You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@flex.apache.org by Erik de Bruin <er...@ixsoftware.nl> on 2015/02/04 10:08:17 UTC
[Installer - FLEX-34251] Is SSK needed for load installer config?
(was: "Re: sdk 4.14.0 100% install failures")
Please continue discussion on this issue in this thread.
Thanks,
EdB
On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin <er...@ixsoftware.nl> wrote:
> Good find!
>
> This issue matches the following JIRA issue:
> https://issues.apache.org/jira/browse/FLEX-34251
>
> Please use that to work on this bug. I also changed the subject to
> make the reference more obvious ;-)
>
> EdB
>
>
>
> On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings <pa...@gmail.com> wrote:
>> On 2/4/2015 6:36 AM, Justin Mclean wrote:
>>>
>>> Hi,
>>>
>>>> I just tried it on windows, everything went fine without errors.
>>
>>
>> IE8 (64 bit) on windows 7 failed to connect to the
>> apache-flex-sdk-installer-config.xml URL, getting
>>
>> "There is a problem with this website's security certificate.." error. i
>> went into tools==>advanced==>security & turned on TLS 1.1 & TLS 1.2. IE8
>> could connect ok after that.
>>
>> next tried the installer again & holy crap worked ok first time.
>>
>> this is disturbing at a couple of levels.
>>
>> - i suppose IE is as good a choice as any to pick up internet options for
>> consumer apps but for devs its kind of out in left field. is this documented
>> anyplace? if not, somebody should probably spread the word.
>>
>> - the folks who accounted for the 93% windows successful installs need to
>> turn in their nerd cards for having a working IE browser ;-)
>>
>>
>>
>>
>>
>>
>>
>
>
>
> --
> Ix Multimedia Software
>
> Jan Luykenstraat 27
> 3521 VB Utrecht
>
> T. 06-51952295
> I. www.ixsoftware.nl
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Paul Hastings <pa...@gmail.com>.
On 2/4/2015 10:30 PM, Tom Chiverton wrote:
> TLS 1.x is fast becoming mandatory for SSL connections. This page
> http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
> has a chart showing TLS support by O/S, and indicates Windows 7 should
> support it, I assume by default.
while it may support those options, they aren't turned on by default.
if you take a look at the image "Supported SSL protocols under “Advanced” tab of
IE 9 on Windows 7" from that article you'll what i saw when i "fixed" this. 1.1
& 1.2 were turned off.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Paul Hastings <pa...@gmail.com>.
On 2/5/2015 4:53 PM, Tom Chiverton wrote:
> If people's Windows settings are incompatible with modern web sites
people as in "people who don't normally use IE". chrome reaches the config file
site just fine (ditto for firefox). as justin pointed out most developers aren't
big fans of IE, so this probably isn't that rare a case.
> (against Microsoft advice) then they will encounter more and more
> problems with time.
not if they don't use IE.
> I still think we should just document it, and suggest checking the
> settings when we get failures on Windows, and as a plan B look at the
just documenting this would be a fine solution as well.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Tom Chiverton <tc...@extravision.com>.
On 04/02/15 17:38, Erik de Bruin wrote:
> Only if you think a man-in-the-middle attack that hijacks both the
> download and the MD5 request is more likely than the bad guys having
> backdoor access to the servers actually hosting those files. And given
> the fact that those servers reside in the US and that Snowden's main
> revelation wasn't about a foreign power having access to nearly every
> bit in the US, I say we don't worry too much about it;-)
If people's Windows settings are incompatible with modern web sites
(against Microsoft advice) then they will encounter more and more
problems with time.
We just happen to be seeing some fall out.
I still think we should just document it, and suggest checking the
settings when we get failures on Windows, and as a plan B look at the
AS3-native HTTPS implementation that doesn't use the underlying O/S.
I wont veto any change to HTTP though; life is too short and I'm out
numbered,
Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Erik de Bruin <er...@ixsoftware.nl>.
>>> In another thread, I think Tom C says we should be using https to
>>>deliver
>>> all of our bits, which we aren’t today. What do folks think?
>>
>>-1. We are already doing MD5 checks on downloaded artifacts. I am not
>>sure what benefit https is going to add here.
>
> It looks like we currently pull our MD5 files over https. So changing to
> pull the installer config files over http probably just means folks will
> get stuck on the MD5 fetch. Does changing the MD5 download to HTTP make
> it unsecure?
Only if you think a man-in-the-middle attack that hijacks both the
download and the MD5 request is more likely than the bad guys having
backdoor access to the servers actually hosting those files. And given
the fact that those servers reside in the US and that Snowden's main
revelation wasn't about a foreign power having access to nearly every
bit in the US, I say we don't worry too much about it ;-)
EdB
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/4/15, 9:14 AM, "OmPrakash Muppirala" <bi...@gmail.com> wrote:
>On Feb 4, 2015 9:03 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> In another thread, I think Tom C says we should be using https to
>>deliver
>> all of our bits, which we aren’t today. What do folks think?
>
>-1. We are already doing MD5 checks on downloaded artifacts. I am not
>sure what benefit https is going to add here.
It looks like we currently pull our MD5 files over https. So changing to
pull the installer config files over http probably just means folks will
get stuck on the MD5 fetch. Does changing the MD5 download to HTTP make
it unsecure?
-Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Feb 4, 2015 9:03 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> In another thread, I think Tom C says we should be using https to deliver
> all of our bits, which we aren’t today. What do folks think?
-1. We are already doing MD5 checks on downloaded artifacts. I am not
sure what benefit https is going to add here.
Thanks,
Om
>
> -Alex
>
> On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> >I thought the change to http was going to be in the
> >sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
> >artifact is coming from the mirrors, the Installer uses https to get MD5
> >and the apache-flex-sdk-installer-config.xml file. Should we use http to
> >get the MD5s as well? If so, that is a simple change we can test in the
> >nightly builds.
> >
> >-Alex
> >
> >On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
> >
> >>+1 here as well, especially since that would be an 'easyfix' ;-)
> >>
> >>EdB
> >>
> >>
> >>
> >>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
> >><bi...@gmail.com> wrote:
> >>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >>>>
> >>>> Another question for you guys, since I don’t have any expertise in
> >>>>this
> >>>> area, would we in fact skirt around this by hitting http for more of
> >>>>our
> >>>> downloads instead of https?
