kramttocs / subgadget

Automatically exported from code.google.com/p/subgadget

HTTPS Invalid Certificates #5

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The gadget won't accept HTTPS urls if the certificate isn't valid

Original issue reported on code.google.com by scotttm...@gmail.com on 14 Apr 2011 at 2:34

GoogleCodeExporter commented 9 years ago
It would be great if you could fix this for v 3.1 Beta 3.

I can't use the Gadget until you enable SSL support for "invalid" certificates.
It's not really an invalid one, but it's the default certificate from Subsonic.

I've done this in some of my .NET applications too..

[C#]
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// register callback method for SSL validation event
ServicePointManager.ServerCertificateValidationCallback += RemoteCertificateValidationHandler;

// this event handler will be called when SSL certificate is verified
private static bool RemoteCertificateValidationHandler(object sender,
    X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
    return true; //ignore the checks and go ahead
}

Original comment by paul.wal...@gmail.com on 21 Sep 2011 at 6:49

GoogleCodeExporter commented 9 years ago
or maybe this one..

ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

or this one..

ServicePointManager.ServerCertificateValidationCallback = (sender, certificate, chain, sslPolicyErrors) => { return true; };

Original comment by paul.wal...@gmail.com on 21 Sep 2011 at 6:53
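
The handlers above return true for every certificate, so any server that can intercept the connection is accepted. As an added example (not code from this thread or from SubGadget), the same callback can instead accept one known self-signed certificate by pinning its SHA-256 fingerprint. The class name, the helper names and the throwaway certificates are assumptions made for illustration, and `CertificateRequest` assumes .NET Framework 4.7.2 or later.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PinnedCertificateValidation
{
    // Assumption: SHA-256 of the server's DER certificate, recorded out of band. Zero placeholder.
    static byte[] PinnedSha256 = new byte[32];

    // Same signature as the handler in the thread, but policy errors are
    // tolerated only for the single certificate that was pinned.
    public static bool Validate(object sender, X509Certificate certificate,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;  // chain and name already valid
        if (certificate == null) return false;            // server sent no certificate
        return Fingerprint(certificate).SequenceEqual(PinnedSha256);
    }

    static byte[] Fingerprint(X509Certificate certificate)
    {
        using (var sha = SHA256.Create())
            return sha.ComputeHash(certificate.GetRawCertData());
    }

    // Constructed sample input: a throwaway self-signed certificate.
    static X509Certificate2 MakeSelfSigned(string subject, RSA key)
    {
        var request = new CertificateRequest(subject, key,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        return request.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1));
    }
    static void Main()
    {
        using (var key = RSA.Create(2048))
        using (var pinned = MakeSelfSigned("CN=constructed-pinned", key))
        using (var other = MakeSelfSigned("CN=constructed-other", key))
        {
            PinnedSha256 = Fingerprint(pinned);
            var errors = SslPolicyErrors.RemoteCertificateChainErrors;
            Console.WriteLine("pinned certificate accepted: " + Validate(null, pinned, null, errors));
            Console.WriteLine("other certificate accepted:  " + Validate(null, other, null, errors));
            ServicePointManager.ServerCertificateValidationCallback = Validate;
        }
    }
}
```

With the placeholder left at all zeros the callback rejects every certificate that fails normal validation, so a forgotten pin fails closed.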

GoogleCodeExporter commented 9 years ago
Hey Paul,
Yeah I've accomplished this in several of the C# apps I've written as well 
(code similar to your second one is my preferred method) and have spent a lot 
of time trying to work out a solution for the gadget. I get exactly what you 
are saying with it being the default SS cert, but it all comes down to the fact 
that it is an invalid ssl certificate. The xmlhttprequest object doesn't allow 
exceptions (and trust me, I have tried countless scenarios :)) so short of 
getting a valid cert I have yet to find a solution. I will be more than happy 
to try any ideas you might have that I haven't researched already though. IIRC 
there was a post on the forum about a way to self sign a certificate to replace 
the invalid default one that might prove of interest.

Original comment by scotttm...@gmail.com on 22 Sep 2011 at 2:31

GoogleCodeExporter commented 9 years ago
Ok. I thought it would have been handled the same way.

Thank you for your effort on the gadget.

regards

Original comment by paul.wal...@gmail.com on 22 Sep 2011 at 6:00

GoogleCodeExporter commented 9 years ago
I think the subsonic default certificate is a self-signed certificate too and 
it wouldn't change anything if I generate a new self-signed certificate myself?

It will only work if the certificate is signed by a public Certification 
Authority (CA)?

I can create a free public certificate from a public CA for free but have to 
fill out all my personal details.

I think it's better to find a way for a fall-back solution in case the 
certificate isn't valid.

Do you know how Sindre has done this for the Android App? Because first the App 
didn't work over SSL and he has fixed it after an Update.

Original comment by paul.wal...@gmail.com on 22 Sep 2011 at 7:50

GoogleCodeExporter commented 9 years ago
With a 2min search in Google I found this:

http://www.techques.com/question/1-4490723/Javascript-XMLHttpRequest:-Ignore-invalid-SSL-Certificate

Could you please try the solution suggested on this page and let me know if it 
would work in your app? Would be great :)

Original comment by paul.wal...@gmail.com on 23 Sep 2011 at 2:37

GoogleCodeExporter commented 9 years ago
bump

Original comment by paul.wal...@gmail.com on 27 Sep 2011 at 5:46

GoogleCodeExporter commented 9 years ago
No need to bump, I get emails when changes are made to these. :)
I appreciate the input and no offense but like I said, I spent a lot of time 
working on this when I first started the gadget so trust me, if you can find it 
with just a quick google, I've already tried it. lol A few months ago I spent a 
lot of time looking at the suggestion you provided the link for and while it 
had some promise, it didn't work well with the gadget. But if I get a chance, I 
will revisit it. When I do I will let you know. Thanks

Original comment by scotttm...@gmail.com on 30 Sep 2011 at 2:27

GoogleCodeExporter commented 9 years ago
still useless..

Original comment by paul.wal...@gmail.com on 20 Jan 2012 at 3:10

GoogleCodeExporter commented 9 years ago
still useless..

Original comment by paul.wal...@gmail.com on 2 Feb 2012 at 7:57

GoogleCodeExporter commented 9 years ago
The best advice I have for you is to either get a valid certificate or look for 
another free piece of software to work with your invalid certificate.

Original comment by scotttm...@gmail.com on 2 Feb 2012 at 3:05

GoogleCodeExporter commented 9 years ago
If you run your own certificate authority (like me), and you've created a 
certificate for subversion to use, you have to (obviously) trust your own 
root-authority certificate, so the software finds your certificate valid. Next 
to that, you also need to make sure that you fill in a Certificate Revocation 
List (CRL) entry for your subversion certificate, and that this CRL-url is 
actually reachable! The reason behind this is that OpenSSL tries to check the 
CRL, and if it couldn't be contacted, the certificate is claimed to be invalid 
(while it in fact is valid, but its revocation couldn't be checked).
This solved the subgadget problem for me.

Original comment by h...@expaso.nl on 2 Feb 2012 at 4:03

GoogleCodeExporter commented 9 years ago
Hans,
Thanks a lot for that information! I really appreciate it and hopefully it will 
help Paul out.

Original comment by scotttm...@gmail.com on 2 Feb 2012 at 4:17

GoogleCodeExporter commented 9 years ago
Nice if you run your own CA but obviously I can't set this up for all my friends 
and all their computers or mobile devices. It's not a 2 computer scenario at 
home.

The certificate is already set by the developer of Subsonic and if I wanted to 
change the certificate I can directly generate a valid and free one from a 
provider. I can't see the use of setting a new one only because of SubGadget is 
not able to handle this.

Well as soon as we will have an HTML5 player we won't need Gadgets like 
SubGadget anymore.

Original comment by paul.wal...@gmail.com on 27 Feb 2012 at 3:20