override HTTPS certificate failure
Monte Goulding
monte at appisle.net
Tue Oct 25 15:36:41 EDT 2016
> On 26 Oct. 2016, at 3:25 am, Trevor DeVore <lists at mangomultimedia.com> wrote:
>
> I’m working on a libURL addition that will allow you to specify hosts that
> should bypass SSL verification without turning it off completely. That way
> you let the user know a certificate wasn’t verified but allow them to
> override it. Here are the changes I’ve made on one of my branches:
>
> https://github.com/trevordevore/livecode/commit/6a5bc42abebca23e6b8aa611c8f0966b221441c6 <https://github.com/trevordevore/livecode/commit/6a5bc42abebca23e6b8aa611c8f0966b221441c6>
>
> I still have to put together a test and file an enhancement request for it
> before I can submit it though.
That is excellent! I really wish we could kill the global libURLSetSSLVerification with fire!
One thing I might as well say now as I’ll say it in review anyway is it would be better to set individual hosts rather than the entire list in one hit to reduce the risk of different user code clobbering each other. It will also be simpler to use:
- get url
- verification failure
- ask user if they want to trust the host anyway
- turn off verification for that host
Cheers
Monte
More information about the use-livecode
mailing list