How does Net.HttpRequest handle SSL Server Check for Hosted Sites

Caché

We are trying to connect an RSS feed to a HealthShare PHR app; the RSS feed is located here (link). Upon doing so I get a certificate server mismatch error, so I tried testing this out in the terminal as follows to see why this would be happening:

set net = ##class(%Net.HttpRequest).%New()
set net.SSLConfiguration = "TestWithTLS"
set net.SSLCheckServerIdentity=1
set net.Server = "www.hixny.org"
set net.Port = "443"
set net.Https = 1
set st = net.Get("/about/news?format=feed&type=rss")

 

The Error returned is: 

zw st

st="0 "_$lb($lb(6156,"www.hixny.org","woodlandhill.org,www.woodlandhill.org",,,,,,,$lb(,"HSPORTALTEST",$lb("e^zCheckSSLCN+48^%Net.HttpRequest.1^1","e^zSend+188^%Net.HttpRequest.1^1","e^zGet+1^%Net.HttpRequest.1^1","e^^^0"))))/* ERROR #6156: No match between server name 'www.hixny.org' and SSL certificate values 'woodlandhill.org,www.woodlandhill.org'. */

 

I think the issue is related to redirects and at what point the HttpRequest actually initiates the SSL handshake. Reading some of the comments in the Net.HttpRequest.Send method, it looks like it's opening the TCP/IP socket and sending some bytes down the socket before checking the SSL cert. This doesn't seem to be an issue in a browser (Chrome) or a C# fiddle, so I was hoping someone could help me out here and shed some light on this or let me know if they've had similar issues accessing hosted sites via HTTPS.

 

FWIW, www.woodlandhill.org and www.hixny.org resolve to the same IP address: 162.209.58.85, which I think is owned by www.solasus.com as www.solasus.com also resolves to that same IP; however, navigating to each of the sites in a browser seems to work fine and each site's SSL certificate is retrieved. Although if you do navigate to the IP directly, https://162.209.58.85, you get the woodlandhill.org cert.

 

The Caché version is 2017.1.1

 

Thanks,

Cody

 


Answers

The easiest solution would be

set net.SSLCheckServerIdentity=0

that disables server cert checking. Not very secure obviously.

Hi Eduard: 

Yes, this would work, but we won't be able to make this change because the standard HealthShare PHR application doesn't allow for this setting to be changed via the workbench.
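
The server-name check behind ERROR #6156 and the shared-IP observation in the question, as an added Python example that is not part of the original thread and not InterSystems code: it compares a requested name with a certificate's names and classifies whether a mismatch disappears when the client sends the server name (SNI) in the TLS handshake. The certificate dicts are constructed samples, the www.hixny.org certificate names are assumed, and the page does not state whether Caché 2017.1.1 sends SNI.

```python
import socket
import ssl

def cert_dns_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert():
    subjectAltName entries if present, otherwise the subject commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(server, pattern):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    s = server.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(s) != len(p):
        return False
    if p[0] == "*":
        return len(p) > 2 and s[1:] == p[1:]
    return s == p

def identity_ok(server, cert):
    return any(name_matches(server, n) for n in cert_dns_names(cert))

def fetch_cert(host, sni, port=443):
    """Live helper (not run on import): the certificate presented when the
    ClientHello carries `sni`, or carries no server name when sni is None."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by identity_ok instead
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def diagnose(server, cert_no_sni, cert_with_sni):
    if identity_ok(server, cert_no_sni):
        return "ok"
    return "sni-dependent" if identity_ok(server, cert_with_sni) else "mismatch"

# Constructed sample data: the first mirrors the names in ERROR #6156; the
# second is an assumed certificate for the requested site.
DEFAULT_CERT = {"subject": ((("commonName", "woodlandhill.org"),),),
                "subjectAltName": (("DNS", "woodlandhill.org"), ("DNS", "www.woodlandhill.org"))}
HIXNY_CERT = {"subject": ((("commonName", "www.hixny.org"),),),
              "subjectAltName": (("DNS", "hixny.org"), ("DNS", "www.hixny.org"))}

if __name__ == "__main__":
    print(diagnose("www.hixny.org", DEFAULT_CERT, HIXNY_CERT))
```

For a live comparison, pass `fetch_cert(host, None)` and `fetch_cert(host, host)` to `diagnose`; a result of "sni-dependent" means the server picks its certificate from the name in the handshake.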