[slscripters] llHTTPRequest("https://...") + SNI = status 499?

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

[slscripters] llHTTPRequest("https://...") + SNI = status 499?

Jessica Stein
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Darien Caldwell-3
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters


_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Darien Caldwell-3
You may want to try getting Kelly at his office hours:  https://wiki.secondlife.com/wiki/Linden_Lab_Official:User_Groups
 
                  - Dari

On Thu, Feb 23, 2012 at 6:25 PM, Darien Caldwell <[hidden email]> wrote:
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Kelly Linden
HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:

CURLOPT_SSL_VERIFYPEER

This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

When negotiating a SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.

When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.

Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST to control that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:


CURLOPT_SSL_VERIFYHOST

This option determines whether libcurl verifies that the server cert is for the server it is known as.

When negotiating a SSL connection, the server sends a certificate indicating its identity.

When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the server is the server to which you meant to connect, or the connection fails.

Curl considers the server the intended one when the Common Name field or a Subject Alternate Name field in the certificate matches the host name in the URL to which you told Curl to connect.

When the value is 1, the certificate must contain a Common Name field, but it doesn't matter what name it says. (This is not ordinarily a useful setting).

When the value is 0, the connection succeeds regardless of the names in the certificate.

The default value for this option is 2.

Hope this helps. The above was from: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html

 - Kelly


On Mon, Feb 27, 2012 at 8:08 AM, Darien Caldwell <[hidden email]> wrote:
You may want to try getting Kelly at his office hours:  https://wiki.secondlife.com/wiki/Linden_Lab_Official:User_Groups
 
                  - Dari

On Thu, Feb 23, 2012 at 6:25 PM, Darien Caldwell <[hidden email]> wrote:
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Darien Caldwell-3
So if I interpret that correctly, HTTP_VERIFY_CERT simply gives unauthenticated certificates a pass. But the CURLOPT_SSL_VERIFYHOST being set to 2 still requires that the certificate must point to the originating server.  In short, SNI scenarios won't work.  Thanks Kelly.
 
                   - Dari

On Mon, Feb 27, 2012 at 8:34 AM, Kelly Linden <[hidden email]> wrote:
HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:

CURLOPT_SSL_VERIFYPEER

This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

When negotiating a SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.

When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.

Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST to control that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:


CURLOPT_SSL_VERIFYHOST

This option determines whether libcurl verifies that the server cert is for the server it is known as.

When negotiating a SSL connection, the server sends a certificate indicating its identity.

When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the server is the server to which you meant to connect, or the connection fails.

Curl considers the server the intended one when the Common Name field or a Subject Alternate Name field in the certificate matches the host name in the URL to which you told Curl to connect.

When the value is 1, the certificate must contain a Common Name field, but it doesn't matter what name it says. (This is not ordinarily a useful setting).

When the value is 0, the connection succeeds regardless of the names in the certificate.

The default value for this option is 2.

Hope this helps. The above was from: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html

 - Kelly



On Mon, Feb 27, 2012 at 8:08 AM, Darien Caldwell <[hidden email]> wrote:
You may want to try getting Kelly at his office hours:  https://wiki.secondlife.com/wiki/Linden_Lab_Official:User_Groups
 
                  - Dari

On Thu, Feb 23, 2012 at 6:25 PM, Darien Caldwell <[hidden email]> wrote:
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters




_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Montavious Peccable
The way I read it, with HTTP_VERIFY_CERT set and CURLOPT_SSL_VERIFYHOST not set, the cert must be valid but need not be for the "right" host. That's a little looser than SNI as I understand it, but should enable your cert to work. Or did I miss something?

Rick

On Feb 27, 2012, at 8:39 PM, Darien Caldwell <[hidden email]> wrote:

So if I interpret that correctly, HTTP_VERIFY_CERT simply gives unauthenticated certificates a pass. But the CURLOPT_SSL_VERIFYHOST being set to 2 still requires that the certificate must point to the originating server.  In short, SNI scenarios won't work.  Thanks Kelly.
 
                   - Dari

On Mon, Feb 27, 2012 at 8:34 AM, Kelly Linden <[hidden email]> wrote:
HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:

CURLOPT_SSL_VERIFYPEER

This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

When negotiating a SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.