> >>>>
> >>>
> >>> +1 to hitting http by default.
> >>>
> >>> Thanks,
> >>> Om
> >>>
> >>>> -Alex
> >>>>
> >>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
> >>>>
> >>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
> >>>>made
> >>>> >> available in XP, if you turned it on.
> >>>> >
> >>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
> >>>> >
> >>>>
> >>
> >>
> >>
> >>--
> >>Ix Multimedia Software
> >>
> >>Jan Luykenstraat 27
> >>3521 VB Utrecht
> >>
> >>T. 06-51952295
> >>I. www.ixsoftware.nl
> >
>
Re: TLF additions documentation?
Posted by jude <fl...@gmail.com>.
Here's a Table Explorer, http://pastebin.com/Uzxz2ep6 I've used. The API
has changed slightly since I used it and you are likely to encounter bugs
(possibly real / possibly incorrect usage). I can send you the exported
project as well as this is missing some icons. Just email me and I'll send
it to you.
On Wed, Feb 4, 2015 at 1:09 PM, OmPrakash Muppirala <bi...@gmail.com>
wrote:
> It would be great if you or Jude can create a basic wiki page from these
> two documents.
>
> Thanks,
> Om
>
> On Wed, Feb 4, 2015 at 12:44 PM, Harbs <ha...@gmail.com> wrote:
>
> > Hi Jason,
> >
> > I’ve been a bit remiss in documenting it.
> >
> > Here’s my noted that I was keeping while working on this:
> >
> >
> https://docs.google.com/document/d/1sT0IAiMfIOBVgmo8wwF6ZZviuNFcW2bUfQoj0zDmSog/edit#
> >
> > Here’s a small app I was using while developing. It should give you an
> > idea how to use the APIs.
> > http://pastebin.com/dytnv32a
> >
> > Until we have proper docs, feel free to ask questions…
> >
> > Harbs
> >
> > On Feb 4, 2015, at 9:29 PM, Jason Taylor <ja...@dedoose.com> wrote:
> >
> > > Hey all, very excited that TLF has some support for tables, but I'm not
> > sure where to find any documentation on this feature. Can you guys help
> me
> > out there? If I understand correctly, there is also currently no
> additions
> > to the export/import of FXML supporting the table additions? Any
> pointers
> > on where I can look at in the source to add support for this as our team
> > adds this feature into Dedoose? Thanks again for all you're great work.
> > >
> > > ~ JT
> >
> >
>
Re: TLF additions documentation?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
It would be great if you or Jude can create a basic wiki page from these
two documents.
Thanks,
Om
On Wed, Feb 4, 2015 at 12:44 PM, Harbs <ha...@gmail.com> wrote:
> Hi Jason,
>
> I’ve been a bit remiss in documenting it.
>
> Here’s my noted that I was keeping while working on this:
>
> https://docs.google.com/document/d/1sT0IAiMfIOBVgmo8wwF6ZZviuNFcW2bUfQoj0zDmSog/edit#
>
> Here’s a small app I was using while developing. It should give you an
> idea how to use the APIs.
> http://pastebin.com/dytnv32a
>
> Until we have proper docs, feel free to ask questions…
>
> Harbs
>
> On Feb 4, 2015, at 9:29 PM, Jason Taylor <ja...@dedoose.com> wrote:
>
> > Hey all, very excited that TLF has some support for tables, but I'm not
> sure where to find any documentation on this feature. Can you guys help me
> out there? If I understand correctly, there is also currently no additions
> to the export/import of FXML supporting the table additions? Any pointers
> on where I can look at in the source to add support for this as our team
> adds this feature into Dedoose? Thanks again for all you're great work.
> >
> > ~ JT
>
>
Re: TLF additions documentation?
Posted by Harbs <ha...@gmail.com>.
Hi Jason,
I’ve been a bit remiss in documenting it.
Here’s my noted that I was keeping while working on this:
https://docs.google.com/document/d/1sT0IAiMfIOBVgmo8wwF6ZZviuNFcW2bUfQoj0zDmSog/edit#
Here’s a small app I was using while developing. It should give you an idea how to use the APIs.
http://pastebin.com/dytnv32a
Until we have proper docs, feel free to ask questions…
Harbs
On Feb 4, 2015, at 9:29 PM, Jason Taylor <ja...@dedoose.com> wrote:
> Hey all, very excited that TLF has some support for tables, but I'm not sure where to find any documentation on this feature. Can you guys help me out there? If I understand correctly, there is also currently no additions to the export/import of FXML supporting the table additions? Any pointers on where I can look at in the source to add support for this as our team adds this feature into Dedoose? Thanks again for all you're great work.
>
> ~ JT
TLF additions documentation?
Posted by Jason Taylor <ja...@dedoose.com>.
Hey all, very excited that TLF has some support for tables, but I'm not sure where to find any documentation on this feature. Can you guys help me out there? If I understand correctly, there is also currently no additions to the export/import of FXML supporting the table additions? Any pointers on where I can look at in the source to add support for this as our team adds this feature into Dedoose? Thanks again for all you're great work.
~ JT
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
Very weird. This time when I hit the link I ended up at
https://code.google.com/p/as3httpclient/
Which does show BSD, but last time I ended up at
https://code.google.com/p/as3httpclientlib/
Which shows MIT. I guess there is more than one version of AS3 Native
HTTP. Whoever works on it can pick one or the other as long as the
LICENSE is updated correctly.
-Alex
On 2/5/15, 7:30 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
>Weird, I see BSD instead of MIT... Maybe it shows one for the US, and
>another for the world?
>
>EdB
>
>
>
>On Thu, Feb 5, 2015 at 4:25 PM, Alex Harui <ah...@adobe.com> wrote:
>>
>>
>> On 2/5/15, 12:23 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:
>>
>>>Hi,
>>>
>>>> Looks like it is MIT license so ok to use.
>>>
>>>It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1]
>>
>> Ugh. Did you find BSD somewhere? That could mean the authors didn’t
>> handle their IP carefully.
