nsIChannel for internal domains
Hi all,

My requirement is to fetch a website's SSL server certificate. For this I need the nsIChannel, so that I can use the securityInfo option.

I need to fetch nsIChannel for a website's internal domains too. For example, I have a website A and within that you may have requests to another website B (may be an image server).

In this case, will you be able to get the nsIChannel for both the domains A and B?

I did the following using a JS XPCOM component:
1. registered an observer for "http-on-modify-request"
2. queried nsIChannel and nsIHttpChannel
3. in the onModifyRequest listener, I used notificationCallbacks and created an instance of nsIDocShell through nsIInterfaceRequestor
4. used getDocShellEnumerator to get the docShell of all the children
5. used securityUI from the docShell to fetch the certificate

I tried by simply using the nsIChannel alone instead of going through all the above mentioned stuff. But I'm able to get the server certificate of the master domain only (domain present in the navigation bar of the browser).

i.e. in my case, the server certificate of website A is available but not that of B.

I think I'm going wrong in fetching the proper nsIChannel. How can this be done, or are there some other possibilities to fetch the SSL server certificate of an internal domain?

Thanks in advance,
Arun

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: nsIChannel for internal domains
Thanks Peter,

But how is the registration for nsIRequestObserver done? I tried out many options, but in no way I'm able to query the nsISSLStatus interface through nsIRequestObserver.

regards,
Arun

On Jun 25, 6:07 pm, Peter Djalaliev wrote:
> Hi,
>
> The images are also fetched through HTTP GET requests, right?
> "http-on-modify-request" is domain-independent, i.e. it will notify you of
> every outgoing HTTP request, both to websites A and B. For example,
> assuming that A is the main web server and B is the image server, you
> should see one or more HTTP request events to A and one or more HTTP
> request events to B. If both use SSL, you should be able to get both
> of their server certificates.
>
> I haven't checked this well, but is it possible that the SSL
> connection is not always established when the "http-on-modify-request"
> fires? It looks like Firefox 3 notifies "http-on-modify-request"
> listeners during:
> 1) HttpChannel->AsyncOpen(): http://mxr.mozilla.org/firefox/source/netwerk/protocol/http/src/nsHtt...
> 2) HttpChannel->DoAuthRetry(): http://mxr.mozilla.org/firefox/source/netwerk/protocol/http/src/nsHtt...
>
> So, checking certificates when "http-on-modify-request" fires may or
> may not work, I'm not sure.
>
> Another way of doing what you want, which sounds like it should work,
> is to register an nsIRequestObserver listener and, in the
> OnStartRequest() callback, use the nsISSLStatus interface to access
> the certificate.
>
> I hope this helps.
>
> Best Regards,
> Peter Djalaliev
Re: nsIChannel for internal domains
Thanks a lot Peter,

This works fine.

But as you mentioned, this is not possible with the older series browsers. So I just tried to fetch the certificate when "http-on-examine-response" is fired.

I could fetch the certificates of all the internal domains. So can this be used as such, or do I still need to use the nsITraceableChannel due to some other controversies?

Will there be any problems in querying the nsISSLStatus interface within "http-on-examine-response"?

regards
Arun

On Jun 26, 8:08 pm, Peter Djalaliev wrote:
> Arun,
>
> One way is to register a nsIStreamListener using the
> nsITraceableChannel interface of the HTTP channel. Your
> nsIStreamListener will need to implement onStartRequest(),
> onStopRequest() and onDataAvailable(). In your case, however, the
> last two will just be almost empty methods. In onStartRequest(), you
> can get the nsISSLStatus from the HTTP channel.
>
> You can register your nsIStreamListener using the
> "http-on-examine-response". When the event fires, you get the
> nsITraceableChannel interface from the HTTP channel and replace the
> original stream listener with your own. Be sure to keep a pointer to
> the original stream listeners. Each of your methods above must call in
> the end the corresponding method from the original listener. Otherwise
> whatever initiated the request (e.g. the docshell) will be out-of-sync
> with the networking library.
>
> Ideally, you shouldn't do anything in onDataAvailable() but call the
> original stream listener. Otherwise, performance may degrade
> noticeably.
>
> You can find more info and sample code here:
> http://www.softwareishard.com/blog/firebug/nsitraceablechannel-interc...
>
> Note that nsITraceableChannel was introduced in Firefox 3.0.3. For
> earlier versions, I don't know if there is a way to get the
> nsISSLStatus. From what I can see in the Firefox source code, only
> the module that initiated the HTTPS request can get this information.
>
> I hope this helps.
>
> Best Regards,
> Peter Djalaliev
Re: nsIChannel for internal domains
Peter,

Using http-on-examine-response is working fine in all the versions of Firefox starting from 1.5.0.4; I haven't tested it below that.

And thanks a lot for your comments.

regards,
Arun

On Jun 30, 1:12 am, Peter Djalaliev wrote:
> Hi Arun,
>
> You are right, this should work. The http-on-examine-response fires
> when Firefox receives an HTTP response:
>
> http://mxr.mozilla.org/firefox/source/netwerk/protocol/http/src/nsHtt...
>
> The first response arrives after the TLS connection has been
> established, so the channel should always have the server certificate
> at this point.
>
> I couldn't find information about when http-on-examine-response was
> introduced, but it was definitely earlier than nsITraceableChannel.
>
> Peter
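
The approach the thread settles on, reading the certificate when "http-on-examine-response" fires, sketched as an added example that is not code from either poster. It uses the legacy XPCOM interfaces named above plus nsISSLStatusProvider and nsIObserverService; `makeCertObserver`, `collectCerts`, the stub objects and the host names are hypothetical, constructed so the logic runs outside Firefox.

```javascript
// Observer for "http-on-examine-response": reports the server certificate of
// every HTTPS response, subresource hosts (site B) as well as the page (site A).
// `Ci` is Components.interfaces in a legacy XPCOM extension; it is injected so
// the same logic can be exercised with the constructed stubs below.
function makeCertObserver(Ci, onCert) {
  return {
    observe: function (subject, topic, data) {
      if (topic !== "http-on-examine-response") return;
      var channel = subject.QueryInterface(Ci.nsIHttpChannel);
      var info = channel.securityInfo;   // null on plain HTTP channels
      if (!info) return;
      var status = info.QueryInterface(Ci.nsISSLStatusProvider).SSLStatus;
      if (!status) return;
      var cert = status.QueryInterface(Ci.nsISSLStatus).serverCert;
      onCert(channel.URI.host, cert);
    }
  };
}

// Registration inside the extension (legacy Firefox only):
//   Components.classes["@mozilla.org/observer-service;1"]
//     .getService(Components.interfaces.nsIObserverService)
//     .addObserver(makeCertObserver(Components.interfaces, handler),
//                  "http-on-examine-response", false);

// Constructed stubs standing in for XPCOM objects; hosts and names are made up.
var StubCi = { nsIHttpChannel: "h", nsISSLStatusProvider: "p", nsISSLStatus: "s" };
function qi(obj) { obj.QueryInterface = function () { return obj; }; return obj; }
function stubChannel(host, commonName) {
  var info = commonName === null ? null
    : qi({ SSLStatus: qi({ serverCert: { commonName: commonName } }) });
  return qi({ URI: { host: host }, securityInfo: info });
}

// Feeds channels through the observer and returns { host: certificate CN }.
function collectCerts(channels) {
  var seen = {};
  var obs = makeCertObserver(StubCi, function (host, cert) {
    seen[host] = cert.commonName;
  });
  channels.forEach(function (ch) {
    obs.observe(ch, "http-on-examine-response", null);
  });
  return seen;
}

console.log(collectCerts([stubChannel("a.example", "a.example"),
                          stubChannel("img.b.example", "*.b.example"),
                          stubChannel("plain.example", null)]));
```

The observer only reads from the channel, so unlike the nsITraceableChannel route it does not replace the stream listener.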