Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
I've got it refactored on my own local branch, but it's a big enough change I might submit it separately. I hate to say it, but working on this really makes my head hurt. I've got the as3httpdlib working on my local copy. I need a bit to clean it up -- should have it ready this evening or tomorrow. -Nick On Sun, Feb 8, 2015 at 2:58 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 8, 2015 8:52 AM, Alex Harui aha...@adobe.com wrote: On 2/6/15, 2:56 PM, Nicholas Kwiatkowski nicho...@spoon.as wrote: I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. Sounds good to me, go for it! And some refactoring of the main mxml file would be good, as you noted in one of your tweets :-) Thanks, Om -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Ok. Digging into this a bit more, the only time we will ever use HTTPS is during the Installer Config download and the MD5s. No reason why we need to be tunneling the Installer Config through HTTPS. All it contains is localization strings for the current version. MD5 paths (and all paths, really) are stored on the Apache DIST server, and is pulled down via HTTP. MD5s are actually pulled down using HTTPS, again at the Apache DIST server. This is valuable to protect via HTTPS. None of the Apache mirrors are serving files via HTTPS (if they are, they aren't telling Apache about it -- or Apache isn't cataloging it). Since nothing larger than 4k is being transferred over https, we don't have to worry about using a raw https session that screws with TCP Window sizes (essentially, if you try to create TCP packets too large in one shot, you will get fragments, which causes major overhead and can cause the download/upload speed to decrease by 60%). The proxy thing would still need to be addressed -- but those are becoming more and more rare. No idea how many people still use a proxy server, but they would be affected by this unless we offer a configuration option for it. On a side note -- if we are really worried about Man-In-The-Middle attacks, the two things we should be protecting are the initial configuration download (http://flex.apache.org/installer/sdk-installer-config-4.0.xml) and the MD5s. Everything else is checked via checksums, so we are safe there. We currently don't pull the sdk-installer-config-4.0.xml file off HTTPS, and maybe we should. I'd vote for dropping /dist/flex/4.14.0/binaries/apache-flex-sdk-installer-config.xml from being pulled over https. I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. -Nick On Fri, Feb 6, 2015 at 11:16 AM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 6, 2015 7:37 AM, Alex Harui aha...@adobe.com wrote: On 2/6/15, 1:11 AM, Tom Chiverton t...@extravision.com wrote: On 05/02/15 16:56, Alex Harui wrote: What do others think? IMO, for 3.2 we should just do the swap of an AS3 native HTTP implementation and not switch our urls to HTTP or add some checkbox. Then we can get better data on how many problems that change solved or if it introduces new issues. Not that I’m volunteering to do that work. I vote for doing this. As you say, there's a chance everything will Just Work with it. Well, Nick is saying there will be other issues. Om, have you run into the issues Nick brings up? No, I have not. But I've never had to deal with large downloads using this library. In any case, I still think we should give it a try. Thanks, Om -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/6/15, 2:56 PM, Nicholas Kwiatkowski nicho...@spoon.as wrote: I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. Sounds good to me, go for it! -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
FWIW, when I tried to implement a socket server for Flash, I ran into more issues than with URLLoader. Although, I don’t remember any details. On Feb 8, 2015, at 6:50 PM, Alex Harui aha...@adobe.com wrote: On 2/6/15, 2:56 PM, Nicholas Kwiatkowski nicho...@spoon.as wrote: I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. Sounds good to me, go for it! -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 8, 2015 8:52 AM, Alex Harui aha...@adobe.com wrote: On 2/6/15, 2:56 PM, Nicholas Kwiatkowski nicho...@spoon.as wrote: I have some time to implement the as3httpdlib this weekend if that is the direction we want to go. Sounds good to me, go for it! And some refactoring of the main mxml file would be good, as you noted in one of your tweets :-) Thanks, Om -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 05/02/15 16:56, Alex Harui wrote: What do others think? IMO, for 3.2 we should just do the swap of an AS3 native HTTP implementation and not switch our urls to HTTP or add some checkbox. Then we can get better data on how many problems that change solved or if it introduces new issues. Not that I’m volunteering to do that work. I vote for doing this. As you say, there's a chance everything will Just Work with it. Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/6/15, 1:11 AM, Tom Chiverton t...@extravision.com wrote: On 05/02/15 16:56, Alex Harui wrote: What do others think? IMO, for 3.2 we should just do the swap of an AS3 native HTTP implementation and not switch our urls to HTTP or add some checkbox. Then we can get better data on how many problems that change solved or if it introduces new issues. Not that I’m volunteering to do that work. I vote for doing this. As you say, there's a chance everything will Just Work with it. Well, Nick is saying there will be other issues. Om, have you run into the issues Nick brings up? -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 6, 2015 7:37 AM, Alex Harui aha...@adobe.com wrote: On 2/6/15, 1:11 AM, Tom Chiverton t...@extravision.com wrote: On 05/02/15 16:56, Alex Harui wrote: What do others think? IMO, for 3.2 we should just do the swap of an AS3 native HTTP implementation and not switch our urls to HTTP or add some checkbox. Then we can get better data on how many problems that change solved or if it introduces new issues. Not that I’m volunteering to do that work. I vote for doing this. As you say, there's a chance everything will Just Work with it. Well, Nick is saying there will be other issues. Om, have you run into the issues Nick brings up? No, I have not. But I've never had to deal with large downloads using this library. In any case, I still think we should give it a try. Thanks, Om -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Hi, Looks like it is MIT license so ok to use. It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1] Justin 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
RE: [Installer - FLEX-34251] Is SSK needed for load installer config?
+1 to http vs https. -Mark -Original Message- From: omup...@gmail.com [mailto:omup...@gmail.com] On Behalf Of OmPrakash Muppirala Sent: Wednesday, February 04, 2015 11:11 AM To: dev@flex.apache.org Cc: Paul Hastings Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer config? On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Very weird. This time when I hit the link I ended up at https://code.google.com/p/as3httpclient/ Which does show BSD, but last time I ended up at https://code.google.com/p/as3httpclientlib/ Which shows MIT. I guess there is more than one version of AS3 Native HTTP. Whoever works on it can pick one or the other as long as the LICENSE is updated correctly. -Alex On 2/5/15, 7:30 AM, Erik de Bruin e...@ixsoftware.nl wrote: Weird, I see BSD instead of MIT... Maybe it shows one for the US, and another for the world? EdB On Thu, Feb 5, 2015 at 4:25 PM, Alex Harui aha...@adobe.com wrote: On 2/5/15, 12:23 AM, Justin Mclean jus...@classsoftware.com wrote: Hi, Looks like it is MIT license so ok to use. It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1] Ugh. Did you find BSD somewhere? That could mean the authors didn’t handle their IP carefully. When I go to their site [2] on the left column it clearly says “MIT License” and on GitHub the License.txt file [3] looks like MIT to me. Or am I missing something. -Alex Justin 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps [2] https://code.google.com/p/as3httpclient/ [3] https://github.com/gabriel/as3httpclient/blob/master/License.txt -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Weird, I see BSD instead of MIT... Maybe it shows one for the US, and another for the world? EdB On Thu, Feb 5, 2015 at 4:25 PM, Alex Harui aha...@adobe.com wrote: On 2/5/15, 12:23 AM, Justin Mclean jus...@classsoftware.com wrote: Hi, Looks like it is MIT license so ok to use. It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1] Ugh. Did you find BSD somewhere? That could mean the authors didn’t handle their IP carefully. When I go to their site [2] on the left column it clearly says “MIT License” and on GitHub the License.txt file [3] looks like MIT to me. Or am I missing something. -Alex Justin 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps [2] https://code.google.com/p/as3httpclient/ [3] https://github.com/gabriel/as3httpclient/blob/master/License.txt -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/5/15, 12:23 AM, Justin Mclean jus...@classsoftware.com wrote: Hi, Looks like it is MIT license so ok to use. It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1] Ugh. Did you find BSD somewhere? That could mean the authors didn’t handle their IP carefully. When I go to their site [2] on the left column it clearly says “MIT License” and on GitHub the License.txt file [3] looks like MIT to me. Or am I missing something. -Alex Justin 1. http://www.apache.org/dev/licensing-howto.html#permissive-deps [2] https://code.google.com/p/as3httpclient/ [3] https://github.com/gabriel/as3httpclient/blob/master/License.txt