>>
>> When I go to their site [2] on the left column it clearly says “MIT
>> License” and on GitHub the License.txt file [3] looks like MIT to me.
>>Or
>> am I missing something.
>>
>> -Alex
>>
>>>
>>>Justin
>>>
>>>1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
>>
>> [2] https://code.google.com/p/as3httpclient/
>> [3] https://github.com/gabriel/as3httpclient/blob/master/License.txt
>>
>
>
>
>--
>Ix Multimedia Software
>
>Jan Luykenstraat 27
>3521 VB Utrecht
>
>T. 06-51952295
>I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Erik de Bruin <er...@ixsoftware.nl>.
Weird, I see BSD instead of MIT... Maybe it shows one for the US, and
another for the world?
EdB
On Thu, Feb 5, 2015 at 4:25 PM, Alex Harui <ah...@adobe.com> wrote:
>
>
> On 2/5/15, 12:23 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:
>
>>Hi,
>>
>>> Looks like it is MIT license so ok to use.
>>
>>It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1]
>
> Ugh. Did you find BSD somewhere? That could mean the authors didn’t
> handle their IP carefully.
>
> When I go to their site [2] on the left column it clearly says “MIT
> License” and on GitHub the License.txt file [3] looks like MIT to me. Or
> am I missing something.
>
> -Alex
>
>>
>>Justin
>>
>>1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
>
> [2] https://code.google.com/p/as3httpclient/
> [3] https://github.com/gabriel/as3httpclient/blob/master/License.txt
>
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/5/15, 12:23 AM, "Justin Mclean" <ju...@classsoftware.com> wrote:
>Hi,
>
>> Looks like it is MIT license so ok to use.
>
>It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1]
Ugh. Did you find BSD somewhere? That could mean the authors didn’t
handle their IP carefully.
When I go to their site [2] on the left column it clearly says “MIT
License” and on GitHub the License.txt file [3] looks like MIT to me. Or
am I missing something.
-Alex
>
>Justin
>
>1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
[2] https://code.google.com/p/as3httpclient/
[3] https://github.com/gabriel/as3httpclient/blob/master/License.txt
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,
> Looks like it is MIT license so ok to use.
It's BSD not MIT but that's also OK assuming you add it to LICENSE. [1]
Justin
1. http://www.apache.org/dev/licensing-howto.html#permissive-deps
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/4/15, 11:41 PM, "piotrz" <pi...@gmail.com> wrote:
>Hi Om, Alex,
>
>So can we just use this library ? Any license objections ? Or it is too
>big
>and better write our own logic ?
Looks like it is MIT license so ok to use.
-Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer
config?
Posted by piotrz <pi...@gmail.com>.
Hi Om, Alex,
So can we just use this library ? Any license objections ? Or it is too big
and better write our own logic ?
Om,
This is right link, because I see couple of links in google:
https://code.google.com/p/as3httpclient/
Piotr
-----
Apache Flex PMC
piotrzarzycki21@gmail.com
--
View this message in context: http://apache-flex-development.2333347.n4.nabble.com/Installer-FLEX-34251-Is-SSK-needed-for-load-installer-config-was-Re-sdk-4-14-0-100-install-failures-tp44913p44955.html
Sent from the Apache Flex Development mailing list archive at Nabble.com.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/4/15, 6:12 PM, "OmPrakash Muppirala" <bi...@gmail.com> wrote:
>On Feb 4, 2015 5:33 PM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> Sounds reasonable.
>>
>> The AIR downloading code via URLLoader just seems sensitive. Do we know
>> if we use AIR sockets and build our own http download protocol on top if
>> it will bypass the IE libraries underneath?
>
>Yes, it will. I use the as3httpclient in my projects and it should work
>fine and bypass any browser based settings.
Any volunteers to try this out? It would be a big deal if it made a
noticeable dent in the number of failed installs.
-Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
I'd recommend against using the client to bypass the windows settings. If
we do, the we need to expose properties like Proxy Settings, and need to
deal with locations that disallow large TCP window sizes (for example,
users on AT&T DSL have to force their TCP Window size to 1440 instead of
1500 which is the OS default). We would need to package in an ANE to read
the registry settings for these settings if we plan on doing the download
raw.
-Nick
On Wed, Feb 4, 2015 at 9:12 PM, OmPrakash Muppirala <bi...@gmail.com>
wrote:
> On Feb 4, 2015 5:33 PM, "Alex Harui" <ah...@adobe.com> wrote:
> >
> > Sounds reasonable.
> >
> > The AIR downloading code via URLLoader just seems sensitive. Do we know
> > if we use AIR sockets and build our own http download protocol on top if
> > it will bypass the IE libraries underneath?
>
> Yes, it will. I use the as3httpclient in my projects and it should work
> fine and bypass any browser based settings.
>
> Thanks,
> Om
>
> >
> > -Alex
> >
> > On 2/4/15, 11:03 AM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
> >
> > >An option we could use is to try https first. If it fails, present the
> > >user to drop down to http. This should take care of all use cases, yet
> > >still allow the user control the security level...
> > >
> > >-Nick
> > >
> > >On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui <ah...@adobe.com> wrote:
> > >
> > >> In another thread, I think Tom C says we should be using https to
> > >>deliver
> > >> all of our bits, which we aren’t today. What do folks think?
> > >>
> > >> -Alex
> > >>
> > >> On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
> > >>
> > >> >I thought the change to http was going to be in the
> > >> >sdk-installer-config-4.0.xml file but it turns out it isn’t. When
> the
> > >> >artifact is coming from the mirrors, the Installer uses https to get
> > >>MD5
> > >> >and the apache-flex-sdk-installer-config.xml file. Should we use
> http
> > >>to
> > >> >get the MD5s as well? If so, that is a simple change we can test in
> > >>the
> > >> >nightly builds.
