Livecode and "Extended Validation" SSL certificates
bruceap at comcast.net
Sat Jul 11 03:26:27 CEST 2015
I market a desktop app for Mac and Windows that uses https queries to obtain information from the European Patent Office’s “Open Patent Services” system. Those queries are generally to obtain information about European patents. The EPO likes to have regular users of the OPS system register with them, and doing so gets you 2.5 Gb/week of free bandwidth. My app uses the registration credentials that the EPO provides a user to obtain an access token that it then sends with each query. The access token is good for about 20 minutes, after which the app requests a new one. Follow me so far?
Recently, the app's requests for the access token kept resulting in an error message. I tried a lot of different work-arounds. Nothing helped.
I finally posted my problem to an EPO forum for OPS users, and included the error message which at the time made no sense to me. From the response I received from OPS support, they had recently changed from conventional SSL certificates to new “Extended Validation” SSL certificates. Could there be something about the Livecode implementation of https that is not compatible with these EV certificates? Does that make sense? Here is the error message:
error -Error with certificate at depth: 1 issuer = /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign subject = /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Extended Validation CA - SHA256 - G2 err 7:certificate signature failure
Once I knew this to be related to SSL, I added “libURLSetSSLVerification false” to the scripts. No more errors and the app receives the access token without any problem. However, I felt it might be useful to put this issue in front of this knowledgeable group as both a warning and as a seed for discussion. Why did Livecode work fine with the old SSL certificates, but does not with the EV certificates?
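The error line quoted in the message can be split into its fields to see which certificate in the chain was rejected and for what reason. This is an added example, not code from the original post or from LiveCode; it assumes the number after `err` is an OpenSSL verify result code (the text "certificate signature failure" matches OpenSSL's wording for code 7), and the function names are hypothetical.

```python
import re

# Subset of OpenSSL X509_V_ERR_* verify result codes (numeric values as in x509_vfy.h).
VERIFY_CODES = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}

# Matches: "... depth: N issuer = /DN subject = /DN err N:text"
LINE_RE = re.compile(
    r"depth:\s*(?P<depth>\d+)\s+issuer\s*=\s*(?P<issuer>/.*?)\s+"
    r"subject\s*=\s*(?P<subject>/.*?)\s+err\s+(?P<code>\d+):(?P<text>.*)$"
)

def parse_dn(dn):
    """Split a one-line '/K=V/K=V' distinguished name into (key, value) pairs."""
    return [tuple(p.split("=", 1)) for p in re.split(r"/(?=[A-Za-z]+=)", dn) if p]

def parse_verify_error(line):
    """Return the fields of a chain-verification error line, or None if it does not match."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    depth, code = int(m["depth"]), int(m["code"])
    return {
        "depth": depth,
        # Depth 0 is the server's own certificate; depth 1 and up are CAs above it.
        "position": "server certificate" if depth == 0 else "CA certificate in chain",
        "issuer": parse_dn(m["issuer"]),
        "subject": parse_dn(m["subject"]),
        "code": code,
        "symbol": VERIFY_CODES.get(code, "UNKNOWN"),
        "text": m["text"].strip(),
    }

# Error line copied from the message above.
SAMPLE = ("error -Error with certificate at depth: 1 issuer = /OU=GlobalSign Root CA - R2"
          "/O=GlobalSign/CN=GlobalSign subject = /C=BE/O=GlobalSign nv-sa"
          "/CN=GlobalSign Extended Validation CA - SHA256 - G2 "
          "err 7:certificate signature failure")

if __name__ == "__main__":
    for key, value in parse_verify_error(SAMPLE).items():
        print(f"{key}: {value}")
```

For the quoted line, the rejected certificate is the intermediate CA at depth 1, not the server's own certificate at depth 0.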