From: Leif W <war...@us...> - 2004-05-05 15:00:53
----- Original Message -----
From: "Jeremy Wanamaker" <je...@ma...>
To: <dyn...@li...>
Sent: Wednesday, May 05, 2004 10:26 AM
Subject: Re: [Dynapi-Help] secure http

> Leif,
>
> What you have described is exactly what I am trying to do.
>
> > script over HTTPS to get data from a MySQL server. I've used ioelement
> > to talk to both Perl and PHP scripts, over HTTPS. But in my case, all
> > these servers are running on the same machine and I have total control
>
> Because Mozilla crashes, I'm having a difficult time debugging the error.
> IE's script debugger says it's crashing in _monitorTransactions in
> ioelement.js. at the following if statement:
>
>     elm=this.getScope(r[4]);
>     if(elm && elm.document && !elm.document._tranState){
>
> So I'm assuming the getScope function on the previous line is returning a
> null value. I'm not sure why this would be, and maybe I'm way off base. The
> only other thing I'm wondering about is if the following lines are causing a
> problem in _doRequest
>
>     if (url.indexOf('http')!=0) {
>         if (url.substr(0,1)=='/') url = 'http://'+dynapi.frame.document.domain+url;
>         else url = dynapi.documentPath+url;
>     }
>
> Did you have to change these lines to set the url variable to start with
> https rather than http?

Ahh, I didn't touch the JavaScript, but maybe you found a bug, I don't know. It may or may not be the right piece of code we're looking at. The string 'http' is a subset of 'https', and starts at the exact same spot, i.e. not 'http' and 'XYZhttps', so that url.indexOf() call should work, which is why I think it may not be the right line of code, but it made me think of something.

My Apache server is configured to do SSL only if available, so any HTTP requests to my site get a permanent redirection to the HTTPS url, so it's transparent to the browser. But it's probably not a common scenario on the net in general. ;-) Yours is probably the common case. Did you try to tweak the lines to look for https in the URL as well?

I'll look at this too. I'll change my server behaviour not to redirect, and watch the secure and regular logs, and see if the SSL session tries calling for a file on port 80. This is what your browser indicates, but I personally like to see both sides of the story.

Check your Server logs too, if possible. Mine's so low traffic, I just leave 'tail -f *.log', but even if your server is busy, you could use 'tail -f site*.log | grep specific_filename', which is some file only you are looking at.

Next, look in the JS files to where the script actually fetches the file via http, and then just go back from there to see how the URL is built up. IMO it should be able to take ANY url of ANY form. What if I wrote my own protocol ABC:// which fetched files from a "file server" or something. The script should not break because ABC != http.

Leif

P.S. Hmm, I should make my logs into TSV logs. It's very hard to extract information from specific fields when all you can split on is a space, and many fields have space within the content. ^^

> Thanks for your help.
>
> Jeremy
>
> ----- Original Message -----
> From: "Leif W" <war...@us...>
> To: <dyn...@li...>
> Sent: Monday, May 03, 2004 11:22 AM
> Subject: Re: [Dynapi-Help] secure http
>
> > Hmm, not sure about that one. But the first part makes sense: you don't
> > want to start loading insecure data over a secure connection, because
> > then the data that is loaded is not going to be transmitted securely,
> > giving the false impression to the user that the entire session is
> > secure. The second part, about the browser going into a loop and giving
> > an application error, seems like a bug as Doug suggested, but I have no
> > idea.
> >
> > How are you calling this PHP script? Is there any reason you can't use
> > a secure URL to the PHP script in the JS code?
> > https://domain.dom/sql.php Then, you are just talking HTTP over a
> > secure connection, and the browser won't know or care what the PHP
> > script does insecurely while talking to the database (which could be
> > another point of concern from the security view). I use a plain PHP
> > script over HTTPS to get data from a MySQL server. I've used ioelement
> > to talk to both Perl and PHP scripts, over HTTPS. But in my case, all
> > these servers are running on the same machine and I have total control
> > over it, so I know it's configured to work the way I expect. I haven't
> > tried having the initial web page on one HTTPS server, and calling the
> > PHP from a separate HTTP/HTTPS server, which may be what you're doing.
> >
> > If you have control over the database machine, and it's a UNIX box, you
> > can install a program that enables SSL connections to arbitrary server
> > programs, with no modification to the server. Two such programs I am
> > aware of (both use OpenSSL) are stunnel and sslwrap. I'm using stunnel
> > for SWAT (Samba Web Administration Tool), which doesn't use Apache, it
> > has its own web server functionality, but specifically for the task at
> > hand.
> >
> > Leif
> >
> > ----- Original Message -----
> > From: "Jeremy Wanamaker" <je...@ma...>
> > To: <dyn...@li...>
> > Sent: Monday, May 03, 2004 9:47 AM
> > Subject: Re: [Dynapi-Help] secure http
> >
> > > Sorry, I should have been more specific in my original email. I am using
> > > Dynapi 3 with ioelement.js to get data from a database via php scripts. It
> > > works fine when it's running over http (port 80). When I switch to https
> > > (port 443), Mozilla gives me the following warning:
> > >
> > > Although this page is encrypted, the information you have entered is to be
> > > sent over an unencrypted connection and could easily be read by a third
> > > party.
> > >
> > > It asks me if I wish to continue....
> > > I click yes and then mozilla goes into a
> > > loop and gets an application error. Any idea on how I can fix this. I really
> > > need to be able to use secure http for my application.
> > >
> > > Jeremy
> > >
> > > ----- Original Message -----
> > > From: "Leif W" <war...@us...>
> > > To: <dyn...@li...>
> > > Sent: Friday, April 30, 2004 10:08 PM
> > > Subject: Re: [Dynapi-Help] secure http
> > >
> > > > Work in what way? It should work fine in a general sense. The browser
> > > > handles the connection to the server. The server does not care what the
> > > > file contents are, they are just static javascript files. The browser
> > > > handles running the JavaScript, the server has no part in this process.
> > > > I have a local copy of CVS with some of my tinkerings in it, so it's a
> > > > "dirty" copy of the CVS, but it's 99.99% untouched. You can see it at
> > > > http://dynapi.kicks-ass.net/ , and you'll see, it automatically
> > > > redirects to the secure site. I did most of my work with IOElement and
> > > > SODA here.
> > > >
> > > > :D Ohh yeah, the site is down right now, as I'm modifying some Apache
> > > > config settings, to get more details in my log files, and I kind of shut
> > > > the site off and started modifying some live files so I can't turn it
> > > > back up until the configs are finished. Should be tonight or tomorrow,
> > > > once I am able to finish.
> > > >
> > > > In any case, what are you trying now and what isn't working?
> > > >
> > > > Leif
> > > >
> > > > ----- Original Message -----
> > > > From: "Jeremy Wanamaker" <je...@ma...>
> > > > To: <dyn...@li...>
> > > > Sent: Friday, April 30, 2004 3:35 PM
> > > > Subject: [Dynapi-Help] secure http
> > > >
> > > > > Is anyone aware of a way to get DynAPI 3 working with a secure http
> > > > > server?
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Jeremy
> > > > >
> > > > -------------------------------------------------------
> > > > This SF.Net email is sponsored by: Oracle 10g
> > > > Get certified on the hottest thing ever to hit the market... Oracle 10g.
> > > > Take an Oracle 10g class now, and we'll give you the exam FREE.
> > > > http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
> > > > _______________________________________________
> > > > Dynapi-Help mailing list
> > > > Dyn...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/dynapi-help
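
Added example (not part of the thread and not DynAPI code): the _doRequest lines quoted above prepend 'http://' to any URL that starts with '/', so this sketch shows what that logic returns for a page loaded over HTTPS, next to a resolver that inherits the page's scheme. The page object, the function names and the sample URLs are constructed for illustration.

```javascript
// `page` stands in for the browser's location plus dynapi.documentPath.
// All names and values here are hypothetical, not DynAPI's.

// Same logic as the quoted _doRequest lines: a root-relative URL is always
// prefixed with "http://", whatever scheme the page itself was loaded over.
function legacyResolve(url, page) {
  if (url.indexOf('http') != 0) {
    if (url.substr(0, 1) == '/') url = 'http://' + page.domain + url;
    else url = page.documentPath + url;
  }
  return url;
}

// Scheme-preserving alternative: resolve against the page's own URL so a
// root-relative path inherits https: (and host and port) from the page.
function resolveSameScheme(url, page) {
  return new URL(url, page.href).href;
}

// True when a page loaded over https would send the request over plain http,
// which is the condition the Mozilla warning in the thread describes.
function isDowngrade(requestUrl, page) {
  const pageScheme = new URL(page.href).protocol;
  const reqScheme = new URL(requestUrl, page.href).protocol;
  return pageScheme === 'https:' && reqScheme === 'http:';
}

// Constructed sample page mirroring the thread's scenario.
const samplePage = {
  href: 'https://domain.dom/app/index.html',
  domain: 'domain.dom',
  documentPath: 'https://domain.dom/app/',
};

// Compare both resolvers on root-relative, relative and absolute inputs.
function demo() {
  return ['/sql.php', 'sql.php', 'https://domain.dom/sql.php'].map((u) => {
    const legacy = legacyResolve(u, samplePage);
    const fixed = resolveSameScheme(u, samplePage);
    return {
      input: u,
      legacy, legacyDowngrade: isDowngrade(legacy, samplePage),
      fixed, fixedDowngrade: isDowngrade(fixed, samplePage),
    };
  });
}

console.log(demo());
```

Only the root-relative input is rewritten to plain http by the quoted logic; relative and absolute https inputs keep their scheme under both resolvers.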