> > >> >
> > >> >-Alex
> > >> >
> > >> >On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
> > >> >
> > >> >>+1 here as well, especially since that would be an 'easyfix' ;-)
> > >> >>
> > >> >>EdB
> > >> >>
> > >> >>
> > >> >>
> > >> >>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
> > >> >><bi...@gmail.com> wrote:
> > >> >>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
> > >> >>>>
> > >> >>>> Another question for you guys, since I don’t have any expertise
> in
> > >> >>>>this
> > >> >>>> area, would we in fact skirt around this by hitting http for more
> > >>of
> > >> >>>>our
> > >> >>>> downloads instead of https?
> > >> >>>>
> > >> >>>
> > >> >>> +1 to hitting http by default.
> > >> >>>
> > >> >>> Thanks,
> > >> >>> Om
> > >> >>>
> > >> >>>> -Alex
> > >> >>>>
> > >> >>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com>
> > >>wrote:
> > >> >>>>
> > >> >>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> > >> >>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It
> > >>was
> > >> >>>>made
> > >> >>>> >> available in XP, if you turned it on.
> > >> >>>> >
> > >> >>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here)
> weren't.
> > >> >>>> >
> > >> >>>>
> > >> >>
> > >> >>
> > >> >>
> > >> >>--
> > >> >>Ix Multimedia Software
> > >> >>
> > >> >>Jan Luykenstraat 27
> > >> >>3521 VB Utrecht
> > >> >>
> > >> >>T. 06-51952295
> > >> >>I. www.ixsoftware.nl
> > >> >
> > >>
> > >>
> >
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Feb 4, 2015 5:33 PM, "Alex Harui" <ah...@adobe.com> wrote:
>
> Sounds reasonable.
>
> The AIR downloading code via URLLoader just seems sensitive. Do we know
> if we use AIR sockets and build our own http download protocol on top if
> it will bypass the IE libraries underneath?
Yes, it will. I use the as3httpclient in my projects and it should work
fine and bypass any browser based settings.
Thanks,
Om
>
> -Alex
>
> On 2/4/15, 11:03 AM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
>
> >An option we could use is to try https first. If it fails, present the
> >user to drop down to http. This should take care of all use cases, yet
> >still allow the user control the security level...
> >
> >-Nick
> >
> >On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui <ah...@adobe.com> wrote:
> >
> >> In another thread, I think Tom C says we should be using https to
> >>deliver
> >> all of our bits, which we aren’t today. What do folks think?
> >>
> >> -Alex
> >>
> >> On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >>
> >> >I thought the change to http was going to be in the
> >> >sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
> >> >artifact is coming from the mirrors, the Installer uses https to get
> >>MD5
> >> >and the apache-flex-sdk-installer-config.xml file. Should we use http
> >>to
> >> >get the MD5s as well? If so, that is a simple change we can test in
> >>the
> >> >nightly builds.
> >> >
> >> >-Alex
> >> >
> >> >On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
> >> >
> >> >>+1 here as well, especially since that would be an 'easyfix' ;-)
> >> >>
> >> >>EdB
> >> >>
> >> >>
> >> >>
> >> >>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
> >> >><bi...@gmail.com> wrote:
> >> >>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >> >>>>
> >> >>>> Another question for you guys, since I don’t have any expertise in
> >> >>>>this
> >> >>>> area, would we in fact skirt around this by hitting http for more
> >>of
> >> >>>>our
> >> >>>> downloads instead of https?
> >> >>>>
> >> >>>
> >> >>> +1 to hitting http by default.
> >> >>>
> >> >>> Thanks,
> >> >>> Om
> >> >>>
> >> >>>> -Alex
> >> >>>>
> >> >>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com>
> >>wrote:
> >> >>>>
> >> >>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >> >>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It
> >>was
> >> >>>>made
> >> >>>> >> available in XP, if you turned it on.
> >> >>>> >
> >> >>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here)
weren't.
> >> >>>> >
> >> >>>>
> >> >>
> >> >>
> >> >>
> >> >>--
> >> >>Ix Multimedia Software
> >> >>
> >> >>Jan Luykenstraat 27
> >> >>3521 VB Utrecht
> >> >>
> >> >>T. 06-51952295
> >> >>I. www.ixsoftware.nl
> >> >
> >>
> >>
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
Sounds reasonable.
The AIR downloading code via URLLoader just seems sensitive. Do we know
if we use AIR sockets and build our own http download protocol on top if
it will bypass the IE libraries underneath?
-Alex
On 2/4/15, 11:03 AM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
>An option we could use is to try https first. If it fails, present the
>user to drop down to http. This should take care of all use cases, yet
>still allow the user control the security level...
>
>-Nick
>
>On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui <ah...@adobe.com> wrote:
>
>> In another thread, I think Tom C says we should be using https to
>>deliver
>> all of our bits, which we aren’t today. What do folks think?
>>
>> -Alex
>>
>> On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> >I thought the change to http was going to be in the
>> >sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
>> >artifact is coming from the mirrors, the Installer uses https to get
>>MD5
>> >and the apache-flex-sdk-installer-config.xml file. Should we use http
>>to
>> >get the MD5s as well? If so, that is a simple change we can test in
>>the
>> >nightly builds.
>> >
>> >-Alex
>> >
>> >On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
>> >
>> >>+1 here as well, especially since that would be an 'easyfix' ;-)
>> >>
>> >>EdB
>> >>
>> >>
>> >>
>> >>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
>> >><bi...@gmail.com> wrote:
>> >>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>> >>>>
>> >>>> Another question for you guys, since I don’t have any expertise in
>> >>>>this
>> >>>> area, would we in fact skirt around this by hitting http for more
>>of
>> >>>>our
>> >>>> downloads instead of https?
>> >>>>
>> >>>
>> >>> +1 to hitting http by default.
>> >>>
>> >>> Thanks,
>> >>> Om
>> >>>
>> >>>> -Alex
>> >>>>
>> >>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com>
>>wrote:
>> >>>>
>> >>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>> >>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It
>>was
>> >>>>made
>> >>>> >> available in XP, if you turned it on.
>> >>>> >
>> >>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>> >>>> >
>> >>>>
>> >>
>> >>
>> >>
>> >>--
>> >>Ix Multimedia Software
>> >>
>> >>Jan Luykenstraat 27
>> >>3521 VB Utrecht
>> >>
>> >>T. 06-51952295
>> >>I. www.ixsoftware.nl
>> >
>>
>>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
An option we could use is to try https first. If it fails, present the
user to drop down to http. This should take care of all use cases, yet
still allow the user control the security level...
