
I've been struggling recently with using the standalone DartVM and SSL as a client. I'm of the understanding that Dart uses Mozilla NSS to manage the certificates. What I'm having a problem with is that on Windows, for example, there exist no binaries that I can find (other than third parties compiling the Mozilla source and uploading to mega or similar, which is pretty alarming if you ask me) released for the Windows platform. Compiling this C++ code is not a trivial task. I've not the resources to do so on my own under the Windows platform. This is why I write Dart (or other high level languages) in the first place.

Despite that, the error message I get when attempting to connect securely and being presented with a self-signed (or rather more technically correct, untrusted authority) certificate, is that the OS itself doesn't trust the certificate. On Windows, this is not the case. The certificate in question I'm using is a CA root certificate of my generating, with proper authority/signing chain, installed into Windows trusted roots manually. Both Chrome and Internet Explorer (both of which use the underlying Windows certificate store) trust my certificate(s) without any warnings after having done this. So if the DartVM is not using the "OS" to validate a certificate upon handshake, then that message is very uninformative/misleading.

What can be done to overcome this outside of compiling NSS and trying to figure out just how to import my certificates by way of over-complicated and under-documented steps? Is there not a parameter that one could specify when initiating a secure connection to ignore SSL errors of this nature?

My web server forces the use of HTTPS so dropping back to plain HTTP would not be an option for me. I also don't want to trust, and much less want to pay, a third party for my certificates, which are pretty much only used internally, which is why I generated a wildcard certificate under my own root CA in the first place. Paying for a wildcard certificate, for multiple domains, that aren't always necessarily exposed to the public or meant for public use is a bit astronomically priced and completely out of the question.

Hydra
  • I haven't coped with this yet and don't know much about it. It is also not clear what your problem actually is (besides that this is all more complicated than it should be). There are already a few similar questions answered on SO. Maybe http://stackoverflow.com/questions/20870300, http://jamesslocum.com/post/70003236123, http://stackoverflow.com/questions/16524659, http://stackoverflow.com/questions/25388750 provide information that brings you a step forward. – Günter Zöchbauer Sep 05 '14 at 20:54
  • I looked through most of these already; the problem is most of these are either in-browser, standalone as a server, or a standalone client attempting to utilize a client certificate. It does look like one of those is the same issue as I am encountering (standalone VM as a client), but their suggestion was to submit a bug report to the lib (this was May 2013, with the same library I am using from pub: http/http.dart). Essentially what it looks like I have to do is modify that package itself or write my own library to utilize the lower-level socket class and hook the onBadCertificate callback. – Hydra Sep 05 '14 at 21:14
  • I also have/had trouble with SSL certificates working behind an HTTPS proxy on Windows at my work. I did file a [bug](https://code.google.com/p/dart/issues/detail?id=20270) and yes, error logs were misleading; even Dart team members were confused. It seems the certificate handling is good for Linux only. It wasn't solved and I had to drop working on it. – user568109 Sep 08 '14 at 06:45
  • There is currently no way around it. The solution to this would take time, if reimplementing the certificate store. You can try switching to Linux, for now. – user568109 Sep 08 '14 at 07:00

0 Answers