9 Replies Latest reply on Jun 1, 2008 11:07 AM by mirkasim

    Can't connect to socket on the same server

    Henk2
      Yes I know this is really a flash player issue, but this is where all the smart people hang out

      I've got an application with an IMAP library that connects to port 993 on the same server as the swf is running. The socket connection is refused but it isn't clear why.

      Logging suggests that the policy file is loaded successfully, but when it's time to connect, things fail because the policy file has an incorrect syntax. Incorrect syntax? The example is from the documentation...

      The socket policy file on the server is as described by the adobe docs. Here it is:
      quote:

      <?xml version="1.0"?>
      <cross-domain-policy>
      <site-control permitted-cross-domain-policies="all"/>
      <allow-access-from domain="*" to-ports="*"/>
      </cross-domain-policy>

      It also includes a '<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">' line, but if I include this then the preview messes up.

      Yep, this opens up to the world. We'll close it down a bit once things are working.

      The policy file is loaded on startup as follows:
      quote:

      Security.loadPolicyFile("/trunk/socketpolicy.xml");


      Policy file logging is enabled and reports:
      quote:

      OK: Root-level SWF loaded: https://192.168.1.250/trunk/myapp.swf
      Warning: Ignoring <site-control> tag in policy file from https://192.168.1.250/trunk/socketpolicy.xml. This tag is only allowed in master policy files.
      Warning: Domain 192.168.1.250 does not specify a meta-policy. Applying default meta-policy 'all'. This configuration is deprecated. See http://www.adobe.com/go/strict_policy_files to fix this problem.
      OK: Policy file accepted: https://192.168.1.250/trunk/socketpolicy.xml
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at xmlsocket://192.168.1.250:993 by requestor from https://192.168.1.250/trunk/myapp.swf
      Warning: Timeout on xmlsocket://192.168.1.250:843 (at 3 seconds) while waiting for socket policy file. This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
      Warning: [strict] Ignoring policy file with incorrect syntax: xmlsocket://192.168.1.250:993
      Error: Request for resource at xmlsocket://192.168.1.250:993 by requestor from https://192.168.1.250/trunk/myapp.swf is denied due to lack of policy file permissions.



      Adobe docs talk (rather extensively) about a policy file server (LOL, running a server to provide one file?) on port 843. This is not an option since the firewall is closed for that port and because running another server is not allowed for several good reasons. So, the policy file must be loaded through https, as is the swf.

      Does anyone know what's wrong here?

      <rant>
      This whole socket policy file stuff is a nightmare. I've read about a dozen pages on this stuff (including these 7 pages: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security.html) and still don't know how to properly serve a socket policy file. I still need to find a proper syntax declaration.
      Half the docs repeat themselves on how important policy files are and try to convince you that running another server on port 843 to serve up one file is a good idea. This is a joke, right? Only hardened servers should face outwards. Anything else is a security risk. The last thing I want to see is opening up more ports that now have to be hack-proof and DoS-proof. And can someone explain why the startup of the application has to be delayed 3 seconds, even if you supply a policy file?
      </rant>
        • 1. Re: Can't connect to socket on the same server
          Henk2 Level 1
          Shameless bump
          • 2. Re: Can't connect to socket on the same server
            kcell Level 2
            Hi,

            Which Flash Player version (115 or 124?) are you using?

            There may be more info necessary in the policy file for HTTP headers ... so maybe you can try this LINK.

            Without the ports and without HTTP the following crossdomain.xml worked for me:

            <?xml version="1.0"?>
            <!DOCTYPE cross-domain-policy
            SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
            <cross-domain-policy>
            <allow-http-request-headers-from domain="*" headers="SOAPAction"/>
            <allow-access-from domain="*"/>
            </cross-domain-policy>

            best regards.
            kcell
            • 3. Can't connect to socket on the same server
              Henk2 Level 1
              Thanks for the suggestion kcell. I've tried both versions 9.0.115 and 9.0.124 and both fail with the policy permission error.

              I also tried with and without your crossdomain.xml file but with the same result. It looks like this file is intended for URL policy, instead of socket policy. Recently Adobe separated the two.

              When I run with the files installed on my dev PC, it does work, which makes sense because the flash player isn't loaded from an unknown domain.

              I did get one step closer. If a crossdomain.xml in the server root exists and the socketpolicy file is loaded from the app folder then the first two warnings disappear. The logs now show:
              ----
              OK: Root-level SWF loaded: https://192.168.2.5/trunk/myapp.swf
              OK: Policy file accepted: https://192.168.2.5/crossdomain.xml
              OK: Policy file accepted: https://192.168.2.5/trunk/socketpolicy.xml
              Warning: Timeout on xmlsocket://192.168.2.5:843 (at 3 seconds) while waiting for socket policy file. This should not cause any problems, but see http://www.adobe.com/go/strict_policy_files for an explanation.
              Warning: [strict] Ignoring policy file with incorrect syntax: xmlsocket://192.168.2.5:993
              Error: Request for resource at xmlsocket://192.168.2.5:993 by requestor from https://192.168.2.5/trunk/myapp.swf is denied due to lack of policy file permissions.
              ----

              Which basically says, everything is okay, but you stay out anyway.

              PS: I found the XML schema files here: http://www.adobe.com/devnet/flashplayer/articles/fplayer9_security_02.html and the socket policy schema: http://www.adobe.com/xml/schemas/PolicyFileSocket.xsd.


              UPDATE: When serving up the policy file on port 843 using the example perl script then the socket connection seems to be accepted and the connect succeeds. After that flex hangs trying to logon to the IMAP server.
              • 4. Re: Can't connect to socket on the same server
                kcell Level 2
                I guess you have also tried to load the socket policy with the complete url like
                Security.loadPolicyFile("https://192.168.2.5:993/trunk/socketpolicy.xml");
                or?

                Wouldn't it be so nice if someone wrote a policy creator for Flash (socket and crossdomain)? The docs are pretty confusing....




                • 5. Re: Can't connect to socket on the same server
                  Henk2 Level 1
                  I haven't tried with port 993, as that is the IMAP server port.
                  I'm with you on the documentation side of things. They have tried to be elaborate but it's made it more confusing. The separation between URL and socket policy files is easily overlooked. You need a flowchart to figure out which policy file is needed.

                  I've made a little headway since yesterday. It looks like there are two problems:
                  1. Only socket policy files served over port 843 can allow other socket connections.
                  Serving the policy file over https, even with the http headers containing the "ForceType text/x-cross-domain-policy" tag for crossdomain.xml as the docs instruct, doesn't work.

                  2. Let's assume we're willing to run a server on port 843 to serve up the policy file and poke a hole in the firewall.
                  This actually works... almost. The IMAP connection is now accepted. The policy log shows:
                  quote:

                  OK: Request for resource at xmlsocket://192.168.2.5:993 by requestor from https://192.168.2.5/trunk/myapp.swf is permitted due to policy file at xmlsocket://192.168.2.5:843


                  Now we're hitting problem no. 2. Writing to the IMAP socket hangs indefinitely. netstat on the server shows an established connection but Flash Player is not putting out any data.

                  Looks like socket connections are broken in flash player 115 and up.
                  • 6. Can't connect to socket on the same server
                    Henk2 Level 1
                    Never mind about problem 2. It is a problem in the hurlant SSL crypto library. Haven't dived into it yet, but when using the regular Socket instead of the crypto TLSSocket, communication with the IMAP server works.

                    So the remaining problem is that the socket policy file has to be served through port 843. This means the policy file is correct, since it works, right? Serving this file through the trusted HTTP(S) server is possible but Flash Player rejects the socket policy.

                    With a firewall in place that is not under my control port 843 is not accessible. So now I'm stuck. If anyone can find a way out of this mess I'd really appreciate it.
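The port-843 server the thread keeps coming back to, as an added example that is not code from this thread or from Adobe: it answers Flash Player's NUL-terminated `<policy-file-request/>` with a socket policy narrowed from the wide-open `domain="*" to-ports="*"` to one SWF origin and the IMAP port. The function names and the 192.168.2.5 / 993 values are assumptions taken from the logs above.

```python
import socket
from xml.sax.saxutils import quoteattr
# Added example, not code from the thread: a port-843 socket policy server (the role
# of the "example perl script"), with the policy narrowed from domain="*" to-ports="*"
# to one SWF origin and the IMAP port. Names and addresses here are assumptions.
POLICY_REQUEST = b"<policy-file-request/>\x00"  # Flash Player's NUL-terminated request

def build_socket_policy(domain, ports):
    """Socket master policy admitting only `domain` to the listed port numbers."""
    port_list = ",".join(str(p) for p in ports)
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">\n'
        '<cross-domain-policy>\n'
        '<site-control permitted-cross-domain-policies="master-only"/>\n'
        '<allow-access-from domain=%s to-ports=%s/>\n'
        '</cross-domain-policy>\n'
    ) % (quoteattr(domain), quoteattr(port_list))

def handle_request(data, policy):
    """NUL-terminated policy for the exact request; None (close silently) otherwise."""
    return policy.encode("utf-8") + b"\x00" if data == POLICY_REQUEST else None

def answer(conn, policy):
    """Read at most 64 bytes up to the NUL, reply if it is a policy request, close."""
    conn.settimeout(3)  # a silent client must not hold the server forever
    try:
        data = b""
        while len(data) < 64 and not data.endswith(b"\x00"):
            chunk = conn.recv(64)
            if not chunk:
                break
            data += chunk
        reply = handle_request(data, policy)
        if reply:
            conn.sendall(reply)
    except socket.timeout:
        pass
    finally:
        conn.close()

def serve(policy, host="0.0.0.0", port=843):
    """Accept loop; binding 843 needs root or CAP_NET_BIND_SERVICE on Unix."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    while True:
        answer(srv.accept()[0], policy)
```

Run `serve(build_socket_policy("192.168.2.5", [993]))` on the IMAP host; a successful check then produces the "permitted due to policy file at xmlsocket://...:843" log line quoted earlier in the thread. Any connection that sends something other than the exact request is dropped without a reply.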


                    • 7. Re: Can't connect to socket on the same server
                      kcell Level 2
                      Hi SalmonArm,

                      yes, it looks like the policy file is ok.

                      I also found this entry in the bug database (#SDK-14610), which describes a similar scenario (just on another port).
                      In other bug entries, which also complain about the socket policy behaviour, it is mentioned that it's not possible to use https to load a policy file (but there was no answer why it's not).

                      This "security feature" also seems to have been introduced with FP 115; prior FP versions (47) connect, but also include other security holes. So you may check if it works with 47, but this is not useful for customer installations.

                      best regards,
                      kcell


                      • 8. Can't connect to socket on the same server
                        Henk2 Level 1
                        A bit of a late reply as I was away for a few days.
                        Yes, I've seen that bug report as well. I've also followed up on it and made a feature request to allow the socket policy file to be read through http(s).
                        Unfortunately, since they closed the bug there is no way to track the request.

                        I haven't tried version 9.0.47 but I will as soon as I'm back in the office.

                        Well, at least I understand the issue now in more detail. Unfortunately trying to get adobe to reply to this issue is like talking to a brick wall. I hope they improve the socket policy loading. Until then there is no way to use sockets in my use case.

                        Thanks for the help kcell,
                        Cheers,
                        Henk
                        • 9. Re: Can't connect to socket on the same server
                          mirkasim
                          Hi, go to Flash Resources, where you can find a Java application that can serve policy files to resolve this problem.