6 Replies Latest reply on Sep 19, 2012 5:31 AM by iosif1976

    Socket Policy Files over SSL


      Would like to know if anyone has suggestions as to how to implement a Socket Policy File Server over an SSL socket?


      A little background: our customers cannot open up multiple ports on the system. Opening up port 843 is not an option. There is one and only one port available for connections, and it is a secure socket (SSL). From all the documentation and discussions I've read, the request for a policy file is sent in clear text and there's no option for this to be sent via SSL (our hope is that we've missed something and there is such an option). SSL will reject the policy file request on this port; it's waiting for an SSL Hello message.


      The only solution we've come up with is to use peek() before accepting any incoming request, and compare incoming data stream to the policy file request, and if there's a match handle the request by responding with a policy file. This response is in clear text. Our issue with this type of solution (aside from the perils of peek()) is that we've told our customers there will be secure traffic out the port, but now we are sending clear text out this port.


      Note for Adobe architects: Was (or is) there any thought in wrapping the policy file request in a simple http request? That way we wouldn't have to hack into our web server to detect this request and handle it appropriately. In addition to the SSL dilemma mentioned above.
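
The peek() workaround described in the post above, as an added sketch that is not part of the original post or anyone's production code: the first bytes are inspected without consuming them, a policy request is answered in clear text, and anything starting with a TLS handshake record is passed on untouched. The policy contents, `app.example.com`, and the `start_tls` callback are assumptions for illustration.

```python
import socket
import time

# Flash Player sends this literal string, NUL-terminated, in clear text.
POLICY_REQUEST = b"<policy-file-request/>\x00"
TLS_HANDSHAKE = 0x16  # content-type byte that opens a TLS record carrying ClientHello

# Constructed sample policy; the domain and port are placeholders.
POLICY_RESPONSE = (
    b'<?xml version="1.0"?><cross-domain-policy>'
    b'<allow-access-from domain="app.example.com" to-ports="443"/>'
    b"</cross-domain-policy>\x00"
)

def classify(conn, timeout=2.0):
    """Peek without consuming; return 'policy', 'tls' or 'unknown'."""
    deadline = time.monotonic() + timeout
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return "unknown"          # slow or stalled sender: do not wait forever
        conn.settimeout(remaining)
        try:
            head = conn.recv(len(POLICY_REQUEST), socket.MSG_PEEK)
        except OSError:               # timeout or connection reset
            return "unknown"
        if not head:
            return "unknown"          # peer closed before sending anything
        if head[0] == TLS_HANDSHAKE:
            return "tls"
        if not POLICY_REQUEST.startswith(head):
            return "unknown"
        if len(head) == len(POLICY_REQUEST):
            return "policy"
        time.sleep(0.01)              # partial match: peek returns at once, so pause

def handle(conn, start_tls):
    """Answer a policy request in clear text, or pass the untouched socket to TLS."""
    kind = classify(conn)
    if kind == "tls":
        start_tls(conn)               # ClientHello is still unread in the buffer
        return kind
    if kind == "policy":
        conn.recv(len(POLICY_REQUEST))   # consume the request
        conn.sendall(POLICY_RESPONSE)    # the only clear-text bytes ever sent
    conn.close()
    return kind
```

The deadline and the short sleep address one of the perils of peek(): a sender that delivers only part of the request would otherwise spin the loop or hold the connection open indefinitely.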

        • 1. Re: Socket Policy Files over SSL

          Curious if you've ever found an answer to this as we're finding something similar....?

          • 2. Re: Socket Policy Files over SSL
            lapomardo Level 1

            Unfortunately, no.  For the time being we are using the peek() option mentioned in the original post where we've 'special cased' our webserver.


            We are disappointed in the lack of response from Adobe.  So much so that we're looking into Flex alternatives in our next release.

            • 3. Re: Socket Policy Files over SSL
              grimmwerks Level 1

              We're having a similar issue - we have the socket policy serving at 843 -- however we can't guarantee 843 will be open.  We're connecting to 443 using the STOMP protocol - I'm even telling the backend people here that Flash will send a request on 443 and could we respond there - they say it can't be done.


              And obviously the port 80 or security loadpolicyfile doesn't allow the socket connections without the 843 policy service... so we're stuck trying to find a way around this... and those in charge don't believe my answers as gospel.

              • 4. Re: Socket Policy Files over SSL
                grimmwerks Level 1

                Have you looked at this?  Wondering if a socket policy can be served via some other 'standard' port -- telnet?


                Access to socket and XML socket connections is disabled by default, even if the socket you are connecting to is in the same domain as the SWF file. You can permit socket-level access by serving a socket policy file from any of the following locations:

                • Port 843 (the location of the master policy file)

                • The same port as the main socket connection

                • A different port than the main socket connection





                • 5. Re: Socket Policy Files over SSL
                  grimmwerks Level 1

                  Sorry - last response.


                  The only other thing I can see is having two servers:






                  server1.url.com serves the actual files.


                  server2.url.com is the sockets.  Don't have a webserver running on server2, use the common ports for socket communications and serving the policy file.

                  • 6. Re: Socket Policy Files over SSL

                    Has anybody found a solution on the matter?