When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.

Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST to control that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:


CURLOPT_SSL_VERIFYHOST

This option determines whether libcurl verifies that the server cert is for the server it is known as.

When negotiating a SSL connection, the server sends a certificate indicating its identity.

When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the server is the server to which you meant to connect, or the connection fails.

Curl considers the server the intended one when the Common Name field or a Subject Alternate Name field in the certificate matches the host name in the URL to which you told Curl to connect.

When the value is 1, the certificate must contain a Common Name field, but it doesn't matter what name it says. (This is not ordinarily a useful setting).

When the value is 0, the connection succeeds regardless of the names in the certificate.

The default value for this option is 2.

Hope this helps. The above was from: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html

 - Kelly



On Mon, Feb 27, 2012 at 8:08 AM, Darien Caldwell <[hidden email]> wrote:
You may want to try getting Kelly at his office hours:  https://wiki.secondlife.com/wiki/Linden_Lab_Official:User_Groups
 
                  - Dari

On Thu, Feb 23, 2012 at 6:25 PM, Darien Caldwell <[hidden email]> wrote:
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters

_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Darien Caldwell-3
Montavious, I think your interpretation is correct. However, I get the impression that LL has the CURLOPT_SLL_VERIFYHOST set to it's default, which is 2.  Kelly didn't actually state this, but his pointing out that HTTP_VERIFY_CERT doesnt' modify it would indicate that.
 
            - Dari

On Mon, Feb 27, 2012 at 7:11 PM, Montavious Peccable <[hidden email]> wrote:
The way I read it, with HTTP_VERIFY_CERT set and CURLOPT_SSL_VERIFYHOST not set, the cert must be valid but need not be for the "right" host. That's a little looser than SNI as I understand it, but should enable your cert to work. Or did I miss something?

Rick

On Feb 27, 2012, at 8:39 PM, Darien Caldwell <[hidden email]> wrote:

So if I interpret that correctly, HTTP_VERIFY_CERT simply gives unauthenticated certificates a pass. But the CURLOPT_SSL_VERIFYHOST being set to 2 still requires that the certificate must point to the originating server.  In short, SNI scenarios won't work.  Thanks Kelly.
 
                   - Dari

On Mon, Feb 27, 2012 at 8:34 AM, Kelly Linden <[hidden email]> wrote:
HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:

CURLOPT_SSL_VERIFYPEER

This option determines whether curl verifies the authenticity of the peer's certificate. A value of 1 means curl verifies; 0 (zero) means it doesn't.

When negotiating a SSL connection, the server sends a certificate indicating its identity. Curl verifies whether the certificate is authentic, i.e. that you can trust that the server is who the certificate says it is. This trust is based on a chain of digital signatures, rooted in certification authority (CA) certificates you supply. curl uses a default bundle of CA certificates (the path for that is determined at build time) and you can specify alternate certificates with the CURLOPT_CAINFO option or the CURLOPT_CAPATH option.

When CURLOPT_SSL_VERIFYPEER is nonzero, and the verification fails to prove that the certificate is authentic, the connection fails. When the option is zero, the peer certificate verification succeeds regardless.

Authenticating the certificate is not by itself very useful. You typically want to ensure that the server, as authentically identified by its certificate, is the server you mean to be talking to. Use CURLOPT_SSL_VERIFYHOST to control that. The check that the host name in the certificate is valid for the host name you're connecting to is done independently of the CURLOPT_SSL_VERIFYPEER option.

Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:


CURLOPT_SSL_VERIFYHOST

This option determines whether libcurl verifies that the server cert is for the server it is known as.

When negotiating a SSL connection, the server sends a certificate indicating its identity.

When CURLOPT_SSL_VERIFYHOST is 2, that certificate must indicate that the server is the server to which you meant to connect, or the connection fails.

Curl considers the server the intended one when the Common Name field or a Subject Alternate Name field in the certificate matches the host name in the URL to which you told Curl to connect.

When the value is 1, the certificate must contain a Common Name field, but it doesn't matter what name it says. (This is not ordinarily a useful setting).

When the value is 0, the connection succeeds regardless of the names in the certificate.

The default value for this option is 2.

