AltME groups: search

No, I think Kaj produced a Curl binding for https

Got it working through SSH instead of HTTPS. I spent a whole day 
setting up GitHub to be able to fork and push Red contributions

Just some additional notes to the Android release. It also contains 
the latest version of TLS scheme including supported ciphersuites. 
And there is updated HTTP/HTTPS scheme which should be more stable 
and handle network timeouts in better way.

R3/Saphir OSX Version updated, should now have working HTTPS scheme.

Hi Doc, it is a great piece of code! Thanks a lot.
in readme file it says:

http://raw.github.com/dockimbel/printer-driver/master/printer-scheme.r

but it doesn't work. I think it should be https instead of http, 
then it works:

https://raw.github.com/dockimbel/printer-driver/master/printer-scheme.r

@Robert, is https now working on r3/Droid ?

or rather system/schemses/https/timeout

this works, the other two do not

 system/schemes/default/timeout: 0:01:10
 ;system/schemes/http/timeout: 0:01:10
;system/schemes/https/timeout: 0:01:10

Basically the http protocol sees a redirect eg. from http:// google 
to https google and complains.

Amazon now insists that soap requests use https so back to using 
their REST protocol

Cyphre, how much work would it take to get https in ?  I see that 
you have tls now

Graham, you can use HTTPS now. We don't support all cipher algos 
yet but it should work with most HTTPS connections.


We are currently looking into geting more cipher algos implemented. 
Than all HTTPS things should work.

I can probe system/schemes/tls and /https

Graham, the TLS protocol scheme works transparently on tcp ports. 
So you just need to change the port/scheme from 'tcp to 'tls and 
you have the tcp connection secured. Then you can build any higher-level 
protocol over it. Having made the TLS scheme transparent I needed 
to make only few minor changes to the Gabriele's HTTP scheme to be 
able support HTTPS as well.

BTW getting the TLS/HTTPS to run on Android proves that our solution 
is good and can be easily used in crossplatform way. No need for 
any OpenSSL-like bloat anymore in R3 ;)

Great news on all the crypto/TLS/HTTPS stuff guys!

Is there a problem with google generating images with a https website? 
 You'll get all those annoying messages about mixed content

It's not, but most of the time (at least, here in France), corporates 
allow only HTTP/HTTPs traffic (and sometimes FTP).

And you can use https if you wish too.

rambo'd https posting bug.

what happened to my https rambo report ?? :(

If it matters, I am accessing an Outlook Web Access site, https scheme, 
with /Command.

Try  host: "..."  scheme: 'https ...    my mistake.

https authentication.  No experience.  Sorry.

Brian,

    read/custom [scheme: 'https host: "server" path: "path/to/stuff" 
    user: "username" pass: "password"]

works. I don't need to recreate the port scheme, as it does that 
secure: true in its code. I get the same error with Microsoft's VBScript 
fix. I think it's something server-side. Thanks for the help with 
the syntax though - it's been a while.

There is a system/schemes/http/timeout field    probably the same 
for https

Is there an async https protocol in the offing?

mine works with both http and https

You might be thinking of one of these:
>> first system/schemes

== [self default Finger Whois Daytime SMTP ESMTP POP IMAP HTTP FTP 
NNTP HTTPS]

I'm no security expert either, that's why I was asking!  But I guess 
I am just saying that native programs don't seem to be to me in the 
long run a security benefit over a web-based one... thus I'd take 
security out of the argument for why REBOL/View would be better than 
REBOL/WebView.  It could be made to use https out of the box, I guess..

You really have to trust your source when using JSON to a browser 
though. Standard usage is to load with eval - only safe to use on 
https sites because of script injection.

Any SSH / OpenVPN experts here? I have a little strange problem. 
I run my SSHD on port 443, so that I can connect to it via a HTTPS 
proxy. Than I use "dynamic portforwarding" to tunnel all kind of 
applications through the SSH connect.