-Nick
On Wed, Feb 4, 2015 at 12:02 PM, Alex Harui <ah...@adobe.com> wrote:
> In another thread, I think Tom C says we should be using https to deliver
> all of our bits, which we aren’t today. What do folks think?
>
> -Alex
>
> On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> >I thought the change to http was going to be in the
> >sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
> >artifact is coming from the mirrors, the Installer uses https to get MD5
> >and the apache-flex-sdk-installer-config.xml file. Should we use http to
> >get the MD5s as well? If so, that is a simple change we can test in the
> >nightly builds.
> >
> >-Alex
> >
> >On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
> >
> >>+1 here as well, especially since that would be an 'easyfix' ;-)
> >>
> >>EdB
> >>
> >>
> >>
> >>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
> >><bi...@gmail.com> wrote:
> >>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >>>>
> >>>> Another question for you guys, since I don’t have any expertise in
> >>>>this
> >>>> area, would we in fact skirt around this by hitting http for more of
> >>>>our
> >>>> downloads instead of https?
> >>>>
> >>>
> >>> +1 to hitting http by default.
> >>>
> >>> Thanks,
> >>> Om
> >>>
> >>>> -Alex
> >>>>
> >>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
> >>>>
> >>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
> >>>>made
> >>>> >> available in XP, if you turned it on.
> >>>> >
> >>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
> >>>> >
> >>>>
> >>
> >>
> >>
> >>--
> >>Ix Multimedia Software
> >>
> >>Jan Luykenstraat 27
> >>3521 VB Utrecht
> >>
> >>T. 06-51952295
> >>I. www.ixsoftware.nl
> >
>
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
In another thread, I think Tom C says we should be using https to deliver
all of our bits, which we aren’t today. What do folks think?
-Alex
On 2/4/15, 8:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
>I thought the change to http was going to be in the
>sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
>artifact is coming from the mirrors, the Installer uses https to get MD5
>and the apache-flex-sdk-installer-config.xml file. Should we use http to
>get the MD5s as well? If so, that is a simple change we can test in the
>nightly builds.
>
>-Alex
>
>On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
>
>>+1 here as well, especially since that would be an 'easyfix' ;-)
>>
>>EdB
>>
>>
>>
>>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
>><bi...@gmail.com> wrote:
>>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>>>
>>>> Another question for you guys, since I don’t have any expertise in
>>>>this
>>>> area, would we in fact skirt around this by hitting http for more of
>>>>our
>>>> downloads instead of https?
>>>>
>>>
>>> +1 to hitting http by default.
>>>
>>> Thanks,
>>> Om
>>>
>>>> -Alex
>>>>
>>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>>>
>>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
>>>>made
>>>> >> available in XP, if you turned it on.
>>>> >
>>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>>>> >
>>>>
>>
>>
>>
>>--
>>Ix Multimedia Software
>>
>>Jan Luykenstraat 27
>>3521 VB Utrecht
>>
>>T. 06-51952295
>>I. www.ixsoftware.nl
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
I thought the change to http was going to be in the
sdk-installer-config-4.0.xml file but it turns out it isn’t. When the
artifact is coming from the mirrors, the Installer uses https to get MD5
and the apache-flex-sdk-installer-config.xml file. Should we use http to
get the MD5s as well? If so, that is a simple change we can test in the
nightly builds.
-Alex
On 2/4/15, 8:12 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
>+1 here as well, especially since that would be an 'easyfix' ;-)
>
>EdB
>
>
>
>On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
><bi...@gmail.com> wrote:
>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>>
>>> Another question for you guys, since I don’t have any expertise in this
>>> area, would we in fact skirt around this by hitting http for more of
>>>our
>>> downloads instead of https?
>>>
>>
>> +1 to hitting http by default.
>>
>> Thanks,
>> Om
>>
>>> -Alex
>>>
>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>>
>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
>>>made
>>> >> available in XP, if you turned it on.
>>> >
>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>>> >
>>>
>
>
>
>--
>Ix Multimedia Software
>
>Jan Luykenstraat 27
>3521 VB Utrecht
>
>T. 06-51952295
>I. www.ixsoftware.nl
RE: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Neil Madsen <li...@cranialinteractive.com>.
I just tried it out with v3.2 installer by changing the only place that
actually calls an https other than one call to goog closure for FlexJS and I
didn't get any errors during the install.
I did see in the log file and Charles a couple other https urls.
>From the log
Downloading 2.2.zip from:
https://github.com/swfobject/swfobject/archive
>From Charles
https://github.com:443
https://codeload.github.com:443
https://fonts.googleapis.com:443
https://fonts.gstatic.com:443
The quick fix is to change line 50 in 'MD5CompareUtil.as' from
public static const MD5_DOMAIN:String = "https://www.apache.org/dist/";
to
public static const MD5_DOMAIN:String = "http://www.apache.org/dist/";
This is definitely the easiest fix to apply if no one else has any problems
with installing.
Maybe the people that were having issues before could give that a try and
let us know if that does indeed fix the issue.
Neil
-----Original Message-----
From: Erik de Bruin [mailto:erik@ixsoftware.nl]
Sent: February-04-15 9:13 AM
To: dev@flex.apache.org
Cc: Paul Hastings
Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer
config?
+1 here as well, especially since that would be an 'easyfix' ;-)
EdB
On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala <bi...@gmail.com>
wrote:
> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> Another question for you guys, since I don't have any expertise in
>> this area, would we in fact skirt around this by hitting http for
>> more of our downloads instead of https?
>>
>
> +1 to hitting http by default.
>
> Thanks,
> Om
>
>> -Alex
>>
>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>
>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
>> >> made available in XP, if you turned it on.
>> >
>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>> >
>>
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Erik de Bruin <er...@ixsoftware.nl>.
However, we do need to verify that hitting HTTP doesn't cause too many
redirects (possibly to HTTPS), as I seem to remember that redirects
sometimes cause trouble for AIR and not to mention that we'd be back
to square one if that would happen...
