I am looking to add a client-version-check on a opensource client. I am new to coding but am researching as I work on "real projects" so this is more about the most efficient way of doing what I am trying to do. I am unable to find someone with a similar question, or I am just missing the keywords necessary to search for them.
What I want is; the client is assigned version number: 12, it checks with a server if 12 matches with a server value(can be as simple as sending the message 12 to any client that connects to the server). If it does it just opens up a message box client side stating that it is the correct version, a not correct version box if it doesn't match, and a cannot check message if it could not connect to the server.
If anyone can point me in the right direction of commands and other things I should look at that would be much appreciated. I apologize if my formatting is incorrect and if this question has been answered before.
When any client connects to the server
The clients writes write( int__fd, const void*__buf, size_t__nbytes) (used for sending data to server)
the server reads read( int__fd, const void*__buf, size_t__nbytes)
Server already has a set of values. Compare the send value with the list. If YES write to server version ok
If you dont know how to create socket, listen, bind ... etc would gladly help
The expected result is "correct version", and you should not bother the user with all things that are correct. That's the expectation anyway. Also, you already have existing code in the project to exchange messages with the server and show UI messages, so we can't really help you with that.
The algorithm of your version check is correct, though. Do remember to test how the client handles server upgrades (which may require some downtime, if only to disconnect old client versions)
Related
I have code that was tested (and approved) using HTTP requests. Release was scheduled for tomorrow... but the first test of our client against the (third party) release server reveals that it demands HTTPS. At least superficially, the one (and only?) part of our code that will need to change is:
HTTPClientSession session( myUri.GetHost(), myUri.GetPort() );
And the change required seems to be:
HTTPSClientSession session( myUri.GetHost(), myUri.GetPort(), context );
What is a simple, direct way to establish that context? My closest guess is to follow the lead of this question, but...
I am blissfully ignorant of the SSL layer that supports HTTPS - do I need to obtain a certificate? This question seems to suggest that client connections like mine generally don't need a certificate (the access to the server requires a login)... but if that's the case... what do you do instead? Am I even right to use an HTTPSClientSession?
First, you'll need to add a layer of SSL functionality to Poco by installing OpenSSL. Build OpenSSL and the corresponding Poco modules (taking care to produce the correct 32- or 64-bit versions for your deployment). On Windows, this will add libssl.dll, libcrypto.dll, PocoNetSSL.dll and PocoCrypto.dll to the DLLs you are already using.
When it comes to the code, this question has two answers that both give informative examples of how to use HTTPSClientSession. The first answer adds only a single line of code to what you already have, but it uses VERIFY_NONE, and so bypasses certificate verification. The second answer uses VERIFY_STRICT and goes to the other extreme. Whether you choose either, or something in between, will depend on your application. In my application, HTTPS had essentially no benefit at all, and the first (simpler) answer worked immediately out of the box. The second answer did not immediately work, so I can't comment further on it.
I'm writing a transparent intercepting HTTPS capable proxy using boost::asio + openSSL. I have a default server context where I specify that the server is a TLSv1.2 server, when a client connects, I extract the host from the hello and use SSL_set_SSL_CTX to set the context (which either already exists or I've just created it after spoofing the upstream cert) and initiate the server (downstream) read/write volley as well as the upstream.
This was working before I started storing and sharing contexts. On each new incoming connection, I was creating a new client socket and context, loading ca-bundle as verify file, then creating a new server context, getting the spoofed certificate. It was functioning, but I started developing issues where EC_KEY objects were being double freed and such. I learned from another question of mine that I was going about this the wrong way and began refactoring to recycle and share CTX objects. To be specific, I'm using a single client CTX shared across the board that loads, at program startup, the CA-Bundle for verification.
However, since this refactor, I'm getting this on both the client and the server:
decryption failed or bad record mac
..mixed with a bajillion "short read"s. If I try to force everything TLSv1.2, I get
block cipher pad is wrong
Those errors are given to me after a read/write has failed and I call async_shutdown on either upstream or downstream sockets, which in the callback, error is set (so the shutdown failed).
I've scoured the interwebs finding jira posts from places like apache httpd and nginx where this error was fixed in different ways (resizing read buffers to be larger, openSSL patches, forcing SSLv3, so on and so forth).
I thought there might be an issue with multithreading (my io-service uses a thread pool) but I can see in the code that boost do_init sets locking mechanics for openSSL and all of my IO are wrapped into a single strand.
I'm at a total loss and am wondering if anyone can shed light on what might be happening. I realize I've posted no code, that's because I've got hundreds and hundreds of lines of it and don't want to turn people off with a huge code dump. I realize however this is a rather complicated program and thus a complicated issue so please ask and I'll provide whatever I can.
