
strange code flow for url generation #24

Open
emdete opened this issue Nov 9, 2020 · 3 comments

Comments

@emdete

emdete commented Nov 9, 2020

In de/fhg/iais/roberta/connection/ServerCommunicator.java a URL is created from hostname & port for https. In case of failure it silently (!) retries with http.

I found the case because java 1.9 doesn't work here. It throws an exception in the ssl code (need to investigate that). But the error seen is that plaintext is used on https port.

@bjost2s
Contributor

bjost2s commented Nov 13, 2020

The reason for the http connection is the communication with local servers like raspberry pi. We do not have a better solution to distinguish between https servers and local servers. Do you have an idea?

@rbudde
Contributor

rbudde commented Nov 13, 2020

To describe the situation in more detail:

  • the communicator opens a connection to a server
  • if the server is localhost (this is the case when a developer debugs), http is used. That is always fine for me
  • otherwise it may be the official server (supports https) or a cloned server
  • a cloned server that is set up with one of the many providers will support https (usually ...)
  • or it is a small local device (as the PI3 or 4), that in almost all cases doesn't support https. Such a device is usually set up by a teacher in a classroom for some units. Our server runs on these devices nicely

Currently we see no possibility to distinguish these use cases. We could inform the user about the case ("we got no https ... are you sure, ..."), but we believe that this would lead to more confusion and not to more clarity.

We would greatly appreciate any ideas how to solve this problem.

@emdete
Author

emdete commented Nov 13, 2020

The code uses url.contains("localhost") to check for a connection to localhost. This is not a valid test because a domain like xlocalhost.de could exist and would be positive for that test.

The code falls back to http after any failure in the code before. Not even the error is logged. This is my main concern.

The proper way would be to use URL-parsing provided by java and use getHost to check if that is "127.0.0.1" or "localhost". If so switch to http, otherwise use https.

On top a way should be provided to pinpoint the protocol to a desired option (like wanting http on a server in the local network that hasn't any ssl cert) or forcing ssl on localhost because it has a valid cert.

Finally the exception should not change the protocol, especially not to a less secure solution.

What do you think?
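An added sketch of the scheme selection proposed in this comment, written for this thread and not taken from the project's ServerCommunicator: the host is taken from java.net.URI rather than from a substring match, an explicit scheme override is honoured, and a connection failure is logged and propagated instead of triggering a retry over http. The class and method names (SchemeSelector, baseUrl, open, forcedScheme) are hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

// Illustration only; hypothetical names, not the project's code.
public final class SchemeSelector {
    private static final Logger LOG = Logger.getLogger(SchemeSelector.class.getName());

    // Exact match on the parsed host: "xlocalhost.de" does not qualify.
    static boolean isLoopback(String host) {
        if (host == null) return false;
        String h = host.toLowerCase();
        return h.equals("localhost") || h.equals("127.0.0.1") || h.equals("[::1]");
    }

    // hostAndPort is what the user configured ("pi.lan:1999" or "https://lab.example.org").
    // forcedScheme is an optional explicit pin ("http" or "https"); empty means choose automatically.
    public static URI baseUrl(String hostAndPort, Optional<String> forcedScheme) throws URISyntaxException {
        // Parse with java.net.URI; input without a scheme is parsed as an authority ("//host:port").
        URI parsed = hostAndPort.contains("://") ? new URI(hostAndPort) : new URI("//" + hostAndPort);
        String host = parsed.getHost();
        if (host == null) throw new URISyntaxException(hostAndPort, "no host found");
        String scheme;
        if (forcedScheme.isPresent()) {
            scheme = forcedScheme.get();                   // operator pinned it (e.g. http on a LAN Pi)
        } else if (parsed.getScheme() != null) {
            scheme = parsed.getScheme();                   // user wrote the scheme explicitly
        } else {
            scheme = isLoopback(host) ? "http" : "https";  // default: https unless loopback
        }
        if (!scheme.equals("http") && !scheme.equals("https")) {
            throw new URISyntaxException(hostAndPort, "unsupported scheme " + scheme);
        }
        return new URI(scheme, null, host, parsed.getPort(), "/", null, null);
    }

    // A failure is logged and rethrown; the scheme chosen above is never changed here.
    public static HttpURLConnection open(URI base) throws IOException {
        HttpURLConnection c = (HttpURLConnection) base.toURL().openConnection();
        try {
            c.connect();
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "connection to " + base + " failed", e);
            throw e;  // no silent fallback to http
        }
        return c;
    }
}
```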