EdB
On Wed, Feb 4, 2015 at 5:12 PM, Erik de Bruin <er...@ixsoftware.nl> wrote:
> +1 here as well, especially since that would be an 'easyfix' ;-)
>
> EdB
>
>
>
> On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
> <bi...@gmail.com> wrote:
>> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>>
>>> Another question for you guys, since I don’t have any expertise in this
>>> area, would we in fact skirt around this by hitting http for more of our
>>> downloads instead of https?
>>>
>>
>> +1 to hitting http by default.
>>
>> Thanks,
>> Om
>>
>>> -Alex
>>>
>>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>>
>>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
>>> >> available in XP, if you turned it on.
>>> >
>>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>>> >
>>>
>
>
>
> --
> Ix Multimedia Software
>
> Jan Luykenstraat 27
> 3521 VB Utrecht
>
> T. 06-51952295
> I. www.ixsoftware.nl
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Erik de Bruin <er...@ixsoftware.nl>.
+1 here as well, especially since that would be an 'easyfix' ;-)
EdB
On Wed, Feb 4, 2015 at 5:11 PM, OmPrakash Muppirala
<bi...@gmail.com> wrote:
> On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> Another question for you guys, since I don’t have any expertise in this
>> area, would we in fact skirt around this by hitting http for more of our
>> downloads instead of https?
>>
>
> +1 to hitting http by default.
>
> Thanks,
> Om
>
>> -Alex
>>
>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>
>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
>> >> available in XP, if you turned it on.
>> >
>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>> >
>>
--
Ix Multimedia Software
Jan Luykenstraat 27
3521 VB Utrecht
T. 06-51952295
I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Harbs <ha...@gmail.com>.
FWIW, when I tried to implement a socket server for Flash, I ran into more issues than with URLLoader. Although, I don’t remember any details.
On Feb 8, 2015, at 6:50 PM, Alex Harui <ah...@adobe.com> wrote:
>
>
> On 2/6/15, 2:56 PM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
>
>>
>> I have some time to implement the as3httpdlib this weekend if that is the
>> direction we want to go.
>
> Sounds good to me, go for it!
>
> -Alex
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
I've got it refactored on my own local branch, but it's a big enough change
I might submit it separately. I hate to say it, but working on this really
makes my head hurt.
I've got the as3httpdlib working on my local copy. I need a bit to clean
it up -- should have it ready this evening or tomorrow.
-Nick
On Sun, Feb 8, 2015 at 2:58 PM, OmPrakash Muppirala <bi...@gmail.com>
wrote:
> On Feb 8, 2015 8:52 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >
> >
> >
> > On 2/6/15, 2:56 PM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
> >
> > >
> > >I have some time to implement the as3httpdlib this weekend if that is
> the
> > >direction we want to go.
> >
> > Sounds good to me, go for it!
>
> And some refactoring of the main mxml file would be good, as you noted in
> one of your tweets :-)
>
> Thanks,
> Om
>
> >
> > -Alex
> >
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Feb 8, 2015 8:52 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
>
>
> On 2/6/15, 2:56 PM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
>
> >
> >I have some time to implement the as3httpdlib this weekend if that is the
> >direction we want to go.
>
> Sounds good to me, go for it!
And some refactoring of the main mxml file would be good, as you noted in
one of your tweets :-)
Thanks,
Om
>
> -Alex
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/6/15, 2:56 PM, "Nicholas Kwiatkowski" <ni...@spoon.as> wrote:
>
>I have some time to implement the as3httpdlib this weekend if that is the
>direction we want to go.
Sounds good to me, go for it!
-Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
Ok. Digging into this a bit more, the only time we will ever use HTTPS is
during the Installer Config download and the MD5s.
No reason why we need to be tunneling the Installer Config through HTTPS.
All it contains is localization strings for the current version. MD5 paths
(and all paths, really) are stored on the Apache DIST server, and is pulled
down via HTTP.
MD5s are actually pulled down using HTTPS, again at the Apache DIST
server. This is valuable to protect via HTTPS.
None of the Apache mirrors are serving files via HTTPS (if they are, they
aren't telling Apache about it -- or Apache isn't cataloging it).
Since nothing larger than 4k is being transferred over https, we don't have
to worry about using a raw https session that screws with TCP Window sizes
(essentially, if you try to create TCP packets too large in one shot, you
will get fragments, which causes major overhead and can cause the
download/upload speed to decrease by 60%). The proxy thing would still
need to be addressed -- but those are becoming more and more rare. No idea
how many people still use a proxy server, but they would be affected by
this unless we offer a configuration option for it.
On a side note -- if we are really worried about Man-In-The-Middle attacks,
the two things we should be protecting are the initial configuration
download (http://flex.apache.org/installer/sdk-installer-config-4.0.xml)
and the MD5s. Everything else is checked via checksums, so we are safe
there. We currently don't pull the sdk-installer-config-4.0.xml file off
HTTPS, and maybe we should. I'd vote for dropping
/dist/flex/4.14.0/binaries/apache-flex-sdk-installer-config.xml from being
pulled over https.
I have some time to implement the as3httpdlib this weekend if that is the
direction we want to go.
-Nick
On Fri, Feb 6, 2015 at 11:16 AM, OmPrakash Muppirala <bi...@gmail.com>
wrote:
> On Feb 6, 2015 7:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
> >
> >
> >
> > On 2/6/15, 1:11 AM, "Tom Chiverton" <tc...@extravision.com> wrote:
> >
> > >On 05/02/15 16:56, Alex Harui wrote:
> > >> What do others think? IMO, for 3.2 we should just do the swap of an
> AS3
> > >> native HTTP implementation and not switch our urls to HTTP or add some
> > >> checkbox. Then we can get better data on how many problems that
> change
> > >> solved or if it introduces new issues. Not that I’m volunteering to
> do
> > >> that work.
> > >I vote for doing this. As you say, there's a chance everything will Just
> > >Work with it.
> >
> > Well, Nick is saying there will be other issues. Om, have you run into
> > the issues Nick brings up?
> >
>
> No, I have not. But I've never had to deal with large downloads using this
> library. In any case, I still think we should give it a try.
