Hello.
Now we are looking for cross-platform SDK for mobile business applications.
While investigating Corona SDK we met issue: there is no possibility to deal with HTTPS servers that use “untrusted” certificates (e.g. self signed)
So, question is: can Corona SDK provide connectivity support to such servers or not?
Thanks.
I’ll ask.
toshik - it doesn’t look like we plan on supporting this soon.
Can you explain your scenario and why this would be helpful?
Well, we are developing application for controlling some server software, that software provides API through HTTPS requests.
Application users should be able to use their own deployed server instances, and, usually most of them do not buy SSL certificates for it and uses self-signed.
So, in that case application will be not useful for most of people, because Corona can not simply pass SSL check…
toshik - understood, thank you for the feedback. We’ll see if we can add this to the roadmap soon. Can you also add/vote for it here? http://feedback.coronalabs.com
I’ll ask.
toshik - it doesn’t look like we plan on supporting this soon.
Can you explain your scenario and why this would be helpful?
Well, we are developing application for controlling some server software, that software provides API through HTTPS requests.
Application users should be able to use their own deployed server instances, and, usually most of them do not buy SSL certificates for it and uses self-signed.
So, in that case application will be not useful for most of people, because Corona can not simply pass SSL check…
toshik - understood, thank you for the feedback. We’ll see if we can add this to the roadmap soon. Can you also add/vote for it here? http://feedback.coronalabs.com
As a bit of bump, this would be very useful for me and other people using Amazon (and similar services) as a content delivery network for apps.
The way Amazon’s CloudFront service works is that you load images or content by making an in-app connection to cdn.example.com, which may be a DNS alias for drj6nl5tupx60.cloudfront.net (not an actual AWS hostname). Amazon will generate a cache hit or miss and, if not cached, connect to your example.com servers.
The ideal way to do this is to generate an SSL certificate for the CloudFront distribution, but Amazon charges you $7,200 per year for that privilege: http://aws.amazon.com/cloudfront/pricing/
So if you want to load images from cdn.example.com via SSL without giving Amazon $7,200 a year, there will be an invalid certificate chain error.
This is a clear case where it would be useful for Corona SDK to support bypassing certificate checks for use in real-world production environments. Any idea when it will happen?
I will bring this up to Engineering again, but I’m not sure where this will end up in the priorities of other things we have to get done.
Rob
Thanks, Rob.
FYI here’s a Hacker News discussion thread today on this topic:
https://news.ycombinator.com/item?id=6948068
One participant suggested this: “Wouldn’t it be better to be able to specify a set of accepted key fingerprints, instead of bypassing security checks altogether? Outright bypassing security checks will make MITM too easy.”
As a bit of bump, this would be very useful for me and other people using Amazon (and similar services) as a content delivery network for apps.
The way Amazon’s CloudFront service works is that you load images or content by making an in-app connection to cdn.example.com, which may be a DNS alias for drj6nl5tupx60.cloudfront.net (not an actual AWS hostname). Amazon will generate a cache hit or miss and, if not cached, connect to your example.com servers.
The ideal way to do this is to generate an SSL certificate for the CloudFront distribution, but Amazon charges you $7,200 per year for that privilege: http://aws.amazon.com/cloudfront/pricing/
So if you want to load images from cdn.example.com via SSL without giving Amazon $7,200 a year, there will be an invalid certificate chain error.
This is a clear case where it would be useful for Corona SDK to support bypassing certificate checks for use in real-world production environments. Any idea when it will happen?
I will bring this up to Engineering again, but I’m not sure where this will end up in the priorities of other things we have to get done.
Rob
Thanks, Rob.
FYI here’s a Hacker News discussion thread today on this topic:
https://news.ycombinator.com/item?id=6948068
One participant suggested this: “Wouldn’t it be better to be able to specify a set of accepted key fingerprints, instead of bypassing security checks altogether? Outright bypassing security checks will make MITM too easy.”
Rob any news on this?
Rob any news on this?
BUMP
Any news on this?