bLight
Registered User
Registered User
Posts: 39
Joined: Wed Jan 11, 2017 2:42 pm

API broken since HTTPS implementation

Mon Dec 10, 2018 2:48 pm

There are three issues I identified:

1. When trying to connect using "HTTPS" url and WinAPI (InternetOpenUrl), I get an "ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED" error. I think something is misconfigured server-side, why does the client need a certificate?

2. If I try to use http, the web server redirect to https and corrupts (duplicates) the parameter list, possibly breaking backward compatibility with some apps using the API, you can test this in a browser.

3. Why are you forcing HTTP to redirect to HTTPS on the API? If the user doesn't care about encryption/privacy and cares more about speed, HTTP should be the way to go as HTTP queries are a lot faster than HTTPS.

For TheMovieDB plugin I implemented, I made it a user choice whether to use HTTP or HTTPS.

User avatar
zag
Site Admin
Site Admin
Posts: 1203
Joined: Wed Jun 06, 2012 9:19 am
Country: United Kingdom

Re: API broken since HTTPS implementation

Tue Dec 11, 2018 3:31 pm

Hmm I thought this was all fixed with the upgrade to TLS 1.3 with a dedicated certificate, i see you posted on the other thread where there were issues.

I must admit I have not tested in firefox but it does work OK in Chrome, Safari and Edge for my limited testing. I will give it a go.

The site won't be returning to HTTP links as the full link is stored in the database so we need to standardise and be modern/secure.

bLight
Registered User
Registered User
Posts: 39
Joined: Wed Jan 11, 2017 2:42 pm

Re: API broken since HTTPS implementation

Tue Dec 11, 2018 11:01 pm

My problem is not so much firefox as that standard Windows API functions for downloading a URL (e.g. InternetOpenUrl) are failing... (with ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED).

I actually managed to get around this issue (see below), but I believe the work-around is actually causing extra server load on TheAudioDB and I believe that every other client is doing something similar so you may want to look into it.

Here's the documentation page for that error:
https://docs.microsoft.com/en-us/window ... eterrordlg

But basically, here's the important bit (from the article):
The server is requesting a client certificate.

The return value for this error is always ERROR_SUCCESS, regardless of whether or not the user has selected a certificate. If the user has not selected a certificate then anonymous client authentication will be attempted on the subsequent request.

Return to “Developers”