>
> Thanks,
> Om
>
> > -Alex
> >
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Feb 6, 2015 7:37 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
>
>
> On 2/6/15, 1:11 AM, "Tom Chiverton" <tc...@extravision.com> wrote:
>
> >On 05/02/15 16:56, Alex Harui wrote:
> >> What do others think? IMO, for 3.2 we should just do the swap of an
AS3
> >> native HTTP implementation and not switch our urls to HTTP or add some
> >> checkbox. Then we can get better data on how many problems that change
> >> solved or if it introduces new issues. Not that I’m volunteering to do
> >> that work.
> >I vote for doing this. As you say, there's a chance everything will Just
> >Work with it.
>
> Well, Nick is saying there will be other issues. Om, have you run into
> the issues Nick brings up?
>
No, I have not. But I've never had to deal with large downloads using this
library. In any case, I still think we should give it a try.
Thanks,
Om
> -Alex
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
On 2/6/15, 1:11 AM, "Tom Chiverton" <tc...@extravision.com> wrote:
>On 05/02/15 16:56, Alex Harui wrote:
>> What do others think? IMO, for 3.2 we should just do the swap of an AS3
>> native HTTP implementation and not switch our urls to HTTP or add some
>> checkbox. Then we can get better data on how many problems that change
>> solved or if it introduces new issues. Not that I’m volunteering to do
>> that work.
>I vote for doing this. As you say, there's a chance everything will Just
>Work with it.
Well, Nick is saying there will be other issues. Om, have you run into
the issues Nick brings up?
-Alex
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Tom Chiverton <tc...@extravision.com>.
On 05/02/15 16:56, Alex Harui wrote:
> What do others think? IMO, for 3.2 we should just do the swap of an AS3
> native HTTP implementation and not switch our urls to HTTP or add some
> checkbox. Then we can get better data on how many problems that change
> solved or if it introduces new issues. Not that I’m volunteering to do
> that work.
I vote for doing this. As you say, there's a chance everything will Just
Work with it.
Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
I’m going to try to see if I can capture where we are:
At least one person got stuck because AIR on Windows uses IE/OS settings
that needed tweaking otherwise it blocked an HTTPS download. Yet of the
list of common failures, many others failed after getting past at least
two HTTPS downloads.
We have several votes to not use https at all. There is still a chance
that now or someday, some download that first attempts http will fail or
be redirected to https.
We have an option to replace URLLoader with an AS3 native HTTP
implementation. AIUI, there is a chance that will just solve everything
and we won’t need to care about HTTP vs HTTPS any more. Can someone
confirm?
A new idea that popped into my head is having a checkbox in the Installer
where you can select to use HTTPS. Is that practical? IMO, we’d default
to HTTP and folks who are concerned would opt in to HTTPS.
What do others think? IMO, for 3.2 we should just do the swap of an AS3
native HTTP implementation and not switch our urls to HTTP or add some
checkbox. Then we can get better data on how many problems that change
solved or if it introduces new issues. Not that I’m volunteering to do
that work.
-Alex
On 2/5/15, 6:06 AM, "Kessler CTR Mark J" <ma...@usmc.mil> wrote:
>+1 to http vs https.
>
>-Mark
>
>-----Original Message-----
>From: omuppi1@gmail.com [mailto:omuppi1@gmail.com] On Behalf Of OmPrakash
>Muppirala
>Sent: Wednesday, February 04, 2015 11:11 AM
>To: dev@flex.apache.org
>Cc: Paul Hastings
>Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer
>config?
>
>On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> Another question for you guys, since I don’t have any expertise in this
>> area, would we in fact skirt around this by hitting http for more of our
>> downloads instead of https?
>>
>
>+1 to hitting http by default.
>
>Thanks,
>Om
>
>> -Alex
>>
>> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>>
>> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was
>>made
>> >> available in XP, if you turned it on.
>> >
>> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>> >
>>
RE: [Installer - FLEX-34251] Is SSK needed for load installer
config?
Posted by Kessler CTR Mark J <ma...@usmc.mil>.
+1 to http vs https.
-Mark
-----Original Message-----
From: omuppi1@gmail.com [mailto:omuppi1@gmail.com] On Behalf Of OmPrakash Muppirala
Sent: Wednesday, February 04, 2015 11:11 AM
To: dev@flex.apache.org
Cc: Paul Hastings
Subject: Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> Another question for you guys, since I don’t have any expertise in this
> area, would we in fact skirt around this by hitting http for more of our
> downloads instead of https?
>
+1 to hitting http by default.
Thanks,
Om
> -Alex
>
> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>
> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
> >> available in XP, if you turned it on.
> >
> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
> >
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Feb 4, 2015 8:09 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> Another question for you guys, since I don’t have any expertise in this
> area, would we in fact skirt around this by hitting http for more of our
> downloads instead of https?
>
+1 to hitting http by default.
Thanks,
Om
> -Alex
>
> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>
> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
> >> available in XP, if you turned it on.
> >
> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
> >
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
Yes. This is purely an SSL issue in regards to new TLS certificates (other
cyptro methods were proven to be weak, so many sites/browsers aren't
supporting them anymore).
-Nick
On Wed, Feb 4, 2015 at 11:08 AM, Alex Harui <ah...@adobe.com> wrote:
> Another question for you guys, since I don’t have any expertise in this
> area, would we in fact skirt around this by hitting http for more of our
> downloads instead of https?
>
> -Alex
>
> On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>
> >On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> >> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
> >> available in XP, if you turned it on.
> >
> >1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
> >
>
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Alex Harui <ah...@adobe.com>.
Another question for you guys, since I don’t have any expertise in this
area, would we in fact skirt around this by hitting http for more of our
downloads instead of https?
-Alex
On 2/4/15, 8:05 AM, "Paul Hastings" <pa...@gmail.com> wrote:
>On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
>> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
>> available in XP, if you turned it on.
>
>1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
Posted by Paul Hastings <pa...@gmail.com>.
On 2/4/2015 10:52 PM, Nicholas Kwiatkowski wrote:
> Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
> available in XP, if you turned it on.
1.0 was on by default, 1.1 & 1.2 (guess the culprit here) weren't.
