TLS_CLIENT_OPEN?

a_riot42

I see in the latest NX firmware there are two new commands, TLS_CLIENT_OPEN and TLS_CLIENT_CLOSE. Neither seem to have any documentation that I can find. So I'm wondering if these can be used to create an encrypted connection to a HTTPS website. Anyone know?
Paul

ericmedley

I think they're still baking that cookie. It's supposed to show up in NS4 sometime soon. I don't see it in my NS version 4.3.1519 which I believe is the most current. It was discussed at Developers Conference in Aug but no release date specified then. But, it is surely coming soon as they need to have the ability to create/manage secure telnet-esque comms to maintain their security credentials. Msut protect those DoD/NSA/Military contracts don't cha know...

vincen

There is a new NSX in the cooker that implement these commands

a_riot42

vincen wrote: »

There is a new NSX in the cooker that implement these commands

Yup. Here's what it says. So we should hopefully be able to connect to HTTPS sites now. I haven't had a chance to test it yet, so I don't know if it will slow things down or still be fairly fast. But I was hoping to be able to connect to Twitter, and other mainstream HTTPS sites.
[h=1]TLS_CLIENT_OPEN[/h] Opens a port for TLS communication with a remote device.
Syntax:
integer TLS_CLIENT_OPEN(LocalPort, hostname, port, mode)
Parameters:

• LocalPort- A user-defined (non-zero) integer value representing the local port on the client machine to use for this conversation. This local port number must be passed to TLS_CLIENT_CLOSE to close the conversation.
• hostname - The host name or IP address of the remote host.
• port - The connecting port on the remote host, usually port 443 for standard HTTPS connections.
• mode - 0: TLS_VALIDATE_CERTIFICATE (perform certificate validation), 1: TLS_IGNORE_CERTIFICATE_ERRORS (connect to the remote site while ignoring certificate errors or mismatches)

Returns:
This function returns 0 is all parameters are accepted, or a positive value indicating the offending parameter if there is an error.
Example:
TLS_CLIENT_OPEN(5000, '192.168.0.1', 443, 0)

MLaletas

Awesome can't wait to test it out on monday

a_riot42

I tried it out yesterday. It requires the latest FW. It works similarly to IP_CLIENT_OPEN and so I connected to the www.amazon.com site and downloaded their home page, all 78KBs of it. Didn't seem to have any issues, and couldn't really tell if there was any extra latency when compared to IP_CLIENT_OPEN. So far so good.
Paul

ericmedley

a_riot42 wrote: »

I tried it out yesterday. It requires the latest FW. It works similarly to IP_CLIENT_OPEN and so I connected to the www.amazon.com site and downloaded their home page, all 78KBs of it. Didn't seem to have any issues, and couldn't really tell if there was any extra latency when compared to IP_CLIENT_OPEN. So far so good.
Paul

I know early on there was an issue with it not being able to handle one particular flavor of SSH. It reared up on with a FW release from Cisco on the SX 80 about 9 months ago. They have since fixed the issue. I'm personally very happy they have it now. Things were going to start to get ugly now that a lot of manufacturers were converting from raw TELNET to SSH. Even Biamp is switching over on the Tesira soon. (or at least having both)

TonyAngelo

Just got off the phone with tech support and apparently with the new firmware ip_client_open works with https. I just tested it and it worked for me.

Also, in the new version of NS, in the Tools menu, is a "Certificate Manager" if you need to use your own certificates.

ericmedley

TonyAngelo wrote: »

Just got off the phone with tech support and apparently with the new firmware ip_client_open works with https. I just tested it and it worked for me.

Also, in the new version of NS, in the Tools menu, is a "Certificate Manager" if you need to use your own certificates.

Not to be all 'gushy' about this. but, this is really good news.