HTTPSSession question

[rbock]

Hi,

I am trying to write program somewhat similar to wget. It is supposed to retrieve documents from the internet in a batch job without user interaction and I am kinda stuck. I tried to start from the example called download in poco-1.3.2-ssl/NetSSL_OpenSSL/samples:

a) When the Poco: :Net: :Context is created, it asks the user for the password for the privateKeyFile. Do I really need a privateKeyFile (wget does not seem to need one)? If so, can I prevent this password dialog from taking place?

b) Similar question about the caLocation. Can I live without it?

c) When the connection to an HTTPS server is established, the user gets asked if he wants to accept the server certificate. Is there a way around this?


The HowTo on NetSSL indicates that there are options, but the privateKeyFile, the caLocation and the user interaction always seem to be present.

The Networking tutorial (FTPClient) indicates that adding HTTPS support to an application rather easy, but the tutorial does not work for https-URLs. It throws an exception:

Null pointer: _pInstance in file "/home/rbock/temp/poco-1.3.2-ssl/Util/include/Poco/Util/Application.h", line 422

Regards,

Roland

[peter]

> Hi,
>
> I am trying to write program somewhat similar to wget. It is supposed to retrieve documents from the internet in a batch job without user interaction and I am kinda stuck. I tried to start from the example called download in poco-1.3.2-ssl/NetSSL_OpenSSL/samples:
>
> a) When the Poco: :Net: :Context is created, it asks the user for the password for the privateKeyFile. Do I really need a privateKeyFile (wget does not seem to need one)? If so, can I prevent this password dialog from taking place?


Unfortunately a pwd is always needed. Maybe we should add some additional context constructor that allows to create a context without that information but we are lacking the time to do so. To prevent the dialog use the KeyFileHandler, which reads the pwd from the config file. Or try creating a privateKeyfile which has no password.

>
> b) Similar question about the caLocation. Can I live without it?

Not yet.

>
> c) When the connection to an HTTPS server is established, the user gets asked if he wants to accept the server certificate. Is there a way around this?

Yes, set the VerificationMode to VERIFY_NONE


>
>
> The HowTo on NetSSL indicates that there are options, but the privateKeyFile, the caLocation and the user interaction always seem to be present.

See above, we need a new Context constructor

>
> The Networking tutorial (FTPClient) indicates that adding HTTPS support to an application rather easy, but the tutorial does not work for https-URLs. It throws an exception:
>
> Null pointer: _pInstance in file "/home/rbock/temp/poco-1.3.2-ssl/Util/include/Poco/Util/Application.h", line 422

This works only with an Poco Util Application (which provides access to the config).
If you don't have a Poco Util Application, you must initialize the contexts by hand
(see download sample).

br

Peter

>
> Regards,
>
> Roland

[guenter]

You might have some success with the following configuration:

Code: Select all


# OpenSSL Configuration
openSSL.server.privateKeyFile = ${application.dir}any.pem
openSSL.server.caConfig = ${application.dir}rootcert.pem
openSSL.server.verificationMode = none
openSSL.server.verificationDepth = 9
openSSL.server.loadDefaultCAFile = false
openSSL.server.cypherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
openSSL.server.privateKeyPassphraseHandler.name = KeyFileHandler
openSSL.server.privateKeyPassphraseHandler.options.password = test
openSSL.server.invalidCertificateHandler = AcceptCertificateHandler

openSSL.client.privateKeyFile = ${application.dir}any.pem
openSSL.client.caConfig = ${application.dir}rootcert.pem
openSSL.client.verificationMode = none
openSSL.client.verificationDepth = 0
openSSL.client.loadDefaultCAFile = false
openSSL.client.cypherList = ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
openSSL.client.privateKeyPassphraseHandler.name = KeyFileHandler
openSSL.client.privateKeyPassphraseHandler.options.password = test
openSSL.client.invalidCertificateHandler.name = AcceptCertificateHandler


[rbock]

> Unfortunately a pwd is always needed. Maybe we should add some additional context constructor that allows to create a context without that information but we are lacking the time to do so. To prevent the dialog use the KeyFileHandler, which reads the pwd from the config file. Or try creating a privateKeyfile which has no password.

Modifying the constructor was a very good idea! I changed the code so that it does not use
privateKeyFile and caLocation if the string length is zero. Seems to work wonderfully (:biggrin:)

I'll post a patch...

Regards,

Roland

[peter]

> > Unfortunately a pwd is always needed. Maybe we should add some additional context constructor that allows to create a context without that information but we are lacking the time to do so. To prevent the dialog use the KeyFileHandler, which reads the pwd from the config file. Or try creating a privateKeyfile which has no password.
>
> Modifying the constructor was a very good idea! I changed the code so that it does not use
> privateKeyFile and caLocation if the string length is zero. Seems to work wonderfully (:biggrin:)

Great!
And I always feared it would take way too much time to fix it :-)


>
> I'll post a patch...
>
> Regards,
>
> Roland