flex-issues mailing list archives

From "Doug Pierce (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (FLEX-23755) SecureSocket in AIR 2.0 is not suitable for development and/or production use due to the need of a valid server certificate
Date Wed, 09 Sep 2015 21:21:45 GMT

    [ https://issues.apache.org/jira/browse/FLEX-23755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14737598#comment-14737598 ]

Doug Pierce commented on FLEX-23755:

Any workaround for this?  Would love to develop something using SecureSocket, but as tom_h
said, that's not suitable for development purposes.  Have SecureSocket support a development
self-signed cert and all will be good.

> SecureSocket in AIR 2.0 is not suitable for development and/or production use due to the need of a valid server certificate
> ---------------------------------------------------------------------------------------------------------------------------
>                 Key: FLEX-23755
>                 URL: https://issues.apache.org/jira/browse/FLEX-23755
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: .Unspecified - Framework
>    Affects Versions: Adobe Flex SDK 4.1 (Release)
>         Environment: Affected OS(s): All OS Platforms
> Affected OS(s): All OS Platforms
> Language Found: English
>            Reporter: Adobe JIRA
> First of all, is this the right place to report issues in prereleases of AIR 2.0?
> Steps to reproduce:
> 1. Try to use SecureSocket with a self-signed certificate (during development) or existing production servers which are not under the developer's control (google talk)
> 2. Listen for IOErrorEvent.IO_ERROR on the SecureSocket
> 3. Trace the value of the "certificateStatus" property in the IOErrorEvent
>  Actual Results:
> The "certificateStatus" property in the IOErrorEvent will always indicate a value of invalidity (see http://help.adobe.com/en_US/FlashPlatform/beta/reference/actionscript/3/flash/security/CertificateStatus.html).
> It is very common to have self-signed certificates during development. This restriction of SecureSocket makes development and testing of according services impossible.
> In addition, a lot of services on the internet do not present valid certificates. For instance it is not possible to connect to Google Talk XMPP Servers on talk.google.com as the certificate has a different CN. Of course, the developer won't be able to change existing certificates on third party servers.
>  Expected Results:
>  It should be possible to utilize SecureSocket even if the certificate is "invalid". I do suggest additional properties of SecureSocket:
> - to allow the use of self-signed certificates
> - specify the actual CN that is going to be presented in the certificate
> - possibly allow even more conditions to allow development interim
>  Workaround (if any):
> - Do not use SecureSocket. The irony of this "workaround" is that things will be as insecure as without the availability of SecureSocket.
> - Use "as3crypto" (http://code.google.com/p/as3crypto/). While this solution is inefficient in terms of performance developers have to take care of its bugs and flaws.
> Please, refine SecureSocket previous to the release of AIR 2.0. Thank you!

This message was sent by Atlassian JIRA
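
The reproduction steps in the quoted report, as an added example that is not part of the original message or of the Apache Flex code base. It reads the status from `SecureSocket.serverCertificateStatus` and, as an assumption beyond the AIR 2.0 release the report targets, uses `addBinaryChainBuildingCertificate`, which exists only in AIR 3.0 and later, to trust one development CA while leaving validation on. The file `dev-ca.der`, the host name and the port are hypothetical.

```actionscript
package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.events.IOErrorEvent;
    import flash.net.SecureSocket;
    import flash.security.CertificateStatus;
    import flash.utils.ByteArray;

    public class SecureSocketProbe extends Sprite {
        // Hypothetical file: DER-encoded certificate of the development CA
        // (or the self-signed server certificate itself).
        [Embed(source="dev-ca.der", mimeType="application/octet-stream")]
        private static const DevCA:Class;

        private var socket:SecureSocket;

        public function SecureSocketProbe() {
            if (!SecureSocket.isSupported) {
                trace("SecureSocket is not supported on this platform");
                return;
            }
            socket = new SecureSocket();
            // AIR 3.0+ only: adds a single trust anchor for this socket.
            // Chain, expiry and host name checks all still run.
            socket.addBinaryChainBuildingCertificate(new DevCA() as ByteArray, true);
            socket.addEventListener(Event.CONNECT, onConnect);
            socket.addEventListener(IOErrorEvent.IO_ERROR, onError);
            socket.connect("dev.example.test", 5223); // constructed host and port
        }

        private function onConnect(e:Event):void {
            trace("connected, certificate status: " + socket.serverCertificateStatus);
        }

        private function onError(e:IOErrorEvent):void {
            var status:String = socket.serverCertificateStatus;
            if (status == CertificateStatus.UNTRUSTED_SIGNERS) {
                trace("chain does not end at a trusted anchor: check dev-ca.der");
            } else if (status == CertificateStatus.PRINCIPAL_MISMATCH) {
                // A trusted anchor does not fix a name mismatch: issue the
                // development certificate for the host name passed to connect().
                trace("certificate name does not match the host");
            } else {
                trace("TLS failure, certificate status: " + status);
            }
        }
    }
}
```

Keep the embedded anchor out of release builds so that production clients trust only the platform's certificate store.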