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
I'd recommend against using the client to bypass the windows settings. If we do, the we need to expose properties like Proxy Settings, and need to deal with locations that disallow large TCP window sizes (for example, users on ATT DSL have to force their TCP Window size to 1440 instead of 1500 which is the OS default). We would need to package in an ANE to read the registry settings for these settings if we plan on doing the download raw. -Nick On Wed, Feb 4, 2015 at 9:12 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 5:33 PM, Alex Harui aha...@adobe.com wrote: Sounds reasonable. The AIR downloading code via URLLoader just seems sensitive. Do we know if we use AIR sockets and build our own http download protocol on top if it will bypass the IE libraries underneath? Yes, it will. I use the as3httpclient in my projects and it should work fine and bypass any browser based settings. Thanks, Om -Alex On 2/4/15, 11:03 AM, Nicholas Kwiatkowski nicho...@spoon.as wrote: An option we could use is to try https first. If it fails, present the user to drop down to http. This should take care of all use cases, yet still allow the user control the security level... -Nick On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
I’m going to try to see if I can capture where we are: At least one person got stuck because AIR on Windows uses IE/OS settings that needed tweaking otherwise it blocked an HTTPS download. Yet of the list of common failures, many others failed after getting past at least two HTTPS downloads. We have several votes to not use https at all. There is still a chance that now or someday, some download that first attempts http will fail or be redirected to https. We have an option to replace URLLoader with an AS3 native HTTP implementation. AIUI, there is a chance that will just solve everything and we won’t need to care about HTTP vs HTTPS any more. Can someone confirm? A new idea that popped into my head is having a checkbox in the Installer where you can select to use HTTPS. Is that practical? IMO, we’d default to HTTP and folks who are concerned would opt in to HTTPS. What do others think? IMO, for 3.2 we should just do the swap of an AS3 native HTTP implementation and not switch our urls to HTTP or add some checkbox. Then we can get better data on how many problems that change solved or if it introduces new issues. Not that I’m volunteering to do that work. -Alex On 2/5/15, 6:06 AM, Kessler CTR Mark J mark.kessler@usmc.mil wrote: +1 to http vs https. -Mark -Original Message- From: omup...@gmail.com [mailto:omup...@gmail.com] On Behalf Of OmPrakash Muppirala Sent: Wednesday, February 04, 2015 11:11 AM To: dev@flex.apache.org Cc: Paul Hastings Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer config? On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 04/02/15 17:38, Erik de Bruin wrote: Only if you think a man-in-the-middle attack that hijacks both the download and the MD5 request is more likely than the bad guys having backdoor access to the servers actually hosting those files. And given the fact that those servers reside in the US and that Snowden's main revelation wasn't about a foreign power having access to nearly every bit in the US, I say we don't worry too much about it;-) If people's Windows settings are incompatible with modern web sites (against Microsoft advice) then they will encounter more and more problems with time. We just happen to be seeing some fall out. I still think we should just document it, and suggest checking the settings when we get failures on Windows, and as a plan B look at the AS3-native HTTPS implementation that doesn't use the underlying O/S. I wont veto any change to HTTP though; life is too short and I'm out numbered, Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/5/2015 4:53 PM, Tom Chiverton wrote: If people's Windows settings are incompatible with modern web sites people as in people who don't normally use IE. chrome reaches the config file site just fine (ditto for firefox). as justin pointed out most developers aren't big fans of IE, so this probably isn't that rare a case. (against Microsoft advice) then they will encounter more and more problems with time. not if they don't use IE. I still think we should just document it, and suggest checking the settings when we get failures on Windows, and as a plan B look at the just documenting this would be a fine solution as well.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Yes. This is purely an SSL issue in regards to new TLS certificates (other cyptro methods were proven to be weak, so many sites/browsers aren't supporting them anymore). -Nick On Wed, Feb 4, 2015 at 11:08 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