Anyone has any recommandations how to setup linux for top security 
.. I have closed all ports except http https while ssh is limited 
to my static IP address. I have intergrity detection (tripwire that 
runs once per day and reports me all the changed files). Doc recommended 
Snort .. does using snort make sense in such setup where only those 
2 / 3 ports are open? I suspect snort detects attacks at realtime. 
I want some realtime thing also because once per day for detecting 
attacks is basically much much too late.

unless you have specific needs (like https) I really suggest you 
take an hour and look into it.  it might change how you build all 
of your rebol web stuff... better sooner than later no?

I have a problem with HTTPS over a proxy. I'm using REBOL/Command 
2.5.6.3.1, that came with our SDK. This version first need the HTTPS 
protocol to be activated using this code:


net-utils/net-install HTTPS make system/schemes/http/handler [] 443

system/schemes/https: make system/schemes/https [user-agent: reform 
["REBOL" system/product system/version]]

I activated trace by typing: trace/net on

Our proxy is set up ok, as I can read the internet with a browser 
using it (both HTTP and HTTPS).
Now if I in REBOL do this:

>> s: read https://webservices.rki.dk

I get:

URL Parse: none none webservices.rki.dk none none none
Net-log: ["Opening" "ssl" "for" "HTTPS"]
connecting to: webservices.rki.dk
Net-log: {CONNECT webservices.rki.dk:443 HTTP/1.1
Host: webservices.rki.dk:443

}
Net-log: "HTTP/1.0 200 Connection established"
Net-log: {GET https://webservices.rki.dk:443/ HTTP/1.0
Accept: */*
Connection: close
User-Agent: REBOL Command 2.5.6.3.1
Host: webservices.rki.dk:443
}
Net-log: none

** User Error: Error.  Target url: https://webservices.rki.dk:443/ 
could not be
retrieved.  Server response: none
** Near: s: read https://webservices.rki.dk

Yes, I get this result:

>> s: read https://webservices.rki.dk
URL Parse: none none webservices.rki.dk none none none
Net-log: ["Opening" "ssl" "for" "HTTPS"]
connecting to: webservices.rki.dk
Net-log: {GET / HTTP/1.0
Accept: */*
Connection: close
User-Agent: REBOL Command 2.5.6.3.1
Host: webservices.rki.dk:443
}
Net-log: "HTTP/1.1 200 OK"
Net-log: ["low level read of " 2048 "bytes"]
Net-log: ["low level read of " 2048 "bytes"]
Net-log: ["low level read of " 2048 "bytes"]
== {
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
  <HEAD>
    <title>RKI Webservices</title>
    <meta na...

curl is a command line tool for transferring files with URL syntax, 
supporting FTP, FTPS, HTTP, HTTPS, GOPHER, TELNET, DICT, FILE and 
LDAP. Curl supports HTTPS certificates, HTTP POST, HTTP PUT, FTP 
uploading, HTTP form based upload, proxies, cookies, user+password 
authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file 
transfer resume, proxy tunneling and a busload of other useful tricks.

I also tried reading a https page using command and squid, and couldn't 
get it to work.

I started it Tuesday 11:26 with a problem regarding HTTPS over a 
proxy.

I've solved the problem with HTTPS thru a proxy. The problem is, 
that the commands to the proxy is sent with only a newline in the 
end of each line. If I replace the newlines with carriage-return 
newline ("^M^/"), it works. Within the SDK, the problem is in the 
file "source/prot-http.r".

Geomol, that is a known bug in ssl, see RAMBO #3532, it is interesting 
to know that it affects HTTPS with proxy

Does anyone know away to automate the checking of a website that 
requires https, authentication and probably cookies. I basically 
want an application to log into my ebank account and extract some 
information.

Does anyone have experience with NetApp NetCache proxies? http://www.netapp.com/products/netcache/

My REBOL solution calling services over HTTPS works ok with the Squid 
proxy, but not with NetCache. Any ideas?

hmm, it works from encmdface.exe, but not from encmd.exe - that is 
strange, as there is no single View related function. Is encmd.exe 
missing https protocol?

