SSL Cert Not Recognized

Lucifer Lockjaw
Registered User
Join date: 27 Sep 2007
Posts: 7
04-22-2009 13:16
I'm running into a problem accessing a site I control using SSL from llHTTPRequest(). Accessing the site with certificate checking turned off works, whereas it fails if the certificate is checked. The certificate is a GoDaddy "standard" cert which is recognized by Firefox, IE, Safari and Konqueror. The following code illustrates the problem:

string baseURL1 = "https://www.wellsfargo.com";
string baseURL2 = "https://www.fonmeta.com";
key Q1;
key Q2;
key Q3;

default
{
    touch_start(integer total_number)
    {
        // Q1 and Q2 use the default (certificate verified); Q3 turns verification off.
        Q1 = llHTTPRequest(baseURL1, [HTTP_METHOD, "GET"], "");
        Q2 = llHTTPRequest(baseURL2, [HTTP_METHOD, "GET"], "");
        Q3 = llHTTPRequest(baseURL2, [HTTP_METHOD, "GET", HTTP_VERIFY_CERT, FALSE], "");
    }

    http_response(key quid, integer status, list metadata, string body)
    {
        string baseURL;

        // Match the response to the request that produced it.
        if (quid == Q1)
            baseURL = baseURL1;
        else if (quid == Q2)
            baseURL = baseURL2;
        else if (quid == Q3)
            baseURL = baseURL2 + " with cert checking disabled";
        else
            baseURL = "WTF??";

        if (status == 499)
            llOwnerSay("Request to " + baseURL + " timed out");
        else if (status != 200)
            llOwnerSay("Unexpected HTTP response " + (string)status);
        else
            llOwnerSay("normal response from " + baseURL);
    }
}

Output follows:

[18:32] Object: Request to https://www.fonmeta.com timed out
[18:32] Object: normal response from https://www.wellsfargo.com
[18:32] Object: normal response from https://www.fonmeta.com with cert checking disabled

A "standard" cert from GoDaddy merely attests that the owner controls the domain in question. That is, no identity testing beyond a response to email directed to the domain administrative address is done. If that's an issue, it certainly isn't documented anywhere, and I want LL to pay for the cert. (I'm not holding my breath on that one.)
Papalopulus Kobolowski
working mind
Join date: 11 Aug 2006
Posts: 326
04-22-2009 13:28
Try this:

HTTP_VERIFY_CERT

integer boolean
If TRUE, the server SSL certificate must be verifiable using one of the standard certificate authorities when making HTTPS requests. If FALSE, any server SSL certificate will be accepted.

http://wiki.secondlife.com/wiki/HTTP_VERIFY_CERT
Void Singer
Int vSelf = Sing(void);
Join date: 24 Sep 2005
Posts: 6,973
04-22-2009 23:28
Could be that fonmeta is checking cert unless explicitly told not to?
Lucifer Lockjaw
Registered User
Join date: 27 Sep 2007
Posts: 7
04-23-2009 02:02
I'm not sure what you mean by this. fonmeta is running Apache and is not checking client certs. The problem is with SL not validating the server's certificate when asked to (as per default.)

It's a specific certificate just for www.fonmeta.com, though I doubt that matters.
Lucifer Lockjaw
Registered User
Join date: 27 Sep 2007
Posts: 7
04-23-2009 09:47
Another factoid: accessing https://www.godaddy.com works just fine. Presumably that site uses the same root cert mine does.
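
Added example, not part of any post in this thread and not Linden Lab code: a Bash helper that reads `openssl s_client` output and reports how many certificates the server sent and how verification ended, so the two hosts mentioned above can be compared as a non-browser client sees them. The function names and the sample output are constructed for illustration, and an available `openssl` CLI is assumed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: summarise `openssl s_client` output.

summarize_chain() {   # stdin: s_client output -> "<certs sent> <code> <text>"
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^---$/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/  { sent++ }
        /Verify return code:/ && !seen {   # TLS 1.3 output repeats this line
            seen = 1
            sub(/^.*Verify return code: */, ""); code = $1
            sub(/^[0-9]+ */, ""); gsub(/[()]/, ""); text = $0
        }
        END { printf "%d %s %s\n", sent + 0, (seen ? code : "none"), text }'
}

verdict() {           # $1 = certs sent, $2 = verify return code
    case "$2" in
        0)     echo "verified against the local CA store" ;;
        20|21) if [ "$1" -le 1 ]; then
                   echo "issuer not found and only the leaf was sent: check the server's intermediate chain"
               else
                   echo "issuer not found for the chain sent: compare its top certificate with the local CA store"
               fi ;;
        none)  echo "no verify result in the input" ;;
        *)     echo "verification failed with code $2" ;;
    esac
}

check_host() {        # live check: needs network access and the openssl CLI
    # word splitting of the summary into $1 $2 ... is intentional
    set -- $(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null | summarize_chain)
    echo "sent=$1 code=$2"; verdict "$1" "$2"
}

sample_output() {     # constructed s_client excerpt; the names are placeholders
    cat <<'EOF'
---
Certificate chain
 0 s:CN = www.example.test
   i:C = US, O = Example CA, CN = Example Issuing CA
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Offline demonstration on the constructed sample; for a live host call check_host <name>.
verdict $(sample_output | summarize_chain)
```

Codes 20 and 21 are OpenSSL's "unable to get local issuer certificate" and "unable to verify the first certificate"; a browser may still accept such a site because it can reuse intermediates it has cached from other sites.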