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
(was: "Re: sdk 4.14.0 100% install failures")
Posted by Nicholas Kwiatkowski <ni...@spoon.as>.
Anything Vista+/Mac OS10.4+ has TLS turned on by default. It was made
available in XP, if you turned it on.
-Nick
On Wed, Feb 4, 2015 at 10:30 AM, Tom Chiverton <tc...@extravision.com> wrote:
> On 04/02/15 15:23, Alex Harui wrote:
>
>> I wonder if on Windows, the Installer should pop an alert when finding a
>> download error and suggest that folks use Internet Explorer to hit the
>> failing download.
>>
>
> At the very least, it'll provide an immediate data point if they report
> it, and may aid people in self-diagnosing the issue.
>
> TLS 1.x is fast becoming mandatory for SSL connections. This page
> http://blogs.msdn.com/b/kaushal/archive/2011/10/02/
> support-for-ssl-tls-protocols-on-windows.aspx
> has a chart showing TLS support by O/S, and indicates Windows 7 should
> support it, I assume by default.
>
> Tom
>
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
(was: "Re: sdk 4.14.0 100% install failures")
Posted by Tom Chiverton <tc...@extravision.com>.
On 04/02/15 15:23, Alex Harui wrote:
> I wonder if on Windows, the Installer should pop an alert when finding a
> download error and suggest that folks use Internet Explorer to hit the
> failing download.
At the very least, it'll provide an immediate data point if they report
it, and may aid people in self-diagnosing the issue.
TLS 1.x is fast becoming mandatory for SSL connections. This page
http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx
has a chart showing TLS support by O/S, and indicates Windows 7 should
support it, I assume by default.
Tom
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
(was: "Re: sdk 4.14.0 100% install failures")
Posted by Alex Harui <ah...@adobe.com>.
Hi Paul,
Thanks for finding that.
I wonder if on Windows, the Installer should pop an alert when finding a
download error and suggest that folks use Internet Explorer to hit the
failing download.
Thoughts?
-Alex
On 2/4/15, 1:08 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:
>Please continue discussion on this issue in this thread.
>
>Thanks,
>
>EdB
>
>
>
>On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin <er...@ixsoftware.nl> wrote:
>> Good find!
>>
>> This issue matches the following JIRA issue:
>> https://issues.apache.org/jira/browse/FLEX-34251
>>
>> Please use that to work on this bug. I also changed the subject to
>> make the reference more obvious ;-)
>>
>> EdB
>>
>>
>>
>> On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings <pa...@gmail.com>
>>wrote:
>>> On 2/4/2015 6:36 AM, Justin Mclean wrote:
>>>>
>>>> Hi,
>>>>
>>>>> I just tried it on windows, everything went fine without errors.
>>>
>>>
>>> IE8 (64 bit) on windows 7 failed to connect to the
>>> apache-flex-sdk-installer-config.xml URL, getting
>>>
>>> "There is a problem with this website's security certificate.." error.
>>>i
>>> went into tools==>advanced==>security & turned on TLS 1.1 & TLS 1.2.
>>>IE8
>>> could connect ok after that.
>>>
>>> next tried the installer again & holy crap worked ok first time.
>>>
>>> this is disturbing at a couple of levels.
>>>
>>> - i suppose IE is as good a choice as any to pick up internet options
>>>for
>>> consumer apps but for devs its kind of out in left field. is this
>>>documented
>>> anyplace? if not, somebody should probably spread the word.
>>>
>>> - the folks who accounted for the 93% windows successful installs need
>>>to
>>> turn in their nerd cards for having a working IE browser ;-)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Ix Multimedia Software
>>
>> Jan Luykenstraat 27
>> 3521 VB Utrecht
>>
>> T. 06-51952295
>> I. www.ixsoftware.nl
>
>
>
>--
>Ix Multimedia Software
>
>Jan Luykenstraat 27
>3521 VB Utrecht
>
>T. 06-51952295
>I. www.ixsoftware.nl
Re: [Installer - FLEX-34251] Is SSK needed for load installer config?
(was: "Re: sdk 4.14.0 100% install failures")
Posted by Tom Chiverton <tc...@extravision.com>.
The IE 'internet options' are actually the Windows internet options,
it's a left over from when IE was illegally tied to Windows.
The question is what are the default settings there - if the defaults
are for those options to be on we don't need to worry ?
Tom
On 04/02/15 09:08, Erik de Bruin wrote:
> Please continue discussion on this issue in this thread.
>
> Thanks,
>
> EdB
>
>
>
> On Wed, Feb 4, 2015 at 10:06 AM, Erik de Bruin <er...@ixsoftware.nl> wrote:
>> Good find!
>>
>> This issue matches the following JIRA issue:
>> https://issues.apache.org/jira/browse/FLEX-34251
>>
>> Please use that to work on this bug. I also changed the subject to
>> make the reference more obvious ;-)
>>
>> EdB
>>
>>
>>
>> On Wed, Feb 4, 2015 at 9:55 AM, Paul Hastings <pa...@gmail.com> wrote:
>>> On 2/4/2015 6:36 AM, Justin Mclean wrote:
>>>> Hi,
>>>>
>>>>> I just tried it on windows, everything went fine without errors.
>>>
>>> IE8 (64 bit) on windows 7 failed to connect to the
>>> apache-flex-sdk-installer-config.xml URL, getting
>>>
>>> "There is a problem with this website's security certificate.." error. i
>>> went into tools==>advanced==>security & turned on TLS 1.1 & TLS 1.2. IE8
>>> could connect ok after that.
>>>
>>> next tried the installer again & holy crap worked ok first time.
>>>
>>> this is disturbing at a couple of levels.
>>>
>>> - i suppose IE is as good a choice as any to pick up internet options for
>>> consumer apps but for devs its kind of out in left field. is this documented
>>> anyplace? if not, somebody should probably spread the word.
>>>
>>> - the folks who accounted for the 93% windows successful installs need to
>>> turn in their nerd cards for having a working IE browser ;-)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Ix Multimedia Software
>>
>> Jan Luykenstraat 27
>> 3521 VB Utrecht
>>
>> T. 06-51952295
>> I. www.ixsoftware.nl
>
>