Edit
I guess I should mention for completeness that I'm getting these errors on both openssl 1.0.2 and 1.0.2a, Win 8.1 x64 and I'm intercepting and routing the http/https traffic through my proxy with with WinDivert.
Edit 2
Reduced entire program to 1 thread, same effect. Created new client CTX for each client connection, same issue. Tried disabling AES-NI, issue persists. Tried different computer, same effect. Recompiled openssl from source (was using precompiled binaries), issue persists. Tried setting additional OP_ workaround flags described in current docs related to downgrade detection, padding bugs, so on and so forth, issue persist. I think I'll just start randomly mashing the keyboard and compile button soon.
I was going to just delete this question, but I decided to answer it in light of the fact that nowhere on the net (that I could find) actually pointed to a correct solution to this problem. I've read every single report about this error that one could find and every single one of those reports, the people "solved" or "reduced" this error in a different way. Every single one of them, a different solution. This is what helped make this issue so difficult to reason out, because everyone everywhere has a different underlying causal explanation.
It's complicated, ready? This error will present itself if you cancel/abort a pending async SSL operation. Mind->boom(). It'll be even more confusing if you do what the docs say and use async_shutdown to do so, because even the call back to async_shutdown will fail (error code is set) and your error message will randomly be something stupid like "decryption failed or bad record mac" or "block cipher pad is wrong" or "SSLv3 alert!" so on and so forth. When seeing errors like this, ignore the errors and analyze the control flow of your IO ops, somewhere you're either prematurely ending them or getting them out of order.
In my case, the premature end was (sort of) intentional, since during this stupid heavy refactor I decided to change things outside the scope of the problem, like my HTTPHeader parser, which I bugged out and ended up cause it to fail nearly 100% and thus aborting the connections. :) The error strings were masking the real cause by telling me encryption failed for some reason or another. Dumb mistake I know, but I take comfort in being the first one (apparently) to recognize it. :)
Open a powershell and type this
(Invoke-WebRequest -Uri status.dev.azure.com).StatusDescription
https://devblogs.microsoft.com/devops/deprecating-weak-cryptographic-standards-tls-1-0-and-1-1-in-azure-devops-services/
Well, three questions in less then 24 hours.But I suppose the lack of any helpful documentation (that i can find anyway) gives me no choice.
now i know all about the security stuff adobes got going, the policy file deal and sandbox limitations that have to be juggled around. ive done the suggested options changes, allowing network access in my AS3 project. I got my server ready to spit the policy file out instantly upon connection; but the problem is flash/AS3 whatever you wanna call it simply doesn't see my server (or the other way around)
AS3 delays for a few seconds, like the documentation say it will if its struggling to make a connection/find the policy file, but it never makes a connection period, tries for a while and then gives up and spits me a access error (because it didn't find the policy file it assumes its not allowed on the network so it get mad at me for trying... lil stubborn buggers)
Flash never gets what its looking for, and my server never detects any connections (failed or succeeded, nothing) I know my server is good because i've tested it with a test client i wrote in C++ and they talk just like best friends.
So I'm pretty much and a loss for ideas now, I thought about re-creating the winsock classes in AS3, but i don't even know how the connect() function fro winsock actually works; i got the declaration, no definition for it that i can find.
I am not sure what you would really need from my source code, but there's over a thousand lines in the client alone already so posting it all isn't really an option. ill give here what i think is relevant at least.
function hwndEnterFrame(e:Event):void
{
//trace("Frame Entered");
if (firstframe)
{
trace("try to reconcile policy file...");
//Security.loadPolicyFile("192.168.1.2:843");
TSocket = new Socket("192.168.1.2",843);//must call flush() to send data***
firstframe = false;
}
The Security.loadpolicyfile doesnt seem to do anything as far ive noticed, i get the same msgs with or without it, the code seems to be looking for the policy file at the location specified in the socket declaration. Everything compiles fine, it just ain't doing what i want it do :P everyone else seems to be writing their servers in Perl or Python i haven't found much of an abundance of C++ material, although from what i understand TCP is a universal connection across any platform that supports it (can cross-language without any funny-business)
meh, that what i got for now, if you want other parts of the code (client or sever side, whatever you want) ill stick it up here quick-like.
EDIT:
I found a swf online that i downloaded, it connected fine to the example server that came with it (but that server was written in c sparp so its not much use to me) but it wont connect to my server. So a known good flash client WONT connect to my C++ server, but a C++ client WILL connect to my C++ server. So its clearly somthing on the server side, becuase it dosnt hear any connection whatsoever from the flash apps (mine or the expamle one)
Cheers;
-Tyler
I finally figured it out. I needed to AllowDomian(IPofserver). I thought I had already tried that but apparently not.
