https setup?

mozste
Joined: 2008-07-11

hi all,

I have a question about usage of https protocol from xlets.

Very basic question, in fact: has anyone successfully done it? Is there anything that needs to be configured prior to open the connection to an https URL?

I'm asking because I tried to open some https URLs from an xlet (without configuring anything different from standard http); here are my findings:

PC players: they correctly refuse pages with invalid certificates (javax.net.ssl.SSLHandshakeException), and accept the valid ones.

HW players: they accept everything!!

Any hints?

Thanks,
mozste

mozste
Joined: 2008-07-11

Hi Joe/all,

I'm still back at this topic: as a matter of fact I haven't been able to make https work in BDJ, even after reading the MHP documentation.

I'm trying to do something very basic, like accessing the URL https://hdcookbook.dev.java.net/index.html, which is certified by Equifax.

From what I understood from the MHP doc, I would need to put the CA certificate in the base directory of my application as file dvb.tls...equifax

That would be enough for the application to accept the connection and reject all other https urls that have different root certificates, right?

But there must be something wrong in how I put the certificate file into the application: what I do is export the certificate through the standard Windows certificate export tool, exporting as X.509 coded binary (*.DER), then rename that file (dvb.tls....) and bundle it in my JAR.

But still, HW players accept all connections, exactly as if that certificate file were never there.

I must be missing some key point. Can anybody help?
A link to an MHP application that does what I'm trying to achieve would be great too (I couldn't find anything on the web).

Thanks,
mozste

Joe Rice

Hi Mozste,

Have you modified the certificate with a hex editor to conform to the format specified by MHP?

See MHP 12.4.3.2.1 for the format - you essentially need to add the certificate_count and certificate_length data.

Sounds like you've got the name bit as specified in 12.10.3.2.1.1 - an example might be: dvb.tls.7fffabcd.6543.BDLive.com

Cheers,
Joe

On Jul 6, 2010, at 1:51 AM, bd-j-dev@mobileandembedded.org wrote:

> Hi Joe/all,
>
> I'm still back at this topic: as a matter of fact I haven't been able to make https work in BDJ, even after reading the MHP documentation.
>
> I'm trying to do something very basic, like accessing the URL https://hdcookbook.dev.java.net/index.html, which is certified by Equifax.
>
> From what I understood from the MHP doc, I would need to put the CA certificate in the base directory of my application as file dvb.tls...equifax
>
> That would be enough for the application to accept the connection and reject all other https urls that have different root certificates, right?
>
> But there must be something wrong in how I put the certificate file into the application: what I do is export the certificate through the standard Windows certificate export tool, exporting as X.509 coded binary (*.DER), then rename that file (dvb.tls....) and bundle it in my JAR.
>
> But still, HW players accept all connections, exactly as if that certificate file were never there.
>
> I must be missing some key point. Can anybody help?
> A link to an MHP application that does what I'm trying to achieve would be great too (I couldn't find anything on the web).
>
>
> Thanks,
> mozste
> [Message sent by forum member 'mozste']
>
> http://forums.java.net/jive/thread.jspa?messageID=476843
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: bd-j-dev-unsubscribe@hdcookbook.dev.java.net
> For additional commands, e-mail: bd-j-dev-help@hdcookbook.dev.java.net
>

mozste
Joined: 2008-07-11

Thanks Joe! That was the trick.

For future reference (even for myself) I'll recap what needs to be done in order to have https working on BD:

1. take the CA certificate of the https resource you want to access:

for instance, if you want to access https://hdcookbook.dev.java.net/index.html, open it with a browser (Firefox), go to the authentication info page -> view certificate -> details -> select the root (Equifax Secure CA) -> export -> save DER file.

2. manually add header as specified in MHP 12.4.3.2.1

in my example I add 5 bytes to the file: 00 01 00 03 24: '0001' is the number of certificates (1) and '000324' is the number 804 (original DER file size).

3. put the certificate in the JAR accessing the resource, in base directory path and with name dvb.tls...1, where and are to be replaced with your real values.

4. remember that also the certificate file must be signed along with the application.

5. now all the https connections referring to the installed CA will work, while all the others will fail with a javax.net.ssl.SSLHandshakeException.

InputStream is = new URL("https://hdcookbook.dev.java.net/index.html").openConnection().getInputStream(); // this works

InputStream is = new URL("https://www.paypal.com/en_US/i/logo/paypal_logo.gif").openConnection().getInputStream(); // this breaks, since paypal is authenticated by verisign
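Step 2 of the recap above (prepending the MHP 12.4.3.2.1 header to the exported DER file) is the part that is easy to get wrong by hand in a hex editor. The following Python script is an added example, not code from the thread or from the MHP/BD-J projects; it builds the header exactly as the recap describes it (a 2-byte certificate_count followed, per certificate, by a 3-byte certificate_length and the DER bytes), and it reads the header back so you can confirm a file you already produced is well formed before signing it into the JAR. It also checks that the DER input is a single complete X.509 SEQUENCE, so a certificate that was exported in Base64 (PEM) form or truncated is rejected instead of being wrapped silently. The output file name in `convert_file` is a placeholder; the real name follows the dvb.tls pattern Joe gives above, with your own org id, app id and host name. The 804-byte sample certificate is constructed, not a real CA certificate.

```python
import struct

# MHP certificate-file layout as described in this thread (MHP 12.4.3.2.1):
#   certificate_count   : 16-bit big-endian
#   for each certificate:
#     certificate_length: 24-bit big-endian
#     certificate()     : the raw DER-encoded X.509 certificate
HEADER_COUNT = struct.Struct(">H")   # 2 bytes
LENGTH_BYTES = 3                     # 24-bit length per certificate


def der_sequence_length(der: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE (tag 0x30), header included.

    Used as a sanity check: an X.509 certificate is one SEQUENCE, so this must
    equal len(der). PEM/Base64 output ('-----BEGIN ...') fails the tag check.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30); export as binary DER")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def wrap_mhp_certificates(certs):
    """Return the MHP-format blob for a list of DER certificates (usually one root CA)."""
    if not certs:
        raise ValueError("at least one certificate is required")
    if len(certs) > 0xFFFF:
        raise ValueError("certificate_count does not fit in 16 bits")
    out = bytearray(HEADER_COUNT.pack(len(certs)))
    for der in certs:
        if der_sequence_length(der) != len(der):
            raise ValueError("DER length does not match file size (truncated or trailing data)")
        if len(der) > 0xFFFFFF:
            raise ValueError("certificate_length does not fit in 24 bits")
        out += len(der).to_bytes(LENGTH_BYTES, "big")
        out += der
    return bytes(out)


def unwrap_mhp_certificates(blob: bytes):
    """Parse an MHP-format blob back into DER certificates, rejecting truncation or trailing bytes."""
    if len(blob) < HEADER_COUNT.size:
        raise ValueError("file too short for certificate_count")
    (count,) = HEADER_COUNT.unpack_from(blob, 0)
    pos = HEADER_COUNT.size
    certs = []
    for _ in range(count):
        if len(blob) < pos + LENGTH_BYTES:
            raise ValueError("truncated certificate_length")
        length = int.from_bytes(blob[pos:pos + LENGTH_BYTES], "big")
        pos += LENGTH_BYTES
        der = blob[pos:pos + length]
        if len(der) != length:
            raise ValueError("truncated certificate body")
        der_sequence_length(der)          # each entry must still be a DER SEQUENCE
        pos += length
        certs.append(der)
    if pos != len(blob):
        raise ValueError("trailing bytes after last certificate")
    return certs


def convert_file(der_path: str, out_path: str) -> bytes:
    """Read a DER root certificate and write the MHP-format file; returns the 5-byte header for logging."""
    with open(der_path, "rb") as f:
        der = f.read()
    blob = wrap_mhp_certificates([der])
    with open(out_path, "wb") as f:
        f.write(blob)
    return blob[:HEADER_COUNT.size + LENGTH_BYTES]


# Constructed sample: a 804-byte DER SEQUENCE (0x30 0x82 0x03 0x20 + 800 bytes of body),
# the same size as the Equifax root in the recap, so the header must be 00 01 00 03 24.
SAMPLE_DER = b"\x30\x82\x03\x20" + bytes(800)


def sample_header() -> bytes:
    """Header produced for the constructed sample certificate."""
    return wrap_mhp_certificates([SAMPLE_DER])[:5]


if __name__ == "__main__":
    # Placeholder output name; real name is dvb.tls.<orgid>.<appid>.<host> per MHP 12.10.3.2.1.1
    print("header for sample:", sample_header().hex(" "))
    print("round trip ok:", unwrap_mhp_certificates(wrap_mhp_certificates([SAMPLE_DER])) == [SAMPLE_DER])
```

Run `convert_file("equifax.der", "dvb.tls.PLACEHOLDER")` against the DER you exported from the browser and compare the returned header bytes with the first five bytes of the file you produced by hand; a mismatch in the 3-byte length is the usual reason a hand-edited file is ignored by the player. After the file is in place, the second URL test in the recap (a host chained to a different root) is the check that the player is actually verifying and not still accepting everything.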

Joe Rice

The hardware player behavior sounds right - by default, no certificate checking is done unless a certificate is embedded in the JAR in the MHP-defined format. See MHP 12.10.3 for more details.

Cheers,
Joe

On Jan 26, 2010, at 6:36 AM, bd-j-dev@mobileandembedded.org wrote:

> hi all,
>
> I have a question about usage of https protocol from xlets.
>
> Very basic question, in fact: has anyone successfully done it? Is there anything that needs to be configured prior to open the connection to an https URL?
>
> I'm asking because I tried to open some https URLs from an xlet (without configuring anything different from standard http); here are my findings:
>
> PC players: they correctly refuse pages with invalid certificates (javax.net.ssl.SSLHandshakeException), and accept the valid ones.
>
> HW players: they accept everything!!
>
>
> Any hints?
>
> Thanks,
> mozste
> [Message sent by forum member 'mozste' (stefano.padovan@mymozaik.com)]
>
> http://forums.java.net/jive/thread.jspa?messageID=383028

mozste
Joined: 2008-07-11

Wow,

I totally missed that part.

Thanks a lot Joe!