W3C home > Mailing lists > Public > public-expath@w3.org > February 2015

Re: HTTP Client Module - certificates ...

From: Adam Retter <adam@exist-db.org>
Date: Wed, 25 Feb 2015 22:41:25 +0000
Message-ID: <CAJKLP9Y_iMW3fdgR+nN6piwFt8f+fnwBc2cf1Gybo=_Q4+BwBg@mail.gmail.com>
To: Hans-Juergen Rennau <hrennau@yahoo.de>
Cc: Christian Grün <christian.gruen@gmail.com>, EXPath <public-expath@w3.org>
Sounds good. But well if we are going to do it in the spec we should
consider each certificate option we should need
On 25 Feb 2015 22:00, "Hans-Juergen Rennau" <hrennau@yahoo.de> wrote:

> "... ignore-certificates is just one of several options ..." - yes, I
> suppose you are right. I myself would not very much care about the form
> actually chosen, as long as control were somehow enabled.
>
> Hans-Juergen
>
>
>   Adam Retter <adam@exist-db.org> schrieb am 10:29 Mittwoch, 25.Februar
> 2015:
>
>
> I think you could go either way ;-) I was really just suggesting that
> it needs to be given consideration. If you want control over
> certificates in the spec, then I think ignore-certificates is just one
> of several options you would need to consider adding.
>
> On 25 February 2015 at 09:27, Hans-Juergen Rennau <hrennau@yahoo.de>
> wrote:
> > I thought control over whether certificates are considered is important
> for
> > securiy reasons, but I may be wrong. So you think it would be acceptable
> to
> > implement the spec in a way that simply ignores the certificates, à la
> > JMeter?
> >
> >
> > Adam Retter <adam@exist-db.org> schrieb am 10:19 Mittwoch, 25.Februar
> 2015:
> >
> >
> > Hmmm... This rather seems like an implementation issue rather than a
> > spec issue to me. From what I remember it is possible to fix this in
> > the Java reference implementation without needing to change the spec.
> > What would be the benefit of adding such an option to the spec (and
> > that is assuming that you could control this in all implementation
> > libraries at all)?
> >
> > On 24 February 2015 at 21:28, Hans-Juergen Rennau <hrennau@yahoo.de>
> wrote:
> >> Hello,
> >>
> >> the HTTP Client Module ( http://expath.org/spec/http-client ) seems to
> me
> >> a
> >> very important initiative, as it broadens the scope of what can be
> >> achieved
> >> with self-contained XQuery programs significantly. Think of all the
> >> environments in which web services play a dominant role - there we can
> >> offer
> >> XQuery-based, lightweight tools performing various useful tasks, taking
> >> advantage of the incomparable ease of constructing, navigating and
> >> transforming XML.
> >>
> >> Recently I came across what appears to me a serious limitation of the
> >> module, which might be removed in a very simple way: presently, https
> >> connections to services with self-signed certificates are not possible,
> >> and
> >> we bump into messages like this:
> >>
> >> [experr:HC0001] java.security.cert.CertificateException: No subject
> >> alternative names matching IP address 12.34.56.789 found
> >>
> >> But self-signed certificates are very common! JMeter, the Apache
> framework
> >> for service testing, is not shy (
> >> http://jmeter.apache.org/usermanual/get-started.html ):
> >>
> >> " JMeter HTTP samplers are configured to accept all certificates,
> whether
> >> trusted or not, regardless of validity periods, etc. This is to allow
> the
> >> maximum flexibility in testing servers."
> >>
> >> My proposal: can we add to the http:send-request function a feature
> >> enabling
> >> acceptance of self-signed certificates? It might be a
> "ignore-certificate"
> >> function parameter, or a further attribute on the http:request element.
> >>
> >> Kind regards,
> >> Hans-Juergen
> >
> >>
> >>
> >>
> >
> >
> >
> > --
> > Adam Retter
> >
> > eXist Developer
> > { United Kingdom }
> > adam@exist-db.org
> > irc://irc.freenode.net/existdb
>
> >
> >
> >
>
>
>
> --
> Adam Retter
>
> eXist Developer
> { United Kingdom }
> adam@exist-db.org
> irc://irc.freenode.net/existdb
>
>
>
Received on Wednesday, 25 February 2015 22:41:54 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:47:39 UTC