Re: HTTP Client Module - certificates ... from Hans-Juergen Rennau on 2015-02-25 (public-expath@w3.org from February 2015)

From: Hans-Juergen Rennau <hrennau@yahoo.de>
Date: Wed, 25 Feb 2015 09:27:12 +0000 (UTC)
To: Adam Retter <adam@exist-db.org>
Cc: EXPath <public-expath@w3.org>, "christian.gruen@gmail.com" <christian.gruen@gmail.com>
Message-ID: <1725106409.11271676.1424856432276.JavaMail.yahoo@mail.yahoo.com>

I thought control over whether certificates are considered is important for securiy reasons, but I may be wrong. So you think it would be acceptable to implement the spec in a way that simply ignores the certificates, à la JMeter?
 

     Adam Retter <adam@exist-db.org> schrieb am 10:19 Mittwoch, 25.Februar 2015:
   

 Hmmm... This rather seems like an implementation issue rather than a
spec issue to me. From what I remember it is possible to fix this in
the Java reference implementation without needing to change the spec.
What would be the benefit of adding such an option to the spec (and
that is assuming that you could control this in all implementation
libraries at all)?

On 24 February 2015 at 21:28, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
> Hello,
>
> the HTTP Client Module ( http://expath.org/spec/http-client ) seems to me a
> very important initiative, as it broadens the scope of what can be achieved
> with self-contained XQuery programs significantly. Think of all the
> environments in which web services play a dominant role - there we can offer
> XQuery-based, lightweight tools performing various useful tasks, taking
> advantage of the incomparable ease of constructing, navigating and
> transforming XML.
>
> Recently I came across what appears to me a serious limitation of the
> module, which might be removed in a very simple way: presently, https
> connections to services with self-signed certificates are not possible, and
> we bump into messages like this:
>
> [experr:HC0001] java.security.cert.CertificateException: No subject
> alternative names matching IP address 12.34.56.789 found
>
> But self-signed certificates are very common! JMeter, the Apache framework
> for service testing, is not shy (
> http://jmeter.apache.org/usermanual/get-started.html ):
>
> " JMeter HTTP samplers are configured to accept all certificates, whether
> trusted or not, regardless of validity periods, etc. This is to allow the
> maximum flexibility in testing servers."
>
> My proposal: can we add to the http:send-request function a feature enabling
> acceptance of self-signed certificates? It might be a "ignore-certificate"
> function parameter, or a further attribute on the http:request element.
>
> Kind regards,
> Hans-Juergen
>
>
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
adam@exist-db.org
irc://irc.freenode.net/existdb

Received on Wednesday, 25 February 2015 09:27:48 UTC