I'm developing an app for Symbian device that need to silent filter incoming SMS, and the following link is the code that does that:
http://symbian.devtricks.mobi/tricks/silent_receiving_of_sms_messages/
another similar code on Nokia
http://wiki.forum.nokia.com/index.php/SMS_Utilities_API
It work, but the problem is after I reboot my phone those SMS has been intercept will still add to inbox. I know on the site they did mention to use KIoctlReadMessageSucceeded to prevent that, which I did; but the problem still there. Tried both code but still same result. Is there anything I'm missing?
Another problem with that code is that it will no longer work after a call came in, sms won't be intercept anymore after that. Is that a way to fix that?
Thanks, help would be greatly appreciated.
We regards to not intercepting SMS after a reboot, are you re-starting your executable (and hence the listener) after a reboot?
You can do so with the Nokia startup list management API.
With regards to failing after a call has come in, this sounds like your executable may be panicing (and thus stopping listening). Have you checked to see if it is panicing and whether it is still running after a call has come in?
I've done this kind of application before, and never had any problem with incoming calls.
Trying to honor a feature request from our customers, I'd like that my application, when Internet is available, check on our website if a new version is available.
The problem is that I have no idea about what have to be done on the server side.
I can imagine that my application (developped in C++ using Qt) has to send a request (HTTP ?) to the server, but what is going to respond to this request ? In order to go through firewalls, I guess I'll have to use port 80 ? Is this correct ?
Or, for such a feature, do I have to ask our network admin to open a specific port number through which I'll communicate ?
#pilif : thanks for your detailed answer. There is still something which is unclear for me :
like
http://www.example.com/update?version=1.2.4
Then you can return what ever you want, probably also the download-URL of the installer of the new version.
How do I return something ? Will it be a php or asp page (I know nothing about PHP nor ASP, I have to confess) ? How can I decode the ?version=1.2.4 part in order to return something accordingly ?
I would absolutely recommend to just do a plain HTTP request to your website. Everything else is bound to fail.
I'd make a HTTP GET request to a certain page on your site containing the version of the local application.
like
http://www.example.com/update?version=1.2.4
Then you can return what ever you want, probably also the download-URL of the installer of the new version.
Why not just put a static file with the latest version to the server and let the client decide? Because you may want (or need) to have control over the process. Maybe 1.2 won't be compatible with the server in the future, so you want the server to force the update to 1.3, but the update from 1.2.4 to 1.2.6 could be uncritical, so you might want to present the client with an optional update.
Or you want to have a breakdown over the installed base.
Or whatever. Usually, I've learned it's best to keep as much intelligence on the server, because the server is what you have ultimate control over.
Speaking here with a bit of experience in the field, here's a small preview of what can (and will - trust me) go wrong:
Your Application will be prevented from making HTTP-Requests by the various Personal Firewall applications out there.
A considerable percentage of users won't have the needed permissions to actually get the update process going.
Even if your users have allowed the old version past their personal firewall, said tool will complain because the .EXE has changed and will recommend the user not to allow the new exe to connect (users usually comply with the wishes of their security tool here).
In managed environments, you'll be shot and hanged (not necessarily in that order) for loading executable content from the web and then actually executing it.
So to keep the damage as low as possible,
fail silently when you can't connect to the update server
before updating, make sure that you have write-permission to the install directory and warn the user if you do not, or just don't update at all.
Provide a way for administrators to turn the auto-update off.
It's no fun to do what you are about to do - especially when you deal with non technically inclined users as I had to numerous times.
Pilif answer was good, and I have lots of experience with this too, but I'd like to add something more:
Remember that if you start yourapp.exe, then the "updater" will try to overwrite yourapp.exe with the newest version. Depending upon your operating system and programming environment (you've mentioned C++/QT, I have no experience with those), you will not be able to overwrite yourapp.exe because it will be in use.
What I have done is create a launcher. I have a MyAppLauncher.exe that uses a config file (xml, very simple) to launch the "real exe". Should a new version exist, the Launcher can update the "real exe" because it's not in use, and then relaunch the new version.
Just keep that in mind and you'll be safe.
Martin,
you are absolutely right of course. But I would deliver the launcher with the installer. Or just download the installer, launch it and quit myself as soon as possible. The reason is bugs in the launcher. You would never, ever, want to be dependent on a component you cannot update (or forget to include in the initial drop).
So the payload I distribute with the updating process of my application is just the standard installer, but devoid of any significant UI. Once the client has checked that the installer has a chance of running successfully and once it has downloaded the updater, it runs that and quits itself.
