network.request() and SSL self-signed certificates

Solar2D Daily Builds and Public Releases
#1

Hello everyone,

Yesterday I configured Apache on my server to use HTTPS/SSL encryption. Currently, for development purposes, it is using self-signed certificates, with the server itself being the Certificate Authority.

This works fine with every desktop browser I’ve tested so far (Firefox, IE, Safari), albeit with a warning. However, there doesn’t appear to be a way with Corona to trust the certificate from my server, aside from bringing up the browser.

event.error prints this:
[text]The certificate for this server is invalid. You might be connecting to a server that is pretending to be “MYWEBSITE” which could put your confidential information at risk.[/text]

Two questions:

  1. Are there any parameters to trust/allow these “invalid” self-signed certificates?
  2. If not, is there a different method besides network.request() and native.showWebPopup() that can be used for the web service?

Any help would be greatly appreciated!
Paul [import]uid: 3027 topic_id: 28137 reply_id: 328137[/import]

#2

Hi Paul,

I’ve spent quite a lot of time working with the Corona networking API, but I’m by no means an expert on the subject.

  1. I haven’t seen or found any way to force Corona to trust the self-signed certificate.
  2. As far as I know the only other way to make web requests would be to use Lua Socket, but that doesn’t appear to support HTTPS at all.

I do have another suggestion though, why not just get a free SSL certificate. It might be worth checking out StartSSL.

Ali [import]uid: 10499 topic_id: 28137 reply_id: 113712[/import]

#3

Just a note in case it’s useful to someone, I got this error from my corona app on two separate iPhone 3GS devices both running iOS 4.3.5 - but not on any other configuration I tried.

It took a while to figure out why the game was crashing on just iPhone 3GS, and not 3G/4/4S or android, and I’m still not sure why I get that error. The service I’m connecting to does not use self-signed certs, so I have no idea whats going on.

It would be nice to have a trust/allow option to get around this problem on the 3GS. (or maybe it’s an iOS 4.3.5 issue?)

-Angelo
[import]uid: 12822 topic_id: 28137 reply_id: 113727[/import]

#4

Ali, thank you for the quick response! It was extremely helpful and significantly sped up debugging.

Your suggestion for StartSSL looks like a viable option, and we will certainly look into using that when we’re closer to finished. At the moment, since we’re not production ready, we’ve just reverted back to regular HTTP to continue development and will implement the certificates later. This was more of a “proof of concept” test than something we needed right away.

As a side note, it would be nice to get an official response on the subject. :slight_smile: As Angelo said, there may be cases where we need to force the trust of a security certificate, whether due to bugs or the case of self-signing.

Are there any plans to implement a forced certificate trust option in Corona SDK?

[import]uid: 3027 topic_id: 28137 reply_id: 114608[/import]