So I have been having trouble with grabbing information from a device that is interfaced with via HTTPS due to the fact that it has an invalid security certificate. I know the device is to be trusted and I don't have access to the server side, so I can't change it. I was wondering if there was any way to set up an XMLHttpRequest object in JavaScript to just ignore an invalid SSL certificate and just grab the information anyway. As it is now it seems to just reject the certificate and stop. Thanks.
If anyone found this question when trying to solve the same problem in node (as opposed to in the browser), jump over here for solutions: http://stackoverflow.com/questions/10888610/ignore-invalid-self-signed-ssl-certificate-in-node-js-with-https-request – May 22 '16 at 17:35
Virtual upvote from me. Darn it - I accidentally double-clicked the upvote and now I can't vote again. – Chris Parker Dec 19 '22 at 22:27
3 Answers
Well, I had found this solution before but it didn't work; this was because I was still using the actual XMLHttpRequest, though. When creating it using this statement:
httpreq = new ActiveXObject("Msxml2.ServerXMLHTTP.3.0");
There is a method called setOption that is opened up for use:
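httpreq.setOption(2, 13056); // option 2 = SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS; 13056 (0x3300) = SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS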
With those parameters, the request now ignores the invalid certificate and grabs the information anyway. If I understand correctly this won't work with any non-Microsoft technology trying to run the script, but that's ok for the scope of my project.

No, there isn't. XMLHttpRequest doesn't allow you to override that. Being able to override SSL security might make sense in your case, but if you think about it, it would be a bad idea in general. You'd never want to allow arbitrary JavaScript code on the internet to connect to a supposedly secure service that the JS host (the browser) knows has a possible MITM issue.

Yes I do know it doesn't make sense in a general case but for the most part there's usually something for the specific case. I actually think I'm onto something at the moment. – user535617 Dec 20 '10 at 15:11
This justification is pretty strange. If it was about security, then XMLHttpRequest would have supported specifying custom Certificate Authorities for proper security. Instead they support insecure HTTP which does not use any certificates and is prone to MITM attacks. – Ark-kun Aug 02 '21 at 01:46
"I know the device is to be trusted"
Yes but you don't know whether you are really connected to the device.
That is the purpose of the certificate. That's why it has to be valid.

@user535617 no, you only think that you are connected directly, directly being the key word. There might be a man in the middle who is simply forwarding all the requests between you and the end node while gathering all of the information. This would be completely transparent to you. I.e. you could not even know that it is there. – chacham15 Nov 10 '12 at 10:26
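
Added example, not part of the original thread or any poster's code: for the Node.js case mentioned in the first comment, the concern raised in the answers above (a trusted device, but no proof you are talking to it) can be met by trusting that one certificate instead of ignoring all certificate errors. It assumes the device certificate is self-signed or issued for a different name, and that its PEM and SHA-256 fingerprint were obtained out of band; the function names and sample values are hypothetical.

```javascript
// Added example. Node.js only; browser XMLHttpRequest exposes none of this.
// Strip colons/whitespace so "AB:CD:..." and "abcd..." compare equal.
const toHex = (fp) => String(fp).replace(/[:\s]/g, '').toLowerCase();

// Validate the operator-supplied pin once, up front.
function parsePin(fp) {
  const hex = toHex(fp);
  if (!/^[0-9a-f]{64}$/.test(hex)) {
    throw new TypeError('expected a SHA-256 fingerprint (64 hex digits)');
  }
  return hex;
}

// Replacement for Node's host name check: accept the peer only if it presents
// exactly the pinned certificate. Returning an Error aborts the connection,
// returning undefined accepts it.
function pinnedIdentityCheck(pinnedFingerprint) {
  const pin = parsePin(pinnedFingerprint);
  return function checkServerIdentity(hostname, cert) {
    if (!cert || !cert.fingerprint256) {
      return new Error(`no certificate presented by ${hostname}`);
    }
    if (toHex(cert.fingerprint256) !== pin) {
      return new Error(`certificate for ${hostname} does not match the pin`);
    }
    return undefined;
  };
}

// Options for https.request() / https.get(). Verification stays enabled:
// `ca` makes the self-signed certificate its own trust anchor, and the pin
// check replaces only the name comparison.
function deviceRequestOptions(host, path, devicePem, pinnedFingerprint) {
  return {
    host,
    path,
    ca: [devicePem],
    rejectUnauthorized: true,
    checkServerIdentity: pinnedIdentityCheck(pinnedFingerprint),
  };
}

// Constructed sample values, not a real device.
const SAMPLE_PIN = 'AA:'.repeat(31) + 'AA';
const SAMPLE_PEM = '-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----';
const sampleCheck = pinnedIdentityCheck(SAMPLE_PIN);
const sampleOptions = deviceRequestOptions('192.0.2.10', '/status', SAMPLE_PEM, SAMPLE_PIN);
```

Pass the returned options to https.get(); a proxy in the middle that presents any other certificate fails the pin check and the request is never sent.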