4 Replies. Latest reply on Apr 4, 2016 9:42 PM by chrisqiu
    chrisqiu Newbie

    No SSL certification in C SDK

    Just a simple method to disable SSL certification in the SteamSensor sample in the C SDK, for those who want to use that in development mode or show it to a customer. As you may know, using the twApi_DisableCertValidation() function will not work:

    1. Locate the src/config/twConfig.h in the SDK file, add:

    #define USING_NO_TLS
    #undef USING_AXTLS

    right after #define OFFLINE_MSG_STORE 1, the result should be like:

    2016-3-2 16-53-39.png

    2. Locate the src/tls/twTls.h in the SDK file, modify #include TW_TLS_INCLUDE to include more conditions:

    #if defined USING_AXTLS
    #include "twAxTls.h"
    #elif defined USING_NO_TLS
    #include "twNoTls.h"
    #else
    #include TW_TLS_INCLUDE
    #endif

    and the result should be like:

    2016-3-2 16-57-08.png

    After all of this is done, compile your code and start it; you will connect to your Thingworx server without SSL.

      • Re: No SSL certification in C SDK
        pchung Collaborator

        Although we provide this capability to make development easier, never deploy the EMS in production without SSL.

        • Re: No SSL certification in C SDK
          jcanosa Explorer

          Why do you say twApi_DisableCertValidation() does not work?  What that does is prevent the checking of the certificate entries to ensure they match those that are set using twApi_SetX509Fields().


          If you want to disable checking valid signing authority of the certificate so that you can use self-signed certificates for demo purposes, you should use the function twApi_SetSelfSignedOk(). 

           

          If you want to induce MAJOR SECURITY RISKS by disabling encryption altogether then you would use USING_NO_TLS. This should only be used in very limited circumstances where the edge and ThingWorx server are deployed inside a firewall within the same security domain and where deep packet inspection of all traffic is a requirement (i.e. some military installations may require that).

           

          "It's just a demo" is never an excuse to not use encryption. The ThingWorx server ships with self-signed certificates (at least it used to, even if not, it is a simple single command to create one), so using TLS requires very, very little extra effort.

            • Re: No SSL certification in C SDK
              chrisqiu Newbie

              Yes, you are right, not using encryption shouldn't be recommended.

              I have done several tests with the combination of twApi_DisableCertValidation() and twApi_SetSelfSignedOk(), but it seems that doesn't work if you don't use SSL on the Thingworx server side, so my purpose is just to give a way for those who don't want to use SSL at the server side for a presales demo.
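
Added example, not part of the thread or of the SDK: a release gate that refuses to ship a build whose twConfig.h still carries the USING_NO_TLS edit from the first post, in line with the replies about never deploying without SSL. The function names uses_no_tls and release_gate are hypothetical, and the script assumes the header path is passed in by the build.

```shell
#!/bin/sh
# Added example: release gate for the edit described in this thread.
# Limitation: #if/#ifdef branches are not evaluated; every #define and
# #undef outside comments is replayed in file order.

# uses_no_tls HEADER: exit 0 when HEADER leaves USING_NO_TLS defined.
uses_no_tls() {
    awk '
    {
        line = $0; code = ""
        while (line != "") {
            if (in_comment) {                       # inside /* ... */
                i = index(line, "*/")
                if (i == 0) break
                line = substr(line, i + 2); in_comment = 0
            } else {
                i = index(line, "/*"); j = index(line, "//")
                if (j > 0 && (i == 0 || j < i)) { code = code substr(line, 1, j - 1); break }
                if (i == 0) { code = code line; break }
                code = code substr(line, 1, i - 1) " "
                line = substr(line, i + 2); in_comment = 1
            }
        }
        sub(/^[ \t]*#[ \t]*/, "#", code)            # "#  define" -> "#define"
        split(code, f, /[ \t]+/)
        if (f[1] == "#define") defined[f[2]] = 1
        if (f[1] == "#undef")  defined[f[2]] = 0
    }
    END { exit (defined["USING_NO_TLS"] ? 0 : 1) }' "$1"
}

# release_gate HEADER: returns 1 (block the release) for a plaintext build.
release_gate() {
    if uses_no_tls "$1"; then
        echo "BLOCK: $1 defines USING_NO_TLS; the agent would connect without TLS" >&2
        return 1
    fi
    echo "OK: $1 does not define USING_NO_TLS"
}

# Constructed sample: a twConfig.h fragment after step 1 of the post.
tmp=$(mktemp)
printf '%s\n' '#define OFFLINE_MSG_STORE 1' '#define USING_NO_TLS' \
    '#undef USING_AXTLS' > "$tmp"
release_gate "$tmp" || echo "release blocked (constructed sample)"
rm -f "$tmp"
```

Run it in the release pipeline against src/config/twConfig.h; a commented-out define or a later #undef USING_NO_TLS passes, an active define fails.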