Finished coding a simple chat server in Erlang that uses gen_tcp (simple sockets) and an Android client app for TESTING.
Now I need to implement SSL/TLS.
I kept the connection (sending and receiving data) part in a single module, a few lines of code that I can upgrade easily.
I have no prior experience of implementing SSL/TLS, so I am confused here (like a lot).
Questions - Testing part (localhost):
I can generate a self-signed certificate by:
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
which results in two files, key.pem and cert.pem. My understanding is that one is the server certificate and the other is the key file, but:
- Where is the Certificate Authority file? Do I need to generate one? Do I need one?
- Are they enough to test my app, to make it ready for a release?
- How do I turn my simple Android socket into a secure socket? (Kotlin preferred)
- Can I trust my self-signed certificate programmatically (and only that one), or do I need to install it on my device (and any other device, like a friend's device)?
Questions - Production part:
- SHOULD I use my self-signed certificate on my server? Do I need to create a CA? Pros and cons of using a self-signed certificate?
- Can I use free certificates like those from Let's Encrypt forever? Pros and cons?
Finally:
- Do I need a certificate for the client too? Do I need to provide some sort of key[s] to the Android app?
- What can I do to protect my app from MITM (or protect my app from revealing what is being sent/received to and from the server), for example THIS TYPE OF ATTACK on an SSL/TLS connection from Android to a custom socket server?
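As an added example (not code from the question or its app), this is one way to answer the "secure socket in Kotlin" and "trust only my self-signed certificate" parts together: the client ships cert.pem from the openssl command above inside the app and builds an SSLContext whose only trust anchor is that certificate, so a TLS handshake with any other certificate, including one from an interception proxy or a user-installed CA, fails. Assumptions: the certificate is bundled as res/raw/cert.pem, the host name and port are placeholders, and the certificate carries a subjectAltName matching the host (Android's hostname verifier checks SANs, not the CN, so generate the certificate with `-addext "subjectAltName=DNS:localhost"` or the real name).

```kotlin
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.SSLSocket
import javax.net.ssl.TrustManagerFactory

// Build an SSLContext that trusts ONLY the certificate in cert.pem (the
// self-signed certificate produced by the openssl command in the question).
// The PEM is read from a stream, e.g. resources.openRawResource(R.raw.cert)
// (assumed location in the app; not prescribed by the question).
fun buildPinnedSslContext(certPem: InputStream): SSLContext {
    val cert = CertificateFactory.getInstance("X.509")
        .generateCertificate(certPem) as X509Certificate

    // Empty in-memory keystore holding just this one trust anchor; the
    // device's system CA store is deliberately NOT consulted.
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        setCertificateEntry("chat-server", cert)
    }
    val tmf = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm())
        .apply { init(keyStore) }

    return SSLContext.getInstance("TLS").apply { init(null, tmf.trustManagers, null) }
}

// Drop-in replacement for Socket(host, port). A plain SSLSocket validates the
// certificate chain but does NOT check the host name by default, so hostname
// verification is switched on explicitly (otherwise any certificate signed by a
// trusted key would be accepted regardless of the name it was issued for).
fun openSecureSocket(host: String, port: Int, certPem: InputStream): SSLSocket {
    val socket = buildPinnedSslContext(certPem)
        .socketFactory.createSocket(host, port) as SSLSocket
    socket.sslParameters = socket.sslParameters.apply {
        protocols = arrayOf("TLSv1.3", "TLSv1.2")
        endpointIdentificationAlgorithm = "HTTPS" // match host against the cert's SAN
    }
    socket.startHandshake() // throws SSLHandshakeException for any other certificate
    return socket
}

// Usage (off the main thread; host/port are placeholders):
// val sock = openSecureSocket("chat.example.com", 5555, resources.openRawResource(R.raw.cert))
// sock.outputStream.write("hello\n".toByteArray())
```

Because trust is pinned to this exact certificate, rotating it (or moving to a CA-issued certificate) requires shipping an app update; pinning the CA's certificate or the server's public key instead gives more room for renewal at the cost of a slightly wider trust set.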