A customer has requested a way to validate if the web server from where the TrueUpdate data files and/or updaters, installers or patches are to be downloaded has a valid SSL certificate, to make the whole update process even more secure. Assuming that somehow a server could be impersonated, using a self-signed or invalid SSL certificate, an attempt like this could be detected before any file is downloaded from this location. If wanted, an error message could be displayed, reporting an issue found with the SSL certificate, such as these examples, or the whole process could just terminate silently without alerting the end user about a problem, giving you some time to work on the issue.
The plugin can test if a common name on the certificate matches the server name, or if it is on the list of "subject alternative names", or SANs. It should work with wildcard certificates, such as "*.domain.com".
How to use:
After installing, add the plugin to the project.
You could add a test of the SSL certificate at the start of the Client Script, log the error, and abort.
Possible error codes provided by this plugin include:
12182 - Invalid certificate.
12183 - Certificate chain broken.
12184 - Expired certificate found.
12185 - Self-signed certificate detected.
12186 - Attempt to use an untrusted root certificate.
12187 - Revoked certificate found.
12188 - Server name does not match certificate.
12189 - Could not load certificate.
12190 - OCSP check failed.
I have implemented the action HTTP.IsValidCertificate() in my existing HTTP plugin, which also allows submitting multipart forms (submitting files to a remote web server) via HTTP or HTTPS, as well as resuming aborted or incomplete downloads from web servers via HTTP and HTTPS.
The installer of this plugin will deploy the required files for AutoPlay Media Studio 7 and 8, Setup Factory 8 and 9, TrueUpdate and Visual Patch, and can be downloaded from here.
Ulrich
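The server-name test described in the post (common name, SANs, and wildcards such as "*.domain.com") can be illustrated with the short Python sketch below; it is an added example, not the plugin's code or anything from the original post. It assumes the stricter RFC 6125 convention of consulting the common name only when the certificate has no SANs, which may differ from the plugin's behaviour; all function names and sample values are constructed. A `False` result corresponds to the condition the plugin reports as 12188.

```python
from typing import List, Optional


def _match_name(pattern: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the requested host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Accept a wildcard only as the entire left-most label, and require at
    # least two more labels so that "*.com" can never match anything.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label: "*.domain.com"
    # covers "www.domain.com" but not "domain.com" or "a.b.domain.com".
    return (len(h_labels) == len(p_labels)
            and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])


def server_name_matches(host: str, common_name: Optional[str],
                        sans: List[str]) -> bool:
    """True when the host is covered by a SAN entry or, only if the
    certificate carries no SANs, by its common name (assumed policy)."""
    candidates = sans if sans else ([common_name] if common_name else [])
    return any(_match_name(name, host) for name in candidates)


def demo() -> dict:
    """Run the check over constructed certificate data for an update host."""
    sans = ["domain.com", "*.domain.com"]  # constructed sample SAN list
    hosts = ["updates.domain.com", "domain.com",
             "a.b.domain.com", "updates.domain.com.evil.example"]
    return {h: server_name_matches(h, "domain.com", sans) for h in hosts}


if __name__ == "__main__":
    for host, ok in demo().items():
        print(f"{host:35} {'match' if ok else 'MISMATCH'}")
```
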