This is a MacOS X app that is serving a web page to various mobile or just regular web servers. I do plan to replace, or at least augment, the web interface to the app with an actual iOS app. I have started on that several times but the iOS framework is not quite up to speed for me yet; I can't port my data transfer classes yet without completely re-writing them because of the inability of a memory-block-backed binary stream to automatically expand itself as you write to it, but that's another post. At that point I will be making a direct socket connection from the iOS app to the macOS app, and I do understand that is coming too.
I'm a little concerned about that and the requirement for SSL if it requires a signed certificate. There is no central server in this case; the server is your own Mac. Purchasing a single signed certificate for a server app is one thing and not that horrible; requiring that every user of our software also purchase a signed certificate is not acceptable. I need to be able to provide a safe connection to them without having to spend that extra money and go through a lengthy and painful install process, which it will be no matter how much I automate it.
The security improvement when talking from my app to my own program would be negligible anyway. The first time you connect to your server with the self-signed certificate you'll get that nice warning from the system that this cert is not trusted and do you want to trust it. You say yes, that you do. Now if someone was running a man-in-the-middle attack they would not have my certificate; they would have another certificate, so iOS would ask me if I wanted to trust it again. If that message pops up when connecting to your own server remotely then you know you're being messed with. If it doesn't, then the man in the middle is using a signed certificate, which can't be signed to your DNS address, so that will cause an error popup, or they are using a non-signed cert that will pop up the other message. I don't believe that there is a way to do this that doesn't cause a message from the OS saying that the cert is either invalid because the DNS name doesn't match or that it's a new cert that you need to decide to trust. So there is no benefit to this sort of connection from a signed certificate anyway, as I currently understand such things.
It's doubly strange to me that iOS and Safari would limit only movie files to signed certs, but accept all other kinds of web traffic. The web sites operate just fine over the self-signed cert; only serving up movie files causes this issue.
While I would prefer to use the built-in Flash player that is already in my Xojo app by just checking if the client is Safari and the connection is secure and then turning on moviePlayer1.useFlash = true or something, since there doesn't seem to be much interest in that at the moment I'm experimenting with using open source or third-party players. Most of the ones I've seen so far have so many dependencies that I'm unable to get them to work from an HTTPS connection anyway. But I only wasted an hour or so yesterday looking into that, so I haven't experimented with them all yet. There are several open source ones that look pretty good and would do all that I need to do. I would wrap them into a WebAPI control fairly easily if I can just embed all the dependencies into the app itself for serving rather than getting them from somewhere else.
Back to SSL: I'm looking at the letsencrypt folks, who do it for free. There is a command line tool you can install with Brew that will do the creation of the signed certificate and even the install of it for you into known server types. It will also do a standalone server creation that just leaves you the files for your own setup, which is what I would have to do for a standalone Xojo web app. If the binary could be included in my program I could use their service, probably. The install process would require that any port 80 server my users were running be shut down so that it can temporarily start one and verify that your dyndns name actually resolves to the server you're trying to create a certificate for. But I could automate that process as I currently automate the creation of the self-signed certificate for them: just enter the dyndns name and click create, and all the connections can then use the cert. If their license is such that I can't do that then I would have to tell my users that they need to install Brew and this one command line tool through it, and just ugh. I might be able to get away with that for those that wanted a signed cert for their own security, but I can't make that a requirement of just running the app at all if iOS and OS X someday completely require a signed cert. I would have to switch to a server-based IPsec tunnel passthrough system where the HTTPS signed cert was installed on my servers and then forward the data back and forth to the clients that way. That's how a lot of other systems like ours actually function, but one of our things is that we don't rely on any cloud connection; you can manage it all yourself. I'm impressed by the number of folks that prefer a dyndns address to their own system as opposed to going through the cloud. That may not be possible in the future if Apple really does shut out any other kinds of encryption and requires what they consider a valid signed certificate.
Perhaps we could become our own dyndns host for our users and run our own intermediate certificate hosting system. That would require that the users install an intermediate certificate into their keychains, but that would be less of a burden than some of these options. But again, I would have to become a cloud service, and I really just don't want to do that if there are any other options.
But all that worry and concern is for the future; right now I want to be able to serve up movies to web clients on just the regular macOS browser through an HTTPS connection on a self-signed certificate. I can't do that with HTML5 video, but I MIGHT be able to do it with the Flash player. I am going to see if I can make Safari send an alternate browser identification string in a moment and make the Xojo app think it needs the Flash player, just to see if that even works. That didn't occur to me yesterday, but I might be able to see if it's worth the effort easily that way.
TL;DR, I know, but this is such a pain in the neck and I can't figure out what we gain by having to go through such acrobatics.
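As an added example (not the poster's code, and not Xojo's or Let's Encrypt's), here is a shell script for the two pieces the post describes: generating a self-signed certificate for a dyndns-style hostname with a matching Subject Alternative Name, and recording its SHA-256 fingerprint so a client can compare it on every later connection, which is the "new cert, do you want to trust it?" check in scriptable form. The hostname `example.dyndns.invalid`, the output directories and the `remote_fingerprint` helper are assumptions; it requires the `openssl` CLI (1.1.1 or newer, for `-addext`).

```shell
#!/bin/sh
# Added example: self-signed cert for a dyndns-style hostname plus fingerprint pinning.
# Assumes the openssl CLI (1.1.1 or newer) is on PATH. Hostname and directories are
# hypothetical; nothing here is the Xojo app's own code.

# Create a key and self-signed cert for host $1 in directory $2.
# The SAN matters: modern clients (iOS included) match the hostname against
# subjectAltName, not just the CN, so a cert without it trips the name-mismatch error.
make_self_signed() {
  host="$1"; outdir="$2"
  mkdir -p "$outdir" || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM cert ("AB:CD:..."), with the "Fingerprint=" label stripped.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# True if the cert's SAN list carries DNS name $2.
cert_san_matches() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Fingerprint of the cert a live server at $1:$2 presents (assumed helper; needs
# network access, so it is not exercised here).
remote_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Trust-on-first-use check: the fingerprint pinned at first connection ($1) must equal
# the one presented now ($2). A different cert for the same hostname is exactly the
# "do you trust this?" situation the post relies on and is treated as a failure.
pinned_matches() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}
```

On first connection store `remote_fingerprint host 443` next to the hostname; on later connections refuse to proceed unless `pinned_matches` succeeds.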