[ https://issues.apache.org/jira/browse/FLEX-23755?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14737598#comment-14737598 ]

Doug Pierce commented on FLEX-23755:
------------------------------------

Any workaround for this? Would love to develop something using SecureSocket, 
but as tom_h said, that's not suitable for development purposes. Have 
SecureSocket support a development self-signed cert and all will be good.

> SecureSocket in AIR 2.0 is not suitable for development and/or production use 
> due to the need of a valid server certificate
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLEX-23755
>                 URL: https://issues.apache.org/jira/browse/FLEX-23755
>             Project: Apache Flex
>          Issue Type: Bug
>          Components: .Unspecified - Framework
>    Affects Versions: Adobe Flex SDK 4.1 (Release)
>         Environment: Affected OS(s): All OS Platforms
> Language Found: English
>            Reporter: Adobe JIRA
>
> First of all, is this the right place to report issues in prereleases of AIR 
> 2.0?
> Steps to reproduce:
> 1. Try to use SecureSocket with a self-signed certificate (during 
> development) or existing production servers which are not under the 
> developer's control (Google Talk)
> 2. Listen for IOErrorEvent.IO_ERROR on the SecureSocket
> 3. Trace the value of the "certificateStatus" property in the IOErrorEvent
>  
>  Actual Results:
> The "certificateStatus" property in the IOErrorEvent will always indicate a 
> value of invalidity (see 
> http://help.adobe.com/en_US/FlashPlatform/beta/reference/actionscript/3/flash/security/CertificateStatus.html).
> It is very common to have self-signed certificates during development. This 
> restriction of SecureSocket makes development and testing of according 
> services impossible.
> In addition, a lot of services on the internet do not present valid 
> certificates. For instance it is not possible to connect to Google Talk XMPP 
> Servers on talk.google.com as the certificate has a different CN. Of course, 
> the developer won't be able to change existing certificates on third party 
> servers.
>  
>  Expected Results:
>  It should be possible to utilize SecureSocket even if the certificate is 
> "invalid". I do suggest additional properties of SecureSocket:
> - to allow the use of self-signed certificates
> - specify the actual CN that is going to be presented in the certificate
> - possibly allow even more conditions to allow development interim
>  
>  Workaround (if any):
> - Do not use SecureSocket. The irony of this "workaround" is that things will 
> be as insecure as without the availability of SecureSocket.
> - Use "as3crypto" (http://code.google.com/p/as3crypto/). While this solution 
> is inefficient in terms of performance, developers have to take care of its 
> bugs and flaws.
> Please, refine SecureSocket previous to the release of AIR 2.0. Thank you!



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
