SSL Validation for DOD Websites in Google Apps Script - google-apps-script

We've recently bounced up against a bug seemingly caused by a change made to the way Google is handling SSL trust in Google Apps Script on the Google Apps for Gov service. We have a few Apps Script systems - two in particular are a server monitoring system and a webservice-based calendar synchronization tool - which communicate with servers at our end over an SSL connection. This has worked fine for months, until ~9:15 PM on 20 Sept 2012, when almost all of these (and similar) connections began to fail due to an inability to trust the DOD-signed certificates which are mandatory for us on our end of things.
Stranger still is that this is somewhat inconsistent -- that is, I can successfully ask Google to connect to https://usuportal.usuhs.mil and it loads just fine. However, if I try any of:
https://www.us.army.mil
https://www.nps.edu
https://www.disa.mil
https://learning.usuhs.edu
... they all fail. I suspect that this is to do with the root cert which some servers tie themselves back to, suffice that all tying back to the "DOD Root CA-2" certificate as a terminator are failing - a real problem for us.
For our server monitoring we've been able to temporarily work around this by disabling SSL verification in Apps Script, but that option isn't available for accessing webservices [EDIT: we are using SoapService to handle WS requests and returns], leaving us unable to continue to use those tools for as long as this problem is in place. Given the precision with which we can identify when the relevant change happened, though, I should hope Google can at least (relatively) quickly pinpoint what happened.
If it's helpful, below is a quick Google Apps Script function which will log out success / failure based on whether it's able to trust the SSL certificate at the endpoint.
function checkSSL()
{
// The server to go look at to see if we can trust it.
// Again, usuportal.usuhs.mil has been observed to work; all others tested have failed
//
var serverToTest = "https://www.disa.mil";
// options defines the options which will be used by the UrlFetchApp to define its behavior.
// In this case, we may be interested in disabling SSL validation.
//
var options =
{
"validateHttpsCertificates" : false
};
// First, try without disabling validation
//
try {
response = UrlFetchApp.fetch(serverToTest);
Logger.log("I was able to reach " + serverToTest +" without disabling certificate validation.");
}
catch (e)
{
// Logger.log(e.toString());
Logger.log("I was not able to reach " + serverToTest +" without disabling certificate validation.");
}
// Now let's try it with validation disabled
//
try {
response = UrlFetchApp.fetch(serverToTest, options);
Logger.log("I was able to reach " + serverToTest +" with certificate validation disabled.");
}
catch (e)
{
// Logger.log(e.toString());
Logger.log("I was not able to reach " + serverToTest +" with certificate validation disabled. Maybe it's really just down?");
}
}

Please log this in the Issue Tracker. I've been able to dive into this internally and this is in fact and issue we believe. Once you log it in the Issue Tracker you'll be able to follow along the progress of this issue.
We'll likely solve this by adding in a similar "validateHttpsCertificates" flag for SoapSerivce like with UrlFetchApp

Related

Tessera Cross Origin Issues while calling the rest API ( /storeraw )

I am using tessera for execute private transaction's in Quorum. When invoking the third party (privateURL) API from the postman, I am getting the expected output but when calling the same API's from the other server I am getting an empty response with 200 status code( http://:9081/storeraw). This issue is happening due to the CORS. I've checked with:
File:///< HTML_PATH >
and it's working.
How to enable CORS for tessera third party API's?
Currently, this feature is not implemented in tessera. I'm working already I'll get back to you once it's done. For enabling CORS follow steps below.
Clone repository from git.
open the file /jaxrs-service/src/main/java/com/quorum/tessera/thridparty/RawTransactionResource.java
Replace
return Response.status(Status.OK)
.type(APPLICATION_JSON)
.entity(response)
.build();
with
return Response.status(Status.OK)
.type(APPLICATION_JSON)
.header("Access-Control-Allow-Origin", "*")
.entity(response)
.build();
Recompile the code
Start tessera.
Note: This will allow all origins, please modify the code as per your security needs. This is not a standard, I am working on config changes that will allow you to have the freedom to enable CORS with corresponding changes.

How to detect SSL errors using chrome extension? [duplicate]

I'm doing simple GET request to my URL and I get the error "ERR_INSECURE_RESPONSE". THis is fine, as certificate is self-signed. But I have two questions regarding it:
Is there a way to overcome this in extension? Like setting a flag in request or sth like that? (probably not likely)
Is there a way just to handle this error (to notify user)? I've checked all XMLHttpRequest fields and cannot see anything that can indicate this error. Status field has value of 0 (zero).
Any ideas?
No, the extension API does not offer any method to modify SSL settings or behavior.
You could use the chrome.webRequest.onErrorOccurred event to get notified of network errors. The error property will contain the network error code.
For example:
chrome.webRequest.onErrorOccurred.addListener(function(details) {
if (details.error == 'net::ERR_INSECURE_RESPONSE') {
console.log('Insecure request detected', details);
}
}, {
urls: ['*://*/*'],
types: ['xmlhttprequest']
});
var x = new XMLHttpRequest;
x.open('get','https://example.com');
x.send();
If for testing only, just start Chrome with the --ignore-certificate-errors flag to allow self-signed certificates to be used. This affects all websites in the same browsing session, so I suggest to use a separate profile directory for this purpose, by appending --user-data-dir=/tmp/temporaryprofiledirectory to the command line arguments.
Another way to avoid the error in the first place is to get a valid SSL certificate. For non-commericial purposes, you can get a free SSL certificate at https://www.startssl.com.