Hope this helps. The above was from: http://curl.haxx.se/libcurl/c/curl_easy_setopt.html

 - Kelly



On Mon, Feb 27, 2012 at 8:08 AM, Darien Caldwell <[hidden email]> wrote:
You may want to try getting Kelly at his office hours:  https://wiki.secondlife.com/wiki/Linden_Lab_Official:User_Groups
 
                  - Dari

On Thu, Feb 23, 2012 at 6:25 PM, Darien Caldwell <[hidden email]> wrote:
I suspect Kelly Linden would be the one to know the answer to this.
 
Calling Kelly, where are you? :)

On Wed, Feb 22, 2012 at 12:08 PM, Jessica Stein <[hidden email]> wrote:
I have been trying to connect to my server securely using SSL but it always results in status 499.

It occurred to me that llHTTPRequest() may not support SNI http://en.wikipedia.org/wiki/Server_Name_Indication

In which case it may be receiving a certificate for the wrong domain and rejecting it because of the domain mismatch despite setting HTTP_VERIFY_CERT to FALSE.

The questions are:
Does llHTTPRequest() support SNI?
If not, can it?
Does HTTP_VERIFY_CERT only disable verifying the Certificate Authority?
If so, should it also disable domain checks, expiry or should there be another setting to disable that?
Can the 499 status be divided into different numbers to clarify what the failure was or there be a way of getting more error information? (maybe in the body)

Can the documentation be clarified to address whatever the situation may be?


Here is a piece of failing code:

string URL = "https://buysensations.com/name2key.php";
string avname = "Amethyst Rosencrans";
key requestkey;


default
{
    state_entry()
    {
        requestkey = llHTTPRequest(URL,[HTTP_VERIFY_CERT,FALSE,HTTP_METHOD,"POST"],"s=people&q=" + llEscapeURL(avname));
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        if(requestkey == request_id)
        {
            llOwnerSay("Status " + (string)status + " Body: " + body);
        }
    }
}

Thanks,

Jessica
_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters


_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Jessica Stein
In reply to this post by Kelly Linden
Kelly,

What version of curl do the simulators have?  According to wikipedia this version of curl supports SNI:

libcurl / cURL since 7.18.1 (released 30 Mar 2008) when compiled against an SSL/TLS toolkit with SNI support

If the curl supports SNI it should get a certificate for the correct domain.

Jessica


From: Kelly Linden <[hidden email]>
To: Darien Caldwell <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Sent: Monday, February 27, 2012 10:34 AM
Subject: Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:
Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Kelly Linden
We use a later version than that.

 - Kelly

On Wed, Feb 29, 2012 at 7:00 PM, Jessica Stein <[hidden email]> wrote:
Kelly,

What version of curl do the simulators have?  According to wikipedia this version of curl supports SNI:

libcurl / cURL since 7.18.1 (released 30 Mar 2008) when compiled against an SSL/TLS toolkit with SNI support

If the curl supports SNI it should get a certificate for the correct domain.

Jessica


From: Kelly Linden <[hidden email]>

To: Darien Caldwell <[hidden email]>
Cc: "[hidden email]" <[hidden email]>
Sent: Monday, February 27, 2012 10:34 AM

Subject: Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

HTTP_VERIFY_CERT flag controls the CURLOPT_SSL_VERIFYPEER option given to curl for the request:
Of note it does not modify the CURLOPT_SSL_VERIFYHOST option:




_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters
Reply | Threaded
Open this post in threaded view
|

Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

Jessica Stein
What about the SSL/TLS stuff does it support SNI? can we tell what error is causing the 499? I am just speculating that it is the lack of SNI support that is causing the failure.

Jessica


From: Kelly Linden <[hidden email]>
To: Jessica Stein <[hidden email]>
Cc: Darien Caldwell <[hidden email]>; "[hidden email]" <[hidden email]>
Sent: Wednesday, February 29, 2012 11:36 PM
Subject: Re: [slscripters] llHTTPRequest("https://...") + SNI = status 499?

We use a later version than that.



_______________________________________________
Click here to unsubscribe or manage your list subscription:
https://lists.secondlife.com/cgi-bin/mailman/listinfo/secondlifescripters