The updater than runs, installs its payload into the original installation directory and restarts the (hopefully updated) application.
Still: The process is hairy and you better think twice before implementing an Auto Update functionality on the Windows Platform when your application has a wide focus of usage.
in php, the thing is easy:
<?php
if (version_compare($_GET['version'], "1.4.0") < 0){
echo "http://www.example.com/update.exe";
}else{
echo "no update";
}
?>
if course you could extend this so the currently available version isn't hard-coded inside the script, but this is just about illustrating the point.
In your application you would have this pseudo code:
result = makeHTTPRequest("http://www.example.com/update?version=" + getExeVersion());
if result != "no update" then
updater = downloadUpdater(result);
ShellExecute(updater);
ExitApplication;
end;
Feel free to extend the "protocol" by specifying something the PHP script could return to tell the client whether it's an important, mandatory update or not.
Or you can add some text to display to the user - maybe containing some information about what's changed.
Your possibilities are quite limitless.
My Qt app just uses QHttp to read tiny XML file off my website that contains the latest version number. If this is greater than the current version number it gives the option to go to the download page. Very simple. Works fine.
I would agree with #Martin and #Pilif's answer, but add;
Consider allowing your end-users to decide if they want to actually install the update there and then, or delay the installation of the update until they've finished using the program.
I don't know the purpose/function of your app but many applications are launched when the user needs to do something specific there and then - nothing more annoying than launching an app and then being told it's found a new version, and you having to wait for it to download, shut down the app and relaunch itself. If your program has other resources that might be updated (reference files, databases etc) the problem gets worse.
We had an EPOS system running in about 400 shops, and initially we thought it would be great to have the program spot updates and download them (using a file containing a version number very similar to the suggestions you have above)... great idea. Until all of the shops started up their systems at around the same time (8:45-8:50am), and our server was hit serving a 20+Mb download to 400 remote servers, which would then update the local software and cause a restart. Chaos - with nobody able to trade for about 10 minutes.
Needless to say that this caused us to subsequently turn off the 'check for updates' feature and redesign it to allow the shops to 'delay' the update until later in the day. :-)
EDIT: And if anyone from ADOBE is reading - for god's sake why does the damn acrobat reader insist on trying to download updates and crap when I just want to fire-it-up to read a document? Isn't it slow enough at starting, and bloated enough, as it is, without wasting a further 20-30 seconds of my life looking for updates every time I want to read a PDF?
DONT THEY USE THEIR OWN SOFTWARE??!!! :-)
On the server you could just have a simple file "latestversion.txt" which contains the version number (and maybe download URL) of the latest version. The client then just needs to read this file using a simple HTTP request (yes, to port 80) to retrieve http://your.web.site/latestversion.txt, which you can then parse to get the version number. This way you don't need any fancy server code --- you just need to add a simple file to your existing website.
if you keep your files in the update directory on example.com, this PHP script should download them for you given the request previously mentioned. (your update would be yourprogram.1.2.4.exe
$version = $_GET['version'];
$filename = "yourprogram" . $version . ".exe";
$filesize = filesize($filename);
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: post-check=0, pre-check=0");
header("Content-type: application-download");
header('Content-Length: ' . $filesize);
header('Content-Disposition: attachment; filename="' . basename($filename).'"');
header("Content-Transfer-Encoding: binary");
This makes your web browser think it's downloading an application.
The simplest way to make this happen is to fire an HTTP request using a library like libcurl and make it download an ini or xml file which contains the online version and where a new version would be available online.
After parsing the xml file you can determine if a new version is needed and download the new version with libcurl and install it.
Just put an (XML) file on your server with the version number of the latest version, and a URL to the download the new version from. Your application can then request the XML file, look if the version differs from its own, and take action accordingly.
I think that simple XML file on the server would be sufficient for version checking only purposes.
You would need then only an ftp account on your server and build system that is able to send a file via ftp after it has built a new version. That build system could even put installation files/zip on your website directly!
If you want to keep it really basic, simply upload a version.txt to a webserver, that contains an integer version number. Download that check against the latest version.txt you downloaded and then just download the msi or setup package and run it.
More advanced versions would be to use rss, xml or similar. It would be best to use a third-party library to parse the rss and you could include information that is displayed to your user about changes if you wish to do so.
Basically you just need simple download functionality.
Both these solutions will only require you to access port 80 outgoing from the client side. This should normally not require any changes to firewalls or networking (on the client side) and you simply need to have a internet facing web server (web hosting, colocation or your own server - all would work here).
There are a couple of commercial auto-update solutions available. I'll leave the recommendations for those to others answerers, because I only have experience on the .net side with Click-Once and Updater Application Block (the latter is not continued any more).