VimeoUpload not re-authenticating After Deletion of App Access on Vimeo.com

I was able to connect and upload videos using the library but when I deleted the app connection on Vimeo.com (as a test) the app didn't authorize again.
the upload looks like it's working but nothing is uploaded as the app is no longer connected.
I deleted the app on the phone and restarted but it still won't re-authorize the app.
This comes up in the output:
Vimeo upload state : Executing
Vimeo upload state : Finished
Invalid http status code for download task.
And this is in OldVimeoUpload.swift: ( didn't include the actual access code!)
import Foundation
class OldVimeoUpload: VimeoUpload
{
static var VIMEO_ACCESS_TOKEN :String! // = "there's a string of numbers here"
static let sharedInstance = OldVimeoUpload(backgroundSessionIdentifier: "") { () -> String? in
return VIMEO_ACCESS_TOKEN // See README for details on how to obtain and OAuth token
}
// MARK: - Initialization
override init(backgroundSessionIdentifier: String, authTokenBlock: AuthTokenBlock)
{
super.init(backgroundSessionIdentifier: backgroundSessionIdentifier, authTokenBlock: authTokenBlock)
}
}
It looks like the access token number is commented out. I deleted the 2 forward slashes to see if that would fix it but it didn't.
I spoke too soon.
It sounds like you went to developer.vimeo.com and created an auth token. Used it to upload videos. And then went back to developer.vimeo.com and deleted the auth token.
The app / VimeoUpload will not automatically re-authenticated in this situation. You've killed the token and the app cannot request a new one for you. You'll need to create a new auth token and plug it into the app.
If this is not accurate and you're describing a different issue let us know.
If you inspect the error that's thrown from the failing request I'm guessing you'll see it's a 401 unauthorized related to using an invalid token.
Edit:
Disconnecting your app (as described in your comment below) has the same effect as deleting your auth token from developer.vimeo.com.
Also, VimeoUpload accepts a hardcoded auth token (as you see from the README and your code sample). It will not automatically re-authenticate, probably ever.
If you'd like to handle authentication in your app check out VimeoNetworking or VIMNetworking. Either of those libraries can be used to create a variety of authentication flows / scenarios. Still, if a logged in user disconnects or deletes their token, you will need them to deliberately re-authenticate (i.e. you will need to build that flow yourself). In that case, the user has explicitly stated that they don't want the app to be able to access information on their behalf. It would go against our security contract with them to automatically re-authenticate somehow.
Does that make sense?

Chrome navigator.geolocation.getCurrentPosition() error 403

For some reason suddenly when calling navigator.geolocation.getCurrentPosition() I get this error:
Network location provider at 'https://www.googleapis.com/' : Returned error code 403.
It used to work perfectly yesterday! Could there be anything with their servers??
It appears it is back up now. But before I realized it was working, I used another way to get location data as recommended by another user on reddit.com
var latLong;
$.getJSON("http://ipinfo.io", function(ipinfo){
console.log("Found location ["+ipinfo.loc+"] by ipinfo.io");
latLong = ipinfo.loc.split(",");
});
Source: https://www.reddit.com/r/webdev/comments/3j8ipj/anyone_else_had_issues_with_the_html5_geolocation/
This happens for me too on idoco.github.io/map-chat
I suspect that this is related the the changes google planed for Deprecating Powerful Features on Insecure Origins it seems that some changes were done in the last few days in this chromium Issue 520765: Deprecation and removal of powerful features on insecure origins
Can you test your site over https to confirm that?
In the meanwhile I found this api usage as a workaround on this repo:
$.getJSON("http://ipinfo.io", function(doc){
var latlong = doc.loc.split(",")
setUserLocation(parseFloat(latlong[0]), parseFloat(latlong[1]));
getLocation(parseFloat(latlong[0]), parseFloat(latlong[1])).then(function(res){
userLocationName = res
})
initialiseEventBus();
map.panTo(userLocation);
}, function(err) {
setUserLocation(Math.random()*50, Math.random()*60);
userLocationName = "unknown.na"
initialiseEventBus();
map.panTo(userLocation);
})
I had the same issue, you have to check your developer dashboard and make sure that your API key has no usage restrictions or warnings.

How to handle ERR_INSECURE_RESPONSE in Google Chrome extension

I'm doing simple GET request to my URL and I get the error "ERR_INSECURE_RESPONSE". THis is fine, as certificate is self-signed. But I have two questions regarding it:
Is there a way to overcome this in extension? Like setting a flag in request or sth like that? (probably not likely)
Is there a way just to handle this error (to notify user)? I've checked all XMLHttpRequest fields and cannot see anything that can indicate this error. Status field has value of 0 (zero).
Any ideas?
No, the extension API does not offer any method to modify SSL settings or behavior.
You could use the chrome.webRequest.onErrorOccurred event to get notified of network errors. The error property will contain the network error code.
For example:
chrome.webRequest.onErrorOccurred.addListener(function(details) {
if (details.error == 'net::ERR_INSECURE_RESPONSE') {
console.log('Insecure request detected', details);
}
}, {
urls: ['*://*/*'],
types: ['xmlhttprequest']
});
var x = new XMLHttpRequest;
x.open('get','https://example.com');
x.send();
If for testing only, just start Chrome with the --ignore-certificate-errors flag to allow self-signed certificates to be used. This affects all websites in the same browsing session, so I suggest to use a separate profile directory for this purpose, by appending --user-data-dir=/tmp/temporaryprofiledirectory to the command line arguments.
Another way to avoid the error in the first place is to get a valid SSL certificate. For non-commericial purposes, you can get a free SSL certificate at https://www.startssl.com.