accessing https URLS with basic authentification

Ben Rubinstein benr at cogapp.com
Mon May 11 12:05:28 EDT 2009


On 8/5/09 12:42, Paul Williams wrote:
> Don't forget only Rev Enterprise supports https.

On 8/5/09 12:24, Bernard Devlin wrote:
 > Basic Auth should still work with https.
 >
 > I think the problem might be to do with the verification of the SSL
 > certificate.  Try running this before you make your https URL call:
 >
 > libUrlSetSSLVerification false

Thanks both for your replies.  I am using Enterprise, and can retrieve https 
from a site not requiring basic auth fine.

I've tried Bernard's suggestion of libUrlSetSSLVerification (btw I notice that 
there's no documentation for this command - Bernard can I ask where you found 
out about it?) - however the setting of this seems to make no difference.

As noted, curl is fine (as is Firefox).

Normally in this sort of situation, I can watch the network traffic to pin 
down the difference between the exchange that works and the (Rev) exchange 
that doesn't - but in this case it's a load of encrypted stuff!  All I can see 
is the pattern of blocks, as below - but as I don't know anything about the 
https protocol, I don't understand its significance, if any.  Does it indicate 
that Rev has missed out a step?  Or that Rev has in somehow encoded the 
authorisation in a way that the server doesn't like, hence the final block in 
the conversation with Rev is an 'unauthorised, please go away', while the 
conversation with curl starts to deliver the actual data?

             Rev                         curl
             ---                         ----
             client:  0 bytes            client:  0 bytes
             server:  0 bytes            server:  0 bytes
             client:  0 bytes            client:  0 bytes
             client:  118 bytes          client:  102 bytes

             server:  0 bytes            server:  0 bytes
             server:  1368 bytes         server:  1368 bytes
             server:  1368 bytes         server:  1368 bytes

             client:  0 bytes            client:  0 bytes
             server:  1368 bytes         server:  1368 bytes
             client:  0 bytes            server:  935 bytes
             server:  935 bytes          client:  0 bytes
             client:  0 bytes

             client:  198 bytes          client:  198 bytes
             server:  59 bytes           server:  59 bytes
             client:  0 bytes            client:  0 bytes

             client:  218 bytes          client:  277 bytes
             server:  0 bytes            client:  277 bytes
             server:  554 bytes          server:  0 bytes
             client:  0 bytes            server:  1368 bytes
                                         server:  1368 bytes
                                         server:  10 bytes
                                         client:  0 bytes
                                         client:  0 bytes
                                         client:  37 bytes
                                         client:  0 bytes
                                         server:  0 bytes
                                         server:  37 bytes
                                         client:  0 bytes
                                         server:  0 bytes
                                         client:  0 bytes
                                         server:  0 bytes
                                         client:  0 bytes


I also no longer seem to be able to step into libURL code in the debugger - is 
this something we lost in the 3.0 rollout?

Any further suggestions gratefully received...

Ben

>> On Fri, May 8, 2009 at 12:43 AM, Ben Rubinstein <benr_mc at cogapp.com>
>> wrote:
>>> I can load an "https" URL fine.
>>>
>>> I can load an "http" URL protected using 'basic' authentification,
>> using
>>> either the "http://user:password@www.somewhere.com/" format, or by
>> using the
>>> HTTPHeaders property to explicitly add an "Authorization: Basic
>> xxx" header.
>>> But I can't load an "https" URL that's protected using basic
>>> authentification, using either of the methods described above.
>>>
>>> Is this a known problem?  Can anyone else either reproduce this
>> problem, or
>>> alternatively confirm that they _can_ load such a URL?
>>>
>>> (NB1 this is on Mac OS X, Rev 3.0 and 3.5.)
>>>
>>> (NB2 I can retrieve the URL fine using "curl" in the terminal -
>> and in fact
>>> for now I'm working around the problem by using shell() to invoke
>> curl.  But
>>> I really want to handle URLs of this form in the same way I'm
>> handling other
>>> http URLs in my app, which give me more control.)
>>>
>>> Any insights gratefully received,
>>>
>>> TIA
>>>
>>> Ben





More information about the use-livecode mailing list