However, we do need to verify that hitting HTTP doesn't cause too many redirects (possibly to HTTPS), as I seem to remember that redirects sometimes cause trouble for AIR and not to mention that we'd be back to square one if that would happen... EdB On Wed, Feb 4, 2015 at 5:12 PM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/4/15, 9:14 AM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 9:03 AM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -1. We are already doing MD5 checks on downloaded artifacts. I am not sure what benefit https is going to add here. It looks like we currently pull our MD5 files over https. So changing to pull the installer config files over http probably just means folks will get stuck on the MD5 fetch. Does changing the MD5 download to HTTP make it unsecure? -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
+1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -1. We are already doing MD5 checks on downloaded artifacts. I am not sure what benefit https is going to add here. It looks like we currently pull our MD5 files over https. So changing to pull the installer config files over http probably just means folks will get stuck on the MD5 fetch. Does changing the MD5 download to HTTP make it unsecure? Only if you think a man-in-the-middle attack that hijacks both the download and the MD5 request is more likely than the bad guys having backdoor access to the servers actually hosting those files. And given the fact that those servers reside in the US and that Snowden's main revelation wasn't about a foreign power having access to nearly every bit in the US, I say we don't worry too much about it ;-) EdB -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 4, 2015 9:03 AM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -1. We are already doing MD5 checks on downloaded artifacts. I am not sure what benefit https is going to add here. Thanks, Om -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
RE: [Installer - FLEX-34251] Is SSK needed for load installer config?
I just tried it out with v3.2 installer by changing the only place that actually calls an https other than one call to goog closure for FlexJS and I didn't get any errors during the install. I did see in the log file and Charles a couple other https urls. From the log Downloading 2.2.zip from: https://github.com/swfobject/swfobject/archive From Charles https://github.com:443 https://codeload.github.com:443 https://fonts.googleapis.com:443 https://fonts.gstatic.com:443 The quick fix is to change line 50 in 'MD5CompareUtil.as' from public static const MD5_DOMAIN:String = https://www.apache.org/dist/;; to public static const MD5_DOMAIN:String = http://www.apache.org/dist/;; This is definitely the easiest fix to apply if no one else has any problems with installing. Maybe the people that were having issues before could give that a try and let us know if that does indeed fix the issue. Neil -Original Message- From: Erik de Bruin [mailto:e...@ixsoftware.nl] Sent: February-04-15 9:13 AM To: dev@flex.apache.org Cc: Paul Hastings Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer config? +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don't have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
[Installer - FLEX-34251] Is SSK needed for load installer config? (was: Re: sdk 4.14.0 100% install failures)
Please continue discussion on this issue in this thread. Thanks, EdB On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin e...@ixsoftware.nl wrote: Good find! This issue matches the following JIRA issue: https://issues.apache.org/jira/browse/FLEX-34251 Please use that to work on this bug. I also changed the subject to make the reference more obvious ;-) EdB On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 6:36 AM, Justin Mclean wrote: Hi, I just tried it on windows, everything went fine without errors. IE8 (64 bit) on windows 7 failed to connect to the apache-flex-sdk-installer-config.xml URL, getting There is a problem with this website's security certificate.. error. i went into tools==advanced==security turned on TLS 1.1 TLS 1.2. IE8 could connect ok after that. next tried the installer again holy crap worked ok first time. this is disturbing at a couple of levels. - i suppose IE is as good a choice as any to pick up internet options for consumer apps but for devs its kind of out in left field. is this documented anyplace? if not, somebody should probably spread the word. - the folks who accounted for the 93% windows successful installs need to turn in their nerd cards for having a working IE browser ;-) -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
