Using VW 7.3.1, I'm trying to connect to an internal SSL web page using this code:

| httpClient request response |
httpClient := HttpsClient new.
request := HttpRequest get: 'https://192.168.104.237:91'.
response := httpClient executeRequest: request.
response statusLine

But I get a 'Subject failed validation' error. Looking into Security.SSLSession>>validateCertificateChain:for: I see this:

subjectValidator value: aCertificateChain first subject asDictionary

but when I debug through this, it compares the IP string against an Asn1Struct_AttributeTypeAndValue, which of course fails ('192.168.104.237' = Asn1Struct_AttributeTypeAndValue). This happens in Net.HttpsStreamHandler>>validationBlock. I suspect I'm missing a key point here since the code above works fine for non-SSL and changing to HttpClient.

What am I doing wrong?

Thanks in advance for any assistance.

Bob Tucker
IntercontinentalExchange | ICE

This message may contain confidential information and is intended for specific recipients unless explicitly noted otherwise. If you have reason to believe you are not an intended recipient of this message, please delete it and notify the sender. This message may not represent the opinion of IntercontinentalExchange, Inc. (ICE), its subsidiaries or affiliates, and does not constitute a contract or guarantee. Unencrypted electronic mail is not secure and the recipient of this message is expected to provide safeguards from viruses and pursue alternate means of communication where privacy or a binding message is desired.
Bob,

Not sure how much this has changed since 7.3.1, but I have the following override in 7.5 to support wildcard certs, so this might be helpful to you as well since you can override the validation block any which way you like even if there is a bug in the underlying codebase:

HttpClient>>executeRequestDo: aBlock
    | streamx |
    self protocol = 'https' ifTrue: [self validationBlock: [:dnd | dnd CN match: self hostName]].
    streamx := self privateExecuteRequest.
    aBlock ifNotNil: [aBlock value: streamx]

Cheers,
-Boris

--
+1.604.689.0322
DeepCove Labs Ltd.
4th floor 595 Howe Street
Vancouver, Canada V6C 2T5
http://tinyurl.com/r7uw4
[hidden email]

CONFIDENTIALITY NOTICE
This email is intended only for the persons named in the message header. Unless otherwise indicated, it contains information that is private and confidential. If you have received it in error, please notify the sender and delete the entire message including any attachments. Thank you.

> -----Original Message-----
> From: Bob Tucker [mailto:[hidden email]]
> Sent: Wednesday, August 22, 2007 9:23 AM
> To: VW NC
> Subject: Help on SSL
It must be different enough since dnd at: 'CN' is a dictionary in 7.3.1 and must be a string in 7.5 in order to understand match:. I also can't find the host name anywhere in the 'CN' dictionary. So I can't figure out what the original intent was. Does anyone know if this original code is incorrect?
The task of the validationBlock is to look at the certificate that the HTTPS server presents and make sure that it matches the server that we're trying to connect to. Sort of like checking one's ID to make sure they are who they say they are. The block gets the server "name" from the certificate as an argument to work with.

The default block that you get out of the box is fairly simple: it compares the hostname from the URL you're trying to reach with the 'CN' attribute in the name from the certificate. That's actually the same sort of check that web browsers do. I suspect if you type the same URL into a web browser you get a similar kind of warning, because in general people don't put IP addresses into certificate names; they use DNS hostnames instead.

So you'll probably need to write your own validation block and set it on the client before executing the request (HttpClient>>validationBlock:). Note that the "name" is a fairly complex structure; just play with it a bit and figure out what would be a good check of the server name.

Alternatively you can just resume the exception and the handshake will proceed. However, in that case you're skipping a very important security check.

HTH,
Martin
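The check that both Boris's wildcard override and Martin's description of the default validation block revolve around, written here as an added Python example rather than against the VisualWorks API (not code from the original thread): a hostname-vs-certificate-name matcher that honours a wildcard only as the whole leftmost label, requires an IP literal such as 192.168.104.237 to be present as a SAN iPAddress entry instead of in the CN, and, for contrast, shows how a plain glob match in the style of match: accepts more than it should. All function names and certificate values are constructed.

```python
"""Hostname-vs-certificate-name check modelled on what an HTTPS client's
validation block must decide (constructed example, not VisualWorks code)."""
import fnmatch
import ipaddress


def _normalize(name):
    # DNS names are case-insensitive and a trailing dot names the same host.
    return name.strip().rstrip(".").lower()


def _dns_name_matches(pattern, host):
    """Match one certificate DNS name against the dialled host. A wildcard is
    honoured only as the entire leftmost label of a pattern with at least two
    fixed labels, and it matches exactly one label."""
    pattern, host = _normalize(pattern), _normalize(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # 'f*o.example.com', '*.com' and a bare '*' never match
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def host_is_named_by_cert(host, cn=None, san_dns=(), san_ip=()):
    """True if the certificate names the host we connected to.
    An IP literal must appear as a SAN iPAddress entry; the CN is not consulted,
    which is why a certificate issued to a DNS name fails for an https://IP URL.
    A DNS host is checked against SAN dNSName entries, falling back to the CN
    only when the certificate carries no SAN DNS names at all."""
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        addr = None
    if addr is not None:
        return any(addr == ipaddress.ip_address(ip) for ip in san_ip)
    candidates = list(san_dns) if san_dns else ([cn] if cn else [])
    return any(_dns_name_matches(name, host) for name in candidates)


def naive_glob_matches(cn, host):
    """What a plain glob match (like Smalltalk's match:) accepts: '*' spans label
    boundaries, so '*.example.com' also matches 'a.b.example.com' and a bare
    '*' matches every host."""
    return fnmatch.fnmatchcase(_normalize(host), _normalize(cn))
```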