4 Replies Latest reply on Sep 19, 2012 5:24 AM by iosif1976

    Internet Explorer + SSL Cross Domain communication + X.509 = failure

    letM3in2

      I have a flex application (AS3) which performs cross-domain communication with a second web server.  All communication occurs via SSL--both servers present valid certificates, signed by a trusted certificate authority.  The cross-domain communication to the second web server completes successfully using Firefox 3.6.x and Flash Player 10, but fails when using Internet Explorer 8 and Flash Player 10.  The application on the second web server never logs any attempted communication from the Internet Explorer client.  I have tried adding both web servers to IE's list of Trusted sites, with the lowest possible security settings, and still cannot connect to the second web server using an IE-based client.  From what I can tell, the request to the second web server is either being blocked by some IE security setting (or non-configurable policy),  or is not making it past the second web server's request for a client X.509 certificate (used for authentication).


      Strangely, the following workflow allows the application to function properly in IE:

      1. Navigate to the SWF application on webserver_1 (receive connection error to webserver_2).
      2. Using the same tab, navigate to https://<webserver_2_url>:<webserver_2_port>/ (basic web page loads).
      3. Return to the SWF application on webserver_1 and refresh the page (cross-domain communication works).


      The second web server has a crossdomain.xml file configured as shown below.  As I have previously stated, cross-domain communication works fine in Firefox:

      <?xml version="1.0" ?>
      <cross-domain-policy>
          <site-control permitted-cross-domain-policies="master-only" />
          <allow-access-from domain="*" to-ports="*" secure="true" />
      </cross-domain-policy>

      The flash player debugger's flashlog.txt looks like:

      Error: Failed to load policy file from https://<webserver_2_url>:<webserver_2_port>/crossdomain.xml
      *** Security Sandbox Violation ***
      Connection to https://<webserver_2_url>:<webserver_2_port>/path/to/resource halted - not permitted from https://<webserver_1_url>/filename.swf
      Error: Request for resource at   https://<webserver_2_url>:<webserver_2_port>/path/to/resource by requestor from https://<webserver_1_url>/filename.swf is denied due to lack of policy file permissions.

      The flash player debugger's policyfiles.txt looks like:

      OK: Root-level SWF loaded: https://<webserver_1_url>/filename.swf
      OK: Searching for <allow-access-from> in policy files to authorize data loading from resource at https://<webserver_2_url>:<webserver_2_port>/path/to/resource by requestor from https://<webserver_1_url>/filename.swf
      Error: Failed to load policy file from https://<webserver_2_url>:<webserver_2_port>/crossdomain.xml
      Error: Request for resource at https://<webserver_2_url>:<webserver_2_port>/path/to/resource by requestor from https://<webserver_1_url>/filename.swf is denied due to lack of policy file permissions.

      Is there something I am missing here?  Is there a known setting in IE which would prevent cross-domain communication over SSL when X.509 client certificates are required?
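      A side note on the policy file quoted above, as an added example that is not part of the original post: `allow-access-from domain="*"` tells Flash Player that a SWF served from any origin may read this server's responses, and because the player uses the browser's network stack those requests carry the browser's ambient credentials, including the client X.509 certificate the second server uses for authentication. The Python script below parses a crossdomain.xml with the standard library and flags the grants a reviewer would question, following Adobe's documented attribute semantics for URL policy files. `POLICY_FROM_THREAD` is a copy of the posted file; `HARDENED_POLICY` and its hostname `webserver-1.example` are constructed placeholders.

```python
"""Audit a Flash crossdomain.xml (URL policy file) for over-permissive grants.

Added example for this thread, not code from the original post. Rules follow
Adobe's published crossdomain.xml attribute semantics; policies are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed copy of the policy posted in the thread.
POLICY_FROM_THREAD = """<?xml version="1.0" ?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only" />
    <allow-access-from domain="*" to-ports="*" secure="true" />
</cross-domain-policy>
"""

# Constructed hardened variant: only the SWF's own host (placeholder name) may read responses.
HARDENED_POLICY = """<?xml version="1.0" ?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only" />
    <allow-access-from domain="webserver-1.example" secure="true" />
</cross-domain-policy>
"""


def audit_policy(xml_text):
    """Return a list of (severity, message) findings; an empty list means nothing to report."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]

    site_control = root.find("site-control")
    if site_control is not None:
        mode = site_control.get("permitted-cross-domain-policies", "")
        if mode == "all":
            findings.append(("medium", 'permitted-cross-domain-policies="all" lets any file on the host act as a policy file'))

    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", 'domain="*": a SWF from any origin can read responses, '
                                     "sent with the browser's ambient credentials (cookies, client certificate)"))
        elif domain.startswith("*."):
            findings.append(("low", f'domain="{domain}": every subdomain is trusted'))
        # secure defaults to true when the policy itself is fetched over HTTPS.
        if rule.get("secure", "true").lower() == "false":
            findings.append(("high", 'secure="false": SWFs loaded over plain http may read https responses'))
        # to-ports only has meaning in socket policy files; a URL policy file ignores it.
        if rule.get("to-ports") is not None:
            findings.append(("info", "to-ports has no effect in a URL policy file (socket policy files only)"))

    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers", "") == "*":
            findings.append(("medium", 'allow-http-request-headers-from domain="*" headers="*": '
                                       "any origin may send arbitrary request headers"))

    return findings


def max_severity(findings):
    """Collapse a findings list to its worst severity, or "none" when empty."""
    order = ["none", "info", "low", "medium", "high", "error"]
    worst = "none"
    for sev, _ in findings:
        if order.index(sev) > order.index(worst):
            worst = sev
    return worst


if __name__ == "__main__":
    for name, policy in (("thread", POLICY_FROM_THREAD), ("hardened", HARDENED_POLICY)):
        results = audit_policy(policy)
        print(f"{name}: {max_severity(results)}")
        for sev, msg in results:
            print(f"  [{sev}] {msg}")
```

      Run as-is, the posted policy is reported as "high" for the wildcard domain (plus an informational note that `to-ports` does nothing in a URL policy file), while the variant that names the SWF's host produces no findings.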

        • 1. Re: Internet Explorer + SSL Cross Domain communication + X.509 = failure
          letM3in2 Level 1

          OK, I got a PM about this so I'm going to post my work-around:


          I debugged the heck out of this, and found that IE showed similar behavior when using Silverlight, but that JavaScript requests would complete normally.  So, I modified the HTML page that loads the Flex app, adding the following JavaScript code to its <head>.  This JavaScript makes an AJAX request to the root level of the data server, which completes the SSL handshake successfully, allowing the Flex app to go along its merry way.  It should work for IE 7 & 8... if IE 6 is important to you, then you should be able to get it to work with a couple minor changes.

          <script type="text/javascript">
          // Work-around: make one HTTPS request to the data server's root so that IE completes
          // the SSL handshake with that host before the Flex app asks it for crossdomain.xml.
          if (window.XMLHttpRequest)
          {
              var url = "https://<server>:<port>/";

              var xmlHttp = new XMLHttpRequest();
              xmlHttp.onreadystatechange = function() {};  // no-op callback; only the completed handshake matters
              xmlHttp.open("GET", url, true);  // prepare the AJAX request asynchronously using GET
              xmlHttp.send(null);  // send the request
          }
          </script>

          • 2. Re: Internet Explorer + SSL Cross Domain communication + X.509 = failure
            ej101

            This is great.  Thank you!


            One thing to note: In order to avoid an "access denied" error or alert from IE about "accessing information that is not under its control", one may need to change the IE security setting for Access data sources across domains (under Miscellaneous) to Enable.

            • 3. Re: Internet Explorer + SSL Cross Domain communication + X.509 = failure
              Vimm3

              Another option:
              Add an iFrame to your homepage with style="display:none" to avoid any JavaScript issues.  The iFrame content will still load but won't use any screen space.

              • 4. Re: Internet Explorer + SSL Cross Domain communication + X.509 = failure
                iosif1976

                How did you manage to get SSL communication working?

                I have a light c++ server A for serving crossdomain.xml, and on the client side I have a flash (swf) that opens an XMLSocket to another server B. Everything works perfectly. When I open the XMLSocket to server B, the swf first communicates automatically with my server A, gets the OK from server A according to crossdomain.xml, and then the client (swf) starts communicating with server B.

                I then converted the client code and server B so that instead of using XMLSocket they both use Socket, and again everything works perfectly as above, with my c++ server A serving the crossdomain.xml.

                Now I've decided to move to SSL and more secure communication. I've modified everything to use SSL.

                I changed the c++ server A, changed the crossdomain.xml, and changed both server B and the client swf to use SecureSocket. But now everything has broken.

                When I try to open a SecureSocket from the client swf to server B, I never get a message at my c++ server A asking it to serve the crossdomain.xml; I don't even get any garbage, which would have meant I have a problem with the certificate.

                Is there a full sample somewhere I could look at on how to set up my client swf to use SecureSocket? I know the problem is somewhere in my client swf, because I wrote a light c++ program to call the c++ server A to get the crossdomain.xml and then call my server B, and everything worked perfectly.
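                The handshake described in the post above (swf asks server A for the policy, then connects to server B) is the Flash socket-policy protocol: before a Socket or XMLSocket connection, Flash Player opens a TCP connection to the policy server (port 843 by default, or the destination port), sends `<policy-file-request/>` followed by a NUL byte, and expects the policy XML followed by a NUL byte. The Python below is an added example, not code from any poster: it runs both sides of that exchange over a loopback socketpair and then evaluates the returned policy against an origin and port, including the `to-ports` ranges that socket policy files accept. The policy text and the hostnames `swf-host.example` and `other.example` are constructed; the TLS layer a SecureSocket adds is not modelled here.

```python
"""Flash socket-policy handshake (client and server) over a loopback socketpair.

Added example for this thread, not code from the original posts. The request
string and NUL framing follow Adobe's socket policy file protocol; the policy
text and hostnames are constructed, and TLS is not modelled.
"""
import socket
import threading
import xml.etree.ElementTree as ET

POLICY_REQUEST = b"<policy-file-request/>"  # the exact request Flash Player sends (before the NUL)
TERMINATOR = b"\x00"

# Constructed socket policy: one named origin and one port rather than "*".
SOCKET_POLICY = (
    b'<?xml version="1.0"?>\n'
    b"<cross-domain-policy>\n"
    b'  <allow-access-from domain="swf-host.example" to-ports="8443" />\n'
    b"</cross-domain-policy>\n"
)


def read_until_null(sock, limit=4096):
    """Read one NUL-terminated message; None if the peer closes early or exceeds limit."""
    buf = bytearray()
    while len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:
            return None
        if chunk == TERMINATOR:
            return bytes(buf)
        buf += chunk
    return None


def policy_response(request):
    """Server side: answer only the exact policy request; anything else gets no reply."""
    if request != POLICY_REQUEST:
        return b""
    return SOCKET_POLICY + TERMINATOR


def serve_one(sock):
    """Handle a single client the way a socket policy server does: read, answer, close."""
    try:
        request = read_until_null(sock)
        if request is not None:
            sock.sendall(policy_response(request))
    finally:
        sock.close()


def fetch_policy(sock):
    """Client side (what Flash Player does internally): send the request, read the policy."""
    sock.sendall(POLICY_REQUEST + TERMINATOR)
    try:
        return read_until_null(sock, limit=65536)
    finally:
        sock.close()


def port_permitted(to_ports, port):
    """Evaluate a socket-policy to-ports value such as "*", "843" or "8000-8100,8443"."""
    for item in to_ports.split(","):
        item = item.strip()
        if item == "*":
            return True
        if "-" in item:
            lo, hi = item.split("-", 1)
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif item.isdigit() and int(item) == port:
            return True
    return False


def policy_permits(policy_xml, origin_host, dest_port):
    """Would this socket policy let a SWF from origin_host connect to dest_port?"""
    root = ET.fromstring(policy_xml)
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        host_ok = domain == "*" or domain == origin_host or (
            domain.startswith("*.") and origin_host.endswith(domain[1:]))
        # to-ports is required in socket policy files; a missing value permits nothing.
        if host_ok and port_permitted(rule.get("to-ports", ""), dest_port):
            return True
    return False


def run_exchange():
    """Run server and client over a socketpair; return the policy bytes the client received."""
    client_end, server_end = socket.socketpair()
    server = threading.Thread(target=serve_one, args=(server_end,))
    server.start()
    reply = fetch_policy(client_end)
    server.join()
    return reply


if __name__ == "__main__":
    policy = run_exchange()
    print(policy.decode())
    print("swf-host.example -> 8443:", policy_permits(policy, "swf-host.example", 8443))
    print("other.example    -> 8443:", policy_permits(policy, "other.example", 8443))
```

                The server answers nothing to a request that is not exactly `<policy-file-request/>`, and the client stops reading if the peer closes before the NUL or exceeds the size limit, so a misbehaving peer on either side results in a rejected connection rather than a hang on unbounded input.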