Comments (11)
Perhaps option 1 is the best one for the moment, we use AxTLS, not OpenSSL, and I forget if we are using TLS, perhaps not. In this case, even with a recent cURL library (which we updated not too long ago) we still would not be able to access the data. On the other hand, there is the assumption that SSL should be secure, do you think this is a must?
from nme.
Because of the shortage of IPv4 addresses I think we'll find this becomes more and more common, especially for HTTPS sites with multiple subdomains sharing the same IP. In my case it's preventing me from making encrypted API calls between the app + website altogether.
I believe option 1 is reasonable for my case where I control both the app & website. But for an app that allows the user to open arbitrary URLs it would definitely be a serious security issue. So it might not be a good idea to silently disable SSL verification by default.
Is there an easy way we could make it a property of URLLoader, or project.xml setting or similar?
from nme.
Silly me :)
AxTLS, is, of course, designed for TLS support, so that should mean we need only to ensure that AxTLS has SNI support. Our cURL library should be new enough.
A month ago, someone created a patch for AxTLS with SNI support. Perhaps this would be the best path to look up?
from nme.
This repo seems to have the latest axTLS 1.4.9 with the SNI patch in it:
https://github.com/tessel/runtime/tree/master/deps/axtls
My guess is this needs to go into nme-dev/project/tars/ but I've no idea how to then build the nme-dev libs for all the platforms. Might need a nudge in the right direction with this one :-)
from nme.
OK now I'm the silly one... just read the nme-dev/README :-S Giving it a try.
from nme.
No dice it appears...
The above patch adds SNI support to axTLS, but curl still doesn't know how to use it. We'd need to also patch curl/lib/vtl/axtls.c so curl knows to use SNI with axTLS and also set the hostname via the axTLS patch.
I spent some time looking through the curl code, and it seems I'm way too SSL ignorant to make any sense of it.
I'm guessing there's a good reason (easier portability?) for using axTLS instead if OpenSSL?
from nme.
Looks like:
http://curl.haxx.se/docs/ssl-compared.html
BSD license, very small codebase. Oh, there's always some problem, isn't there? :)
OpenSSL isn't purely off the table, but performance and whether it compiles well and integrates in are important. I've held to "if it ain't broke don't fix it" but maybe it's broke :/
from nme.
Yeah this is a tough one. What do you suggest for the next step? Finding a way to optionally disabled the VERIFYHOST or trying to compile against openssl for all platforms?
from nme.
@bazzisoft Do you still need help with this issue?
from nme.
@thomasuster Not for my project, I used a static IP as a workaround. Still seems worthwhile getting it fixed at some point but it's not urgent for my use case. Thanks for following up!
from nme.
Cool, yea I'd rather close for now until someone has the urge to help this along. Aloha
from nme.
Related Issues (20)
- [QUESTION] How accurate cubicTo method? HOT 2
- Issue with clipboard getdata on Android HOT 2
- Window close events
- Incompatibility with SWF library HOT 4
- Unable to run sample project on Linux HOT 3
- nme setup fails on M1 Mac
- CapabilitiesGetScreenDPI on Mac retina display concern HOT 8
- Video player on android 11 issue HOT 1
- nme build is adding empty `-cp`s
- Build Error: Invalid character: / HOT 3
- nme build neko create an empty output file.
- xcode 14.0.1 NME app hang risk warning
- Cant compile NME for android with latest hxcpp changes
- nmehost download site has been taken over, please do not visit till Hugh has resolved. HOT 1
- ByteArray writeFile doesnt work on iOS
- Android not working? HOT 9
- Exception: ZLib Error : incorrect header check(-3) HOT 1
- linux jsprime HOT 1
- [Windows] TextField does not work properly with input method
- Exception: Code offset miscaculation on gm2d.swf.Font HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nme.