
Re: HTTP Client Module - certificates ...

From: Hans-Juergen Rennau <hrennau@yahoo.de>
Date: Wed, 25 Feb 2015 22:00:48 +0000 (UTC)
To: Adam Retter <adam@exist-db.org>
Cc: EXPath <public-expath@w3.org>, "christian.gruen@gmail.com" <christian.gruen@gmail.com>
Message-ID: <13743277.68945.1424901648145.JavaMail.yahoo@mail.yahoo.com>
"... ignore-certificates is just one of several options ..." - yes, I suppose you are right. I myself would not very much care about the form actually chosen, as long as control were somehow enabled. 
Hans-Juergen 

     Adam Retter <adam@exist-db.org> wrote at 10:29 on Wednesday, 25 February 2015:
   

 I think you could go either way ;-) I was really just suggesting that
it needs to be given consideration. If you want control over
certificates in the spec, then I think ignore-certificates is just one
of several options you would need to consider adding.

On 25 February 2015 at 09:27, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
> I thought control over whether certificates are considered is important for
> security reasons, but I may be wrong. So you think it would be acceptable to
> implement the spec in a way that simply ignores the certificates, à la
> JMeter?
>
>
> Adam Retter <adam@exist-db.org> wrote at 10:19 on Wednesday, 25 February 2015:
>
>
> Hmmm... This rather seems like an implementation issue rather than a
> spec issue to me. From what I remember it is possible to fix this in
> the Java reference implementation without needing to change the spec.
> What would be the benefit of adding such an option to the spec (and
> that is assuming that you could control this in all implementation
> libraries at all)?
>
> On 24 February 2015 at 21:28, Hans-Juergen Rennau <hrennau@yahoo.de> wrote:
>> Hello,
>>
>> the HTTP Client Module ( http://expath.org/spec/http-client ) seems to me a
>> very important initiative, as it broadens the scope of what can be achieved
>> with self-contained XQuery programs significantly. Think of all the
>> environments in which web services play a dominant role - there we can offer
>> XQuery-based, lightweight tools performing various useful tasks, taking
>> advantage of the incomparable ease of constructing, navigating and
>> transforming XML.
>>
>> Recently I came across what appears to me a serious limitation of the
>> module, which might be removed in a very simple way: presently, https
>> connections to services with self-signed certificates are not possible, and
>> we bump into messages like this:
>>
>> [experr:HC0001] java.security.cert.CertificateException: No subject
>> alternative names matching IP address 12.34.56.789 found
>>
>> But self-signed certificates are very common! JMeter, the Apache framework
>> for service testing, is not shy (
>> http://jmeter.apache.org/usermanual/get-started.html ):
>>
>> "JMeter HTTP samplers are configured to accept all certificates, whether
>> trusted or not, regardless of validity periods, etc. This is to allow the
>> maximum flexibility in testing servers."
>>
>> My proposal: can we add to the http:send-request function a feature enabling
>> acceptance of self-signed certificates? It might be a "ignore-certificate"
>> function parameter, or a further attribute on the http:request element.
>>
>> Kind regards,
>> Hans-Juergen
>
> --
> Adam Retter
>
> eXist Developer
> { United Kingdom }
> adam@exist-db.org
> irc://irc.freenode.net/existdb
>
>
>



-- 
Adam Retter

eXist Developer
{ United Kingdom }
adam@exist-db.org
irc://irc.freenode.net/existdb

   
Received on Wednesday, 25 February 2015 22:01:18 UTC
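
The exception text quoted in the thread reports a subject-alternative-name mismatch for an IP address. The following is an added example (not code from the thread, the spec or any EXPath implementation) of the name-matching rule behind such a message: a client connecting to an IP literal compares it only with IP-type SAN entries. The certificate dicts are constructed, in the shape Python's ssl getpeercert() returns, and all names and addresses are placeholders.

```python
import ipaddress

def _dns_match(pattern, host):
    """Case-insensitive DNS match; '*.' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def san_matches(cert, host):
    """Check `host` against the subjectAltName entries of `cert`.

    Returns (ok, reason). The subject commonName is deliberately not consulted.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only "IP Address" entries count, never "DNS" ones.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, "matched IP Address SAN"
        return False, "no IP Address SAN matches " + host
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, host):
            return True, "matched DNS SAN " + value
    return False, "no DNS SAN matches " + host

# Constructed sample certificates (documentation address range, .test names).
CERT_DNS_ONLY = {"subjectAltName": (("DNS", "svc.example.test"),)}
CERT_IP_AS_DNS = {"subjectAltName": (("DNS", "192.0.2.10"),)}
CERT_WITH_IP = {"subjectAltName": (("DNS", "*.example.test"),
                                   ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for name, cert in [("dns-only", CERT_DNS_ONLY),
                       ("ip-as-dns", CERT_IP_AS_DNS),
                       ("with-ip", CERT_WITH_IP)]:
        for host in ("192.0.2.10", "svc.example.test"):
            print(name, host, san_matches(cert, host))
```

A self-signed certificate issued with an IP-type SAN for the service address passes this check, so it can be trusted individually while name verification stays on.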

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:47:39 UTC