Pekr, there was some problem with HTTPS in the SDK. I don't know, 
if it has been fixed in your version.

http://www.rebol.net/cgi-bin/rambo.r?sort=1&limit=1&cmd=Search&id=&pattern=HTTPS

prot-http.r does not define https but only http. you need to net-install 
https too (just copy&paste the line that installs http in prot-http.r 
and replace protocol name and port id)

Anybody know a workaround for this?

from rebcmdview.exe and/or old desktop:

REBOL []
print length? read/lines http://www.google.com	;; works
print length? read/lines http://www.rebol.com	;; works
print length? read/lines https://www.google.com	;; works
halt

11
242
11

encapsulate (encmdface.exe) above and run the exe:

11
242
** Access Error: Invalid port spec: https://www.google.com
** Near: print length? read/lines https://www.google.com
halt
** Press enter to quit...

happens on any https page

Yes, check to see if https is installed.

I don't know how it's with https, I don't have /command

I don't know how it would have HTTPS server support, even with /Command. 
I thought /Command only has SSL client support.

well, command can read https pages...?

So, without server side SSL, Cheyenne can't do https .. unless it's 
thru stunnel.

About server-side SSL : after several beers last year in Paris, Carl 
told me that the ssl:// scheme could be turn to work as server-side 
with just the right flag set (IIRC, was about setting the right "direction" 
in encryption), then you "just" have to implement server-side HTTPS 
protocol to support it fully. I've since that, tryed several times 
to get the info about the "magic flag" from Carl, without success. 
So I've prepared several dozens bottles of beer to be sure to get 
the info from him at the next DevCon ;-).

Just dunno, if security (https) can be done that way, support for 
certificates etc., it is belongs to kernel ...

does this include https ?

I would love to see a community driven project for creating full 
SSH, HTTPS, SFTP access for R3. Carl doesn't need to supervise that.

Is SSL/https going to be supported in R3 core? I don't think the 
old "only available in pro version" will stand up any more, it is 
 essential for most web api's now.

I've got so many things I'd like to try R3 on (even in alpha state), 
unfortunately all require https

As for me, current situation means just one thing. As a customer/developer, 
looking at feature sheet for R3, searching for the SSL and HTTPS, 
all I can see is big NO.

the feature is so fundamental, like Unicode is. That is why it should 
be delivered by default, with no excuses. There is no web without 
https nowadays ...

If we did not get single networking protocol in 3 years, no single 
fix to http protocol (and we are talking mezzanine level here), WHEN 
do you expect, that feature like SSL/TLS, https could appear for 
R3? That is my only worry here. I am not agains the delivery by some 
"third party", I am just worried judging by recent experience ...

Pekr as for HTTPS protocol I agree with the other people here. Lets 
some external developer do the work once the basis is complete.

btw - some time ago someone stated here, that current https scheme 
is done "old school". Was that you? Isn't now the right time to define 
the better way (if any) to aproach schemes and networking? :-)

3) Integration - the toughest part - first - old plug-in way of integration 
was not optimal. REBOL's code  of 'get-net-info is outdated and broken. 
First thing is to get proxy info automatically, if possible, but 
still allow it to be settable. Most corporate users do use proxy, 
without it, plug-in in non-existant product for corporate environment 
imo. Why to allow manual settings? Well, dunno how many companies 
do use it, but our company does :-( ..... "use script for proxy configuration" 
- and the script is JS code, which browser can interpret, but not 
rebol itself, so we need ability to set it manually


... or - second point and probably the main point from the architecture 
pov - do we allow what rebol allows? Do we allow our own networking, 
or will we allow only to tunnel via browser? One one hand, we would 
get https, on the other hand, if we limit it, we are not talking 
about rebol anymore, but sligthly different rebol based product. 
As for me, I am not able to see all the security related concerns, 
so I let it to others here ...

that is questionable, Volker. The thing is - if you "limit" (or extend 
- https) Rebol's functionality to that of browser - do we talk rebol 
hjere anymore?

Is the plugin served from an HTTPS site? It would be nice to avoid 
man-in-the-middle attacks. I'm always a little wary of putting non-SSL 
sites on the trusted sites list.


For that matter, when you have one site serving the html and script, 
and another serving the plugin, which site needs to be trusted, as 
far as the major browsers are concerned? I would think just the plugin 
serving site, but I don't quite remember right now...

imo not ... proxy is not about security imo. Https requires ssl inbuilt, 
and it is only in Command imo. But if you mean that security should 
not be luxury and it should be provided by default in all rebol versions, 
then I am with you :-)

If we have access to the win32 http api, we should get https as well...

