override HTTPS certificate failure

Trevor DeVore lists at mangomultimedia.com
Tue Oct 25 20:24:54 EDT 2016 

On Tue, Oct 25, 2016 at 2:36 PM, Monte Goulding <monte at appisle.net> wrote:

>
> > On 26 Oct. 2016, at 3:25 am, Trevor DeVore <lists at mangomultimedia.com>
> wrote:
> >
> > https://github.com/trevordevore/livecode/commit/
> 6a5bc42abebca23e6b8aa611c8f0966b221441c6 <https://github.com/
> trevordevore/livecode/commit/6a5bc42abebca23e6b8aa611c8f0966b221441c6>
> >
>
> One thing I might as well say now as I’ll say it in review anyway is it
> would be better to set individual hosts rather than the entire list in one
> hit to reduce the risk of different user code clobbering each other.


The intended use of libURLGetServersThatBypassCertificateVerification and
libURLSetServersThatBypassCertificateVerification is for getting servers to
store with your app prefs and for restoring the saved settings when your
app starts up. I still need to add a handler that adds to the list.


> It will also be simpler to use:
>
> - get url
> - verification failure
> - ask user if they want to trust the host anyway
> - turn off verification for that host
>

In my original implementation in my custom version of libURL I set up a
repeat loop around the code that fetches data from the server. My libURL
 library allows you to define a callback that would be called if an SSL
cert error occurred. I would display a dialog that looks similar to the one
you see in Safari and let the user decide. The logic looks like this:

repeat
   get url
   no errors? exit repeat
   did an ssl error occur?
      is a callback defined?
         send the callback
            did user say bypass? add to list of servers that ignore
verification and try again in next repeat loop
            did user say cancel? exit repeat
end repeat

It got the job done for what I needed. I am a little hesitant to add it in
to libURL as I’m not entirely sure of the implications of the repeat loop.
I was going to start with adding the ability to get/set the servers and add
a server to the list. That way a developer could check the result
themselves and prompt the user.

Ideally it would all happen from within libURL though. I’m not sure I have
the time to think through all of the implications and do the testing
necessary to submit the change to libURL.

Thoughts?

-- 
Trevor DeVore
ScreenSteps
www.screensteps.com    -    www.clarify-it.com

More information about the use-livecode mailing list