- From: Adam Retter <adam@exist-db.org>
- Date: Wed, 25 Feb 2015 09:29:31 +0000
- To: Hans-Juergen Rennau <hrennau@yahoo.de>
- Cc: EXPath <public-expath@w3.org>, "christian.gruen@gmail.com" <christian.gruen@gmail.com>
I think you could go either way ;-) I was really just suggesting that
it needs to be given consideration. If you want control over
certificates in the spec, then I think ignore-certificates is just one
of several options you would need to consider adding.
On 25 February 2015 at 09:27, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
> I thought control over whether certificates are considered is important for
> securiy reasons, but I may be wrong. So you think it would be acceptable to
> implement the spec in a way that simply ignores the certificates, à la
> JMeter?
>
>
> Adam Retter <adam@exist-db.org> schrieb am 10:19 Mittwoch, 25.Februar 2015:
>
>
> Hmmm... This rather seems like an implementation issue rather than a
> spec issue to me. From what I remember it is possible to fix this in
> the Java reference implementation without needing to change the spec.
> What would be the benefit of adding such an option to the spec (and
> that is assuming that you could control this in all implementation
> libraries at all)?
>
> On 24 February 2015 at 21:28, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
>> Hello,
>>
>> the HTTP Client Module ( http://expath.org/spec/http-client ) seems to me
>> a
>> very important initiative, as it broadens the scope of what can be
>> achieved
>> with self-contained XQuery programs significantly. Think of all the
>> environments in which web services play a dominant role - there we can
>> offer
>> XQuery-based, lightweight tools performing various useful tasks, taking
>> advantage of the incomparable ease of constructing, navigating and
>> transforming XML.
>>
>> Recently I came across what appears to me a serious limitation of the
>> module, which might be removed in a very simple way: presently, https
>> connections to services with self-signed certificates are not possible,
>> and
>> we bump into messages like this:
>>
>> [experr:HC0001] java.security.cert.CertificateException: No subject
>> alternative names matching IP address 12.34.56.789 found
>>
>> But self-signed certificates are very common! JMeter, the Apache framework
>> for service testing, is not shy (
>> http://jmeter.apache.org/usermanual/get-started.html ):
>>
>> " JMeter HTTP samplers are configured to accept all certificates, whether
>> trusted or not, regardless of validity periods, etc. This is to allow the
>> maximum flexibility in testing servers."
>>
>> My proposal: can we add to the http:send-request function a feature
>> enabling
>> acceptance of self-signed certificates? It might be a "ignore-certificate"
>> function parameter, or a further attribute on the http:request element.
>>
>> Kind regards,
>> Hans-Juergen
>
>>
>>
>>
>
>
>
> --
> Adam Retter
>
> eXist Developer
> { United Kingdom }
> adam@exist-db.org
> irc://irc.freenode.net/existdb
>
>
>
--
Adam Retter
eXist Developer
{ United Kingdom }
adam@exist-db.org
irc://irc.freenode.net/existdb
Received on Wednesday, 25 February 2015 09:30:00 UTC