I agree, if you can't use plugin under HTTPS, then it's largely useless 
in secure environments.

win32 api https
 http://blogs.msdn.com/ie/archive/2005/10/31/487509.aspx

WinInet.dll offers a Win32 API for http, https, and ftp downloads 
combined with other API for caching and parsing.  It\u2019s a very 
popular binary, and in addition to being part of the IE platform, 
is widely used in Windows client applications for its Networking 
services.

These proposed refinements would use WinInet, and consequently, support 
HTTPS.

Is this what you have to do SSL enable/wrap Cheynne ? http://www.stunnel.org/examples/https_windows.html

I just intalled the windows version, it works very well. I just had 
to edit the stunnel.conf file to uncomment the HTTPS config options.

yes... must agree with Doc. It's very easy, just download the latest 
precompiled version (I have 4.20) install, uncomment the https as 
doc said and than do:
      stunnel.exe -install
to install it as service.. and:
      stunnel.exe -start
to start it.

What I would like to know, is if I can use it to get https urls from 
Rebol, not just to encrypt my server?

Is this what you did ?  http://www.stunnel.org/examples/https_windows.html

Then Start => Programs => STunnel => Edit stunnel.conf : uncomment 
the [https] section, then save it.

i missed the comment  in front of ;https[] in config

I've converted my site to https as well using the above howto .. 
only took 2 mins.  As you say, I have to generate a new certificate.

https://www.compkarori.co.nz/

How you detect that the page request is http and not https so that 
you can redirect the request?

so you simulate https via stunnel? Does it work? I thought that Stunnel 
is mainly to create VPNs, so that you need stunnel on both sides?

stunnel basic usage is to add SSL functionnality as wrapper to non-SSL 
daemons. So it gives you HTTPS for free ;-)

So it seems that the issue is either with the HTTPS protocol in REBOL 
or with stunnel.

I don't have a https server I can test ...

So, I guess this means it's a Rebol https problem :(

http continues okay.
https fails at 15360 bytes

And also to deal with authentication.  Basic authentication will 
be used for each api call .. and the whole site will be behind https.

Is HTTPS supported? If not, can I make use of lighttpd HTTPS support 
with this revers-proxy setup?

Q does cheyenne support serving  https ?

I use Cheyenne behind https.

Re HTTPS: there's a ticket opened in RAMBO since October 2006 from 
Maarten asking for that : http://www.rebol.net/cgi-bin/rambo.r?id=4170&
. If Carl could fix it for 2.7.7, that would be a great new feature.

I use Cheyenne as a reverse proxy. I think in this setup the HTTPS 
things is handled by the primary web-server, communication to the 
revers proxy is non encrypted and hence this setup should make it 
possible to use Cheyenne's RSP with HTTPS. Not elegant but it should 
do the job.

so most people put their time on tackling the real problems like 
sql injection and https use properly

and use https properly.

Do vhosts work with stunnel ?  ie. I can redirect incomming https 
to different vhosts?

This is the STunnel example doc for https .. the webmaster at the 
top doesn't recommend it that much ... http://www.stunnel.org/examples/https_windows.html


This shows nginx with separate  ssl usage and also using it as reverse 
proxy (with load balancing also)  http://www.linuxjournal.com/article/10108

I was thinking of giving users a choice to use or not use http or 
https .. so I would leave both open (if that doesn't mean something 
bad which I don't know)

I got it working with that sample pem .. the stupid mistake is that 
if you uncomment it like this 
; [https]
accept  = 443
connect = 80
TIMEOUTclose = 0

instead of like this 

[https]
accept  = 443
connect = 80
TIMEOUTclose = 0


you get some strange errors ... now I need to make those bought certs 
work somehow 

( I WILL WRITE A TUTORIAL ABOUT THIS .. how to setup cheyenne with 
stunnel)

For example, you can program Chrome to hold the contents of HTTPS 
between sessions, which FF does not do.

Sure, you can change settings, but giving people a single "thing" 
that does it correctly works for me.