Re: Https, sslVerification, certificates - huh?
Hi,

One question about SSL and shared hosting plans. My host shows a shared SSL with MySQL databases, but I don't know how to test this kind of connection. Any idea or experience?

Salut, Josep
Https, sslVerification, certificates - huh?
Attention web gurus,

I'm probably going about it all wrong but I'm still struggling to retrieve data from a series of secure (https) websites. Each of these sites requires a username and password and I can post these along with the url and am able to retrieve the expected result but ONLY if I set libURLSetSSLVerification to false. If I don't do this I get nothing back from the url - a blank result.

While setting libURLSetSSLVerification to false gets things moving I suppose? that doing so means the transaction isn't really secure?? I've tried setting the sslCertificates (by first loading the sites in Firefox and exporting the certificates) but that doesn't seem to work.

I'm moving well past my comfort zone with this stuff and am close to admitting defeat - but I really need to get this stuff working for a major edu project I'm working on.

Rev 4.5 - OSX 10.6

Any tips or ideas?

Terry...

--
Dr Terry Judd | Senior Lecturer in Medical Education
Medical Education Unit
Melbourne Medical School
The University of Melbourne
Re: Https, sslVerification, certificates - huh?
I don't think that's the problem. I know at least one of the sites has a session cookie but that doesn't seem to be involved in the initial authentication. One of the sites definitely doesn't use any cookies and I have the same problems even if I only try to connect to this site.

Terry...

On 25/10/10 7:42 PM, Jim Sims s...@ezpzapps.com wrote:
> Maybe there is a cookie involved somewhere?
Re: Https, sslVerification, certificates - huh?
Maybe there is a cookie involved somewhere?

sims
Re: Https, sslVerification, certificates - huh?
Have you tried a web monitoring tool? So you can watch the traffic back and forth? I use Charles on OS X.

sims
Re: Https, sslVerification, certificates - huh?
Terry,

There are two different things happening here. One is SSL encryption, which protects the communication between your machine and the remote machine; the other is user authentication, which protects the other machine from unauthorized access.

For LiveCode to trust/accept an SSL certificate as verified, it must be issued by some certificate authority (CA) that is known. Most operating systems come with a list of known CAs or something similar, sorry for my lack of proper terminology but I can't recall the name of that file. If you try to establish a connection to a secure server and the certificate provided by that server is not from a known CA due to one of the possible facts:

* that the CA file is outdated or not found
* the remote guys used some CA that is not common and not on most CA files
* the remote guys are using a self-signed certificate, meaning they are acting like their own authority.

This will trigger an error on the SSL library, not an untrusted connection or encryption error but a CA verification error. The connection still works and is secure but the certificate can't be verified. Basically it is an error of the type "we don't know who issued this damn thing so we're screaming". You're still protected in terms of a technical standpoint. Checking out the error spilled by libURL might help you understand what is actually happening, such as is it self-signed, is it expired... but the SSL connection will still hold.

When you use set libURLSetVerification to False you're just bypassing this verification step and jumping to the actual business of "hey machine, just encrypt this damn connection will you!".

The authentication side happens on another layer. After the secure connection is established, and that is TCP/IP juggling bytes like those street magicians, you will face the HTTP Authentication layer, which is like that really big bouncer at the front door of that club you want to enter. If you passed the magician with the really entangled bytes, then you need to present your credentials to the bouncer or you will not be allowed in.

Different things on the same street, but you need to pass from one to the other to arrive at your desired destination.

Hope this helps

andre "Question the Certificate Authority!!!" garzia
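An added example, not part of the original thread: it reproduces two of the failure causes listed above (a CA missing from the local CA file, and a self-signed certificate) with locally generated certificates, reads the verify error number OpenSSL reports for each, and shows verification passing with checking left on once the correct certificate is supplied as a trust anchor. It assumes the `openssl` command-line tool is installed; all subject names and file names are constructed for the demo.

```shell
# Constructed demo: every key and certificate below is generated locally.
WORK=$(mktemp -d)

new_self_signed() {  # $1 = file stem, $2 = subject CN (hypothetical names)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

new_leaf() {         # $1 = file stem, $2 = subject CN, $3 = stem of issuing CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -days 30 -CA "$WORK/$3.pem" \
    -CAkey "$WORK/$3.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Verify cert $1 against the default trust store plus optional anchor $2.
# Prints "ok", or the X.509 verify error number reported by OpenSSL:
#   18 = self-signed leaf that is not trusted
#   20 = issuer certificate not found among the trusted CAs
verify_code() {
  out=$(openssl verify ${2:+-CAfile "$WORK/$2.pem"} "$WORK/$1.pem" 2>&1) || true
  code=$(printf '%s\n' "$out" |
    sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -n "$code" ]; then
    echo "$code"
  else
    case $out in *": OK"*) echo ok ;; *) echo unknown ;; esac
  fi
}

new_self_signed ca   "Demo Private CA"     # a CA missing from the system CA file
new_leaf        site "site.example" ca     # server certificate issued by that CA
new_self_signed self "selfsigned.example"  # server acting as its own authority

echo "CA-issued cert, CA not trusted locally: $(verify_code site)"
echo "CA-issued cert, CA file supplied:       $(verify_code site ca)"
echo "self-signed cert, not trusted:          $(verify_code self)"
echo "self-signed cert supplied as anchor:    $(verify_code self self)"
echo "CA-issued cert, wrong anchor supplied:  $(verify_code site self)"
```

The last case shows why an exported certificate may not help: supplying a certificate that is not the issuer of the server's certificate leaves the chain unverified.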
Re: Https, sslVerification, certificates - huh?
Thanks Andre - that gives me some confidence that proceeding without the certificates is OK (i.e. the data is still encrypted) because really all I'm concerned about is that the username and password data I send to each of the sites isn't visible to snoopers.

Having said that I'm still confused about the whole certificates thing. LiveCode 4.5 is supposed to automatically find the root certificates you have installed on your system and start using them but this doesn't appear to happen? even though the example in the release note (fetching https://google.com) seems to work. I guess the ideal situation would be for LC to behave more like Firefox, which seems to (without fail and quite transparently) detect when a certificate is required/on offer and gives you the option of putting it into use.

Best regards,

Terry...