HTTPGet request – secure requests
hi Chris:
I was pretty sure that https came with Studio 5. Page 94 of the documentation says:
Support for secure connections using SSL has been added to the existing package of web commands. In addition, there is a new set of commands that allow you to communicate with an IMAP email server.
The HTTP, FTP, SMTP and POP3 client commands that establish a connection to a server all have two new arguments, which control if and how a secure connection is used.
The new and updated Web Commands are summarized here and described in more detail in the reference section at the end of this manual.
so, why does one web site work and the other not — I suspect it's because the web site still supports plain http.
also, BE WARNED (in a friendly way) that connecting to a secure web site via HTTPS is not always possible — even if you can connect to other secure web sites via HTTPS.
WHY? connecting depends on the protocol that the web site supports and what your HTTPS client can do.
Studio 5.2.3 can talk to sites that enable SSL1, SSL2 and SSL3 (all of which are compromised) but could not talk to sites that require TLS 1.0 and up. The only really secure transport mechanism these days is TLS 1.2. Thus you will find that more and more commerce sites only support TLS 1.2.
the practical effect of this can be seen as follows:
– safari on OSX 10.8.5 and earlier cannot talk TLS 1.2
– windows exploder (early versions) have issues.
– Studio 5.2.3 cannot talk to sites that only support SSL transport.
– studio 6 web enabler components can talk to TLS 1.2 and that's because the web enabler components were changed to support the operating system’s built in version of openSSL.
This I know for 100% certainty because we ran into some pretty limiting issues talking to credit card sites via HTTPS a few years ago because the PCI people required TLS 1.1 and up. The fantastic folks at Omnis helped out with a workaround as part of the ODPP program. as I recall, it was possible for us to use Studio 6 (windows) web enablers with Studio 5 windows (but not studio 4 — don’t try it). and on OSX, a little hackery with otools and some symlinks let us point Studio 5 to the built in OSX versions of SSL which supported TLS.
Meaning, it is possible with a bunch of work to make studio 5 talk to all current web sites via https. The more advisable route is more recent versions of Studio.
bottom line
if you MUST use HTTPS, you NEED Studio 5 at a minimum (Kelly’s TCPTalk can also do SSL)
if you MUST use HTTPS and NEED to talk to web sites that only support TLS 1.0 and up you NEED Studio 6 at a minimum (which means go all the way to Studio 8.1)
you may also need to install OPENSSL on windows. We use slproweb.com/products/Win32OpenSSL.html when required as part of our Studio 5 installers. The actual version we install is slproweb.com/download/Win32OpenSSL-1_1_0g.exe
Finally a FANTASTIC TOOL to find out how much crap you are in is to use the web site www.ssllabs.com/ssltest/
this tool will scan a web site for you and tell you what versions of SSL (eg SSL v1 through v3, TLS 1.0 through 1.3) the web site supports, the cipher suites, what browsers it supports and a whole lot of things.
we literally use this tool daily to:
– scan hundreds of our customer web sites with Nagios to find out when their certificates expire and if they’ve put holes in their firewalls that shouldn’t be there.
– to point out to customers why their patrons cannot buy online with Internet Exploder 6 on win XP (it doesn’t support TLS 1.x)
– and to coach them about PCI security and proper web site certificates
hope that helps.
use Qualys to find out what the web site supports and that will tell you how deep the pile of poop you are in.
Doug Easterbrook
Arts Management Systems Ltd.
mailto:doug@artsman.com
www.artsman.com
Phone (403) 650-1978
see you at the third annual users conference
tickets.proctors.org/TheatreManager/95/online?performance=29086
> On Dec 27, 2017, at 2:04 AM, Chris Webb <Chris.Webb@catalina-software.co.uk> wrote:
>
> Hi Doug,
>
> Thanks for the reply.
>
> We are currently running 2 projects both of which download binary content from a https:// address at the end of data processing.
>
> The thing is, using the HTTP automation object for one works without issue and the other returns the aforementioned SSL issue. Which I assume is more likely related to the settings at their end (one is probably less strict than the other) rather than being an Omnis based issue…
>
> Sounds like our system upgrade can’t come soon enough 😊
>
> Hope you and yours had a great couple of days over the Christmas period… back to the grind stone today for me.
>
> Kind Regards
>
> Chris
>
> From: Doug Easterbrook [mailto:doug@artsman.com]
> Sent: 22 December 2017 19:02
> To: OmnisDev List – English <omnisdev-en@lists.omnis-dev.com>
> Cc: Chris Webb <Chris.Webb@catalina-software.co.uk>
> Subject: Re: HTTPGet request – secure requests
>
> hi Chris:
>
> you can’t use https with studio 4 — doesn’t work. the feature I think was new to studio 5.
>
> Doug Easterbrook
> Arts Management Systems Ltd.
> mailto:doug@artsman.com
> www.artsman.com
> Phone (403) 650-1978
>
> see you at the third annual users conference
> tickets.proctors.org/TheatreManager/95/online?performance=29086
>
> On Dec 22, 2017, at 9:34 AM, Chris Webb via omnisdev-en <omnisdev-en@lists.omnis-dev.com> wrote:
>
> Hi All,
> Using Omnis 4.3 (not for much longer though).
> Trying to access a secure url to download a file using the HTTP automation object but are getting an SSL error response.
> So, tried using the HTTPGet request and this returns a HTTP 301 Moved Permanently response. Now I think this is because it is not actually doing a request goes to http and tries to redirect to secure (which it can’t).
> Then added the optional parameters for port (443) and get the response ‘The plain HTTP request was sent to HTTPS port’.
> Then added the parameter for secure as kTrue and it wouldn’t even open a socket.
> Any thoughts on how to get secure request working through HTTPGet?
> Thanks in advance.
> Chris
> _____________________________________________________________
> Manage your list subscriptions at lists.omnis-dev.com
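The failures discussed in this thread (an SSL error on one site, "The plain HTTP request was sent to HTTPS port" on another attempt) can be told apart from the first bytes the server sends back. The following is an added example, not part of the original messages and not Omnis code; the function names and the sample byte strings are constructed for illustration.

```python
import struct

ALERT, HANDSHAKE = 21, 22                      # TLS record content types
ALERTS = {40: "handshake_failure", 70: "protocol_version"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def server_hello_version(msg: bytes) -> int:
    """Version chosen in a ServerHello message (caller ensures len(msg) >= 42)."""
    version = struct.unpack("!H", msg[4:6])[0]  # legacy_version field
    pos = 38 + 1 + msg[38] + 3                  # skip session id, cipher, compression
    if pos + 2 > len(msg):
        return version                          # no extensions: SSL 3.0 .. TLS 1.2
    end = min(len(msg), pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0])
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", msg[pos:pos + 4])
        if ext_type == 43 and pos + 6 <= end:   # supported_versions (TLS 1.3)
            return struct.unpack("!H", msg[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return version

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sent back to a connection attempt."""
    if data.startswith(b"HTTP/"):               # client never started TLS
        return "plain HTTP: " + data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    if len(data) < 5:
        return "truncated"
    ctype, _, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return "truncated"
    if ctype == ALERT and length == 2:          # alert level, alert description
        return "alert: " + ALERTS.get(body[1], f"code {body[1]}")
    if ctype == HANDSHAKE and body[:1] == b"\x02" and len(body) >= 42:
        return "negotiated " + VERSIONS.get(server_hello_version(body), "unknown")
    return "not a TLS handshake reply"

ZEROS = "00" * 33                               # zero random + empty session id
SAMPLES = {                                     # constructed, not captured traffic
    "tls10": bytes.fromhex("160301002a02000026" + "0301" + ZEROS + "002f00"),
    "tls13": bytes.fromhex("16030300320200002e0303" + ZEROS + "1301000006002b00020304"),
    "alert": bytes.fromhex("15030100020246"),   # fatal protocol_version
    "http": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify_reply(raw))
```

A `protocol_version` or `handshake_failure` alert points at a version or cipher mismatch between client and server, while a plain HTTP status line means the client never attempted TLS at all.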