An option we could use is to try https first. If it fails, present the user to drop down to http. This should take care of all use cases, yet still allow the user control the security level... -Nick On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config? (was: Re: sdk 4.14.0 100% install failures)
Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. -Nick On Wed, Feb 4, 2015 at 10:30 AM, Tom Chiverton t...@extravision.com wrote: On 04/02/15 15:23, Alex Harui wrote: I wonder if on Windows, the Installer should pop an alert when finding a download error and suggest that folks use Internet Explorer to hit the failing download. At the very least, it'll provide an immediate data point if they report it, and may aid people in self-diagnosing the issue. TLS 1.x is fast becoming mandatory for SSL connections. This page http://blogs.msdn.com/b/kaushal/archive/2011/10/02/ support-for-ssl-tls-protocols-on-windows.aspx has a chart showing TLS support by O/S, and indicates Windows 7 should support it, I assume by default. Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/4/2015 10:30 PM, Tom Chiverton wrote: TLS 1.x is fast becoming mandatory for SSL connections. This page http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx has a chart showing TLS support by O/S, and indicates Windows 7 should support it, I assume by default. while it may support those options, they aren't turned on by default. if you take a look at the image Supported SSL protocols under “Advanced” tab of IE 9 on Windows 7 from that article you'll what i saw when i fixed this. 1.1 1.2 were turned off.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Sounds reasonable. The AIR downloading code via URLLoader just seems sensitive. Do we know if we use AIR sockets and build our own http download protocol on top if it will bypass the IE libraries underneath? -Alex On 2/4/15, 11:03 AM, Nicholas Kwiatkowski nicho...@spoon.as wrote: An option we could use is to try https first. If it fails, present the user to drop down to http. This should take care of all use cases, yet still allow the user control the security level... -Nick On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 4, 2015 5:33 PM, Alex Harui aha...@adobe.com wrote: Sounds reasonable. The AIR downloading code via URLLoader just seems sensitive. Do we know if we use AIR sockets and build our own http download protocol on top if it will bypass the IE libraries underneath? Yes, it will. I use the as3httpclient in my projects and it should work fine and bypass any browser based settings. Thanks, Om -Alex On 2/4/15, 11:03 AM, Nicholas Kwiatkowski nicho...@spoon.as wrote: An option we could use is to try https first. If it fails, present the user to drop down to http. This should take care of all use cases, yet still allow the user control the security level... -Nick On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui aha...@adobe.com wrote: In another thread, I think Tom C says we should be using https to deliver all of our bits, which we aren’t today. What do folks think? -Alex On 2/4/15, 8:37 AM, Alex Harui aha...@adobe.com wrote: I thought the change to http was going to be in the sdk-installer-config-4.0.xml file but it turns out it isn’t. When the artifact is coming from the mirrors, the Installer uses https to get MD5 and the apache-flex-sdk-installer-config.xml file. Should we use http to get the MD5s as well? If so, that is a simple change we can test in the nightly builds. -Alex On 2/4/15, 8:12 AM, Erik de Bruin e...@ixsoftware.nl wrote: +1 here as well, especially since that would be an 'easyfix' ;-) EdB On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 8:09 AM, Alex Harui aha...@adobe.com wrote: Another question for you guys, since I don’t have any expertise in this area, would we in fact skirt around this by hitting http for more of our downloads instead of https? +1 to hitting http by default. Thanks, Om -Alex On 2/4/15, 8:05 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote: Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made available in XP, if you turned it on. 1.0 was on by default, 1.1 1.2 (guess the culprit here) weren't. -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/4/15, 11:41 PM, piotrz piotrzarzyck...@gmail.com wrote: Hi Om, Alex, So can we just use this library ? Any license objections ? Or it is too big and better write our own logic ? Looks like it is MIT license so ok to use. -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Hi Om, Alex, So can we just use this library ? Any license objections ? Or it is too big and better write our own logic ? Om, This is right link, because I see couple of links in google: https://code.google.com/p/as3httpclient/ Piotr - Apache Flex PMC piotrzarzyck...@gmail.com -- View this message in context: http://apache-flex-development.247.n4.nabble.com/Installer-FLEX-34251-Is-SSK-needed-for-load-installer-config-was-Re-sdk-4-14-0-100-install-failures-tp44913p44955.html Sent from the Apache Flex Development mailing list archive at Nabble.com.