HTTPS and Root.pem...

Andre Garzia soapdog at mac.com
Sun Jun 5 21:30:04 EDT 2005


On Jun 5, 2005, at 10:19 PM, Dar Scott wrote:

> I wonder if what you are seeing is not your error, but the server's  
> error.  The server might be expecting a certificate from the client.   
> That would be reasonable in a situation like yours where you are using  
> post.  However, I don't think Revolution can supply a certificate to a  
> server, yet.  I don't know how to specify it if the ability is there.   
> That is, maybe the server wants to know you are who you say you are,  
> too.
>
> That is, it looks like a problem in the local lookup, but "local" to  
> whom?
>
> Maybe you can sneak up on this.  Try getting a simple https page from  
> a popular server.  Then try getting a page from the server in  
> question.  If that fails, try it with a web browser; maybe the server  
> has a bad cert.  Try a post with some other tool.  Maybe then you have  
> learned what you need to do the post.
>
> I hope you get this solved before RevCon.  I can then pass all the  
> hard SSL questions on to you!
>
> Dar

Dar,

I began to wonder the same thing also, but I discovered that it's not a  
server error message, it is actually an openssl error message. Trying to  
connect to the secure server using the openssl command line tool yielded the  
following response (quoted from a much bigger output):

---
No client certificate CA names sent
---
SSL handshake has read 2202 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: DCB5B184CA7F0BC6D5D005543789AC455B27C951ED28322D5B5126292F1964B8
     Session-ID-ctx:
     Master-Key: 4CB07308E672F65381DDABF8F4386DED97CC1482C3E8A25BE362157D01B1806395F07107697074B96D87316E937F3F59
     Key-Arg   : None
     Start Time: 1118014043
     Timeout   : 300 (sec)
     Verify return code: 20 (unable to get local issuer certificate)
---


The server connects and I am able to use HTTP commands to it. It  
appears that while the openssl command line tool doesn't think that this  
error is a show stopper, Rev on the other hand will refuse to go  
forward. I checked bugzilla and saw that there was a thread that  
apparently asked for this behaviour, saying that if the cert cannot be  
verified, Rev should stop. I'd like to go like the open secure socket  
command, where I can simply choose to ignore verification.

It will be a long night trying to solve this...

thanks
andre






-- 
Andre Alves Garzia ð 2004
Soap Dog Studios - BRAZIL
http://studio.soapdog.org


