Make https links to ECV work

[ocrasborn]

Now that Signbank runs over https, the ECV links to ngt.ecv stopped working. Simply changing the http to https in the EAF link doesn't solve the issue. Does ELAN need to be told to also receive data over https?

[Woseseltops]

Let me know if we temporarily need to change back to HTTP until @vanlummelhuizen is back from holiday!

[ocrasborn]

If he isn't back next week, then yes, please.

[henrinie]

Hi @ocrasborn and @Woseseltops ELAN doesn't work with HTTPS. See this issue for information: https://github.com/vanlummelhuizen/ASL-ELAN/issues/9

[ocrasborn]

Ah thanks @henrinie , I hadn't gotten to that discussion yet!

[vanlummelhuizen]

I have dug into this problem a I am sorry to say I have not found a solution yet. The odd things is that ELAN+https works if I start it from Eclipse (programming environment), but not from the regular installation. Both use Java 7 which should be OK. Note that Java 6 is not for the HTTPS certificate of signbank.science.ru.nl. Check for yourself on https://www.ssllabs.com/ssltest/analyze.html?d=signbank.science.ru.nl

I asked Han Sloetjes about this, but he was also not able to solve it. So, for now please let the ECV be reachable over HTTP.

[Woseseltops]

For now, the ECV is reachable over HTTP (as the only exception).

[vanlummelhuizen]

@henrinie @ocrasborn Some thoughts and things I discovered:

In Linux the problems seem to be caused by the java.ext.dirs argument in the ELAN_x.x.x.lax file. The default ext dir is not used, while if you would include both, there is no problem. Perhaps the InstallAnywhere script should be changed for this, or there might be another solution. I will discuss this with Han Sloetjes of the MPI.

For other platforms, an old version (6 or lower) of java might be the cause. A quick test on a virtual Windows 7 showed that ELAN+Java7 had no problem with signbank.science.ru.nl ECV. Perhaps this can also be tested on a Mac. Volunteers?

[henrinie]

Thanks for keeping me updated. Hopefully you can fix these issues for linux. I suppose that none of our users use linux (I might be wrong though), but I need linux for the development work, and being able to test with ELAN is quite important. Our userbase is mainly windows and mac based.

It would be interesting to hear if someone else has gotten this working on windows aswell, and what is the situation with Mac's too.

[vanlummelhuizen]

@henrinie Since my last comment about this issue, I attempted to solve this on quite a few occasions. Unfortunately I did not succeed. In the end we decided to go for a (not so beautiful, imho) workaround. You can read about it on https://github.com/Signbank/NGT-signbank/wiki/Developer-guide#https-and-java-16-

[henrinie]

@vanlummelhuizen Do you know whether some of the latest versions of ELAN fully support HTTPS now?

[vanlummelhuizen]

@henrinie Well, ELAN support HTTPS, but at least on Mac OSX not the latest versions of HTTPS since ELAN still uses Java 1.6 there. The workaround we still have in place is the downgrading of HTTPS.

Perhaps using a more recent 'cacert' file in your Java installation might help. I am saying this because @ocrasborn did something like that to solve a problem, but I kinda lost track of all permutations of server and client settings that worked or did not work.

A final remark: the main developer of ELAN has been notified of the struggles we had making this work. We probably will continue to do so. Hopefully, soon it will trigger him to upgrade the code for a recent the Java version (he needs to trigger his boss to give him time to do it, I guess).

[ocrasborn]

To add to Micha's comment: the Java 1.6 requirement was a longer-standing issue. One of the more recent MacOS updates (or probably, the Java 1.6 installation available for it) contains an alias to the cacerts file which no longer exists in that location. The solution is to replace the alias for the actual cacerts file from Java 1.6 on an older system (we can email it to you), in /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/ (We weren't able to put the cacerts file in the location that the alias points to, somewhere in /System/ I think.)

[henrinie]

@vanlummelhuizen @ocrasborn Thanks for the info. What a mess! Seems like java 6 does not come with the latest TLS libraries used for HTTPS. Lets hope that ELAN could ship with a newer version of java at some point. For now, we'll just serve the ECV's via HTTP. I don't find any reason to start using less secure HTTPS connections just because of ELAN.