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On 2/4/15, 6:12 PM, OmPrakash Muppirala bigosma...@gmail.com wrote: On Feb 4, 2015 5:33 PM, Alex Harui aha...@adobe.com wrote: Sounds reasonable. The AIR downloading code via URLLoader just seems sensitive. Do we know if we use AIR sockets and build our own http download protocol on top if it will bypass the IE libraries underneath? Yes, it will. I use the as3httpclient in my projects and it should work fine and bypass any browser based settings. Any volunteers to try this out? It would be a big deal if it made a noticeable dent in the number of failed installs. -Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config? (was: Re: sdk 4.14.0 100% install failures)
The IE 'internet options' are actually the Windows internet options, it's a left over from when IE was illegally tied to Windows. The question is what are the default settings there - if the defaults are for those options to be on we don't need to worry ? Tom On 04/02/15 09:08, Erik de Bruin wrote: Please continue discussion on this issue in this thread. Thanks, EdB On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin e...@ixsoftware.nl wrote: Good find! This issue matches the following JIRA issue: https://issues.apache.org/jira/browse/FLEX-34251 Please use that to work on this bug. I also changed the subject to make the reference more obvious ;-) EdB On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 6:36 AM, Justin Mclean wrote: Hi, I just tried it on windows, everything went fine without errors. IE8 (64 bit) on windows 7 failed to connect to the apache-flex-sdk-installer-config.xml URL, getting There is a problem with this website's security certificate.. error. i went into tools==advanced==security turned on TLS 1.1 TLS 1.2. IE8 could connect ok after that. next tried the installer again holy crap worked ok first time. this is disturbing at a couple of levels. - i suppose IE is as good a choice as any to pick up internet options for consumer apps but for devs its kind of out in left field. is this documented anyplace? if not, somebody should probably spread the word. - the folks who accounted for the 93% windows successful installs need to turn in their nerd cards for having a working IE browser ;-) -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config? (was: Re: sdk 4.14.0 100% install failures)
Hi Paul, Thanks for finding that. I wonder if on Windows, the Installer should pop an alert when finding a download error and suggest that folks use Internet Explorer to hit the failing download. Thoughts? -Alex On 2/4/15, 1:08 AM, Erik de Bruin e...@ixsoftware.nl wrote: Please continue discussion on this issue in this thread. Thanks, EdB On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin e...@ixsoftware.nl wrote: Good find! This issue matches the following JIRA issue: https://issues.apache.org/jira/browse/FLEX-34251 Please use that to work on this bug. I also changed the subject to make the reference more obvious ;-) EdB On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings paul.hasti...@gmail.com wrote: On 2/4/2015 6:36 AM, Justin Mclean wrote: Hi, I just tried it on windows, everything went fine without errors. IE8 (64 bit) on windows 7 failed to connect to the apache-flex-sdk-installer-config.xml URL, getting There is a problem with this website's security certificate.. error. i went into tools==advanced==security turned on TLS 1.1 TLS 1.2. IE8 could connect ok after that. next tried the installer again holy crap worked ok first time. this is disturbing at a couple of levels. - i suppose IE is as good a choice as any to pick up internet options for consumer apps but for devs its kind of out in left field. is this documented anyplace? if not, somebody should probably spread the word. - the folks who accounted for the 93% windows successful installs need to turn in their nerd cards for having a working IE browser ;-) -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl -- Ix Multimedia Software Jan Luykenstraat 27 3521 VB Utrecht T. 06-51952295 I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config? (was: Re: sdk 4.14.0 100% install failures)
On 04/02/15 15:23, Alex Harui wrote: I wonder if on Windows, the Installer should pop an alert when finding a download error and suggest that folks use Internet Explorer to hit the failing download. At the very least, it'll provide an immediate data point if they report it, and may aid people in self-diagnosing the issue. TLS 1.x is fast becoming mandatory for SSL connections. This page http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx has a chart showing TLS support by O/S, and indicates Windows 7 should support it, I assume by default. Tom