • 1
    This works in current versions of FF and Chrome in 2022. It is a good solution for in-house apps which use a local certificate authority that require a one-time install in the browser. – jdhildeb Mar 23 '22 at 15:06
4

What I've found up to now - it is possible with Firefox, don't know yet about other browsers:

https://developer.mozilla.org/En/How_to_check_the_security_state_of_an_XMLHTTPRequest_over_SSL

Zrin
  • 49
  • 1
  • 1
  • 3
    no - "you can only call it from a browser extension or from a XULRunner application" – Malx Oct 26 '10 at 16:24
3

The straight answer is no. Javascript does not provide any means of validating certificates. This is a job left to the browser.

A better approach to this problem is from the server side. If you are controlling the site, than you can render down a variable on the page with information gleaned on the server side.

In .Net something like

var canSecure = <%= MySiteHasSsl ? "true" : "false" %>;
if (canSecure) {
    if (confirm("This site supports SSL encryption. Would you like to switch to a secure connection?")) {
        location.href = "https://mysite.com";
    }
}
Joel
  • 19,175
  • 2
  • 63
  • 83
1

I'm not quite sure what your use case is. If you are just trying to "check ahead of time" before you provide a link to someone for another website then the other answers here will be more relevant than mine.

If you are expecting mysite.com to use an SSL certificate that isn't trusted by default in the browser but you have another way of knowing it should be trusted, then you could use a JavaScript TLS implementation to make cross-domain requests to that other site. However, this requires that your website be served on https and trusted in the browser to begin with and the other site to provide a Flash cross-domain policy file.

If this sounds anything like what you want to do, check out the open source Forge project at github:

http://github.com/digitalbazaar/forge/blob/master/README.md

Franjo Markovic
  • 128
  • 1
  • 6
dlongley
  • 2,078
  • 14
  • 17
1

Useful notice: navigator.clipboard will be undefined on Chrome browsers if there's no valid SSL certificate.

Boa
  • 19
  • 1
  • 1
    tested on chrome, `navigator.clipboard` is still there when site has invalid cert – Dee Jun 15 '21 at 02:55
0

You could run a server elsewhere that handles certificate checks based on whatever you want, then your javascript application sends a request to that server asking for a checkup. This does require that you have at least one server somewhere in the world that you can trust.

A query of this nature can be done in the background quite easily.

Tel
  • 217
  • 2
  • 3
0

The question doesn't make sense. You can't get the server's SSL certificate without opening an SSL connection to it, and once you've done that, telling the user they can do that too is a bit pointless.

user207421
  • 305,947
  • 44
  • 307
  • 483
  • 7
    No what? You can't get the server's SSL certificate without opening an SSL connection. If the user accepted the certificate he already had the chane to look at it. What's your point? – user207421 Oct 27 '10 at 07:51