Certificate Support in AIR for Linux

In an earlier post I explained how to use TLS client authentication for AIR applications on Windows and Mac OS. Commenter Arlen asked how to do the same on Linux; unfortunately, TLS client authentication is not supported in AIR for Linux.

The first problem is that, unlike Windows and Mac OS, Linux doesn’t have a standardized, easily accessible certificate store available. Instead, AIR bundles its own certificate stores. (See this Adobe knowledge base article for information about managing those certificate stores.) Other Linux applications typically do the same. Even if client authentication were supported, it would have to be configured separately for AIR applications versus other applications, thus making it much less useful than on Windows or Mac OS.

The second problem is that Linux doesn’t have a standardized, easily accessible HTTP stack that supports TLS client authentication; instead, applications have to bundle their own implementation. That, of course, doesn’t make it impossible for AIR to add this support, but it means that doing so requires a non-trivial engineering investment.

To date, these two issues have kept us from adding TLS client authentication support on Linux. If you’d like to see it added, I encourage you to vote for it on the Adobe AIR Ideas site.

2 Responses to Certificate Support in AIR for Linux

  1. Alberto Albericio says:

    Hi Oliver,

    We, at Codeoscopic, are Adobe Solution Partners and we’re currently developing an AIR application to be installed on some Linux (Ubuntu) boxes (kiosks). This application must follow strict security patterns to ensure the authentication of both the client and server (where services run). The Adobe AIR client must authenticate against the server and the server should authenticate against the Adobe AIR client.

    I’ve read some of your articles on Adobe AIR TLS authentication and this seems to be possible if the app runs on Windows, but I’m not sure if that same app runs under Linux.

    Could you help us find the best strategy to protect this communication between client and server?

    Thanks in advance and for your time.

    Alberto

    • Oliver Goldman says:

      It is possible on all platforms to have your client authenticate the server it connects to using TLS. However, having the server authenticate the client, at least using the built-in TLS support, will work only on Mac OS and Windows.
      To accomplish this on Linux, you’ll need to create your own equivalent mechanism. I’m sure such a thing can be done, although it probably requires substantial work.
      Perhaps the most straightforward approach would be to use the TLS mechanism, but implement it in ActionScript. This would involve distributing a private key to each client, as is also necessary for Mac OS and Windows. Then you’d have to implement the TLS protocol check in ActionScript, perhaps using a library like as3crypto, and provide it with access to that key.