
EPP and SSL certificate

Discussion in 'Nominet Tag Holders' started by redbird, Jan 28, 2008.

Thread Status:
Not open for further replies.
  1. redbird United Kingdom

    redbird Well-Known Member

    Joined:
    Sep 2005
    Posts:
    1,180
    Likes Received:
    27
    According to Nominet for EPP I need the following

    "...In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available from www.verisign.com..."

    I've never had the need for an SSL certificate before so it's all a bit of a mystery to me and the price range between the different certificates is enormous.

    Can anyone tell me if the GoDaddy Standard SSL (Verifies domain control & secures your site). Single - Just $24.99/yr is sufficient before I part with my hard earned cash?

    Thanks


    Dave
     
  3. bb99 United Kingdom

    bb99 Well-Known Member

    Joined:
    Mar 2005
    Posts:
    1,614
    Likes Received:
    38
    I think there was something on the Nominet EPP mailing list about this a while back Dave... I can't remember the specifics (and I've long since deleted it) but I came away under the impression that you do not need to buy an SSL cert in order to use EPP. Even though the Nominet documentation gives you the impression that you do, you don't.

    I may have mis-remembered that though!
     
  4. monaghan United Kingdom

    monaghan Well-Known Member

    Joined:
    May 2007
    Posts:
    2,126
    Likes Received:
    78
    The root certificate should be in most browsers, however if your code is not using a browser component for SSL handling, then you may have to create a copy of the root certificate in order to use this within your SSL library.
     
  5. Jeewhizz

    Jeewhizz Well-Known Member

    Joined:
    May 2006
    Posts:
    1,174
    Likes Received:
    18
    Is the right answer :)

    If you are connecting via Curl on a normal linux system, this will already have it :)
     
  6. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,414
    Likes Received:
    55
    I didn't know it was the same one the browsers used, but makes sense. Verisign have 2 G3 root certificates, as the browsers do, so I've assumed it's the latest version.

    Would be useful for Nominet to clarify what and how these are used. It took me ages trawling through Verisign's site to even find these. Instead the Nominet page has a basic redirect to the main Verisign page and no additional information.

    No, they cost nothing, which is why they're probably hidden!

    AFAIK they're an option, not a requirement, for connecting over SSL to the EPP. Just a way of confirming the EPP's signature. Though in the EPP mapping and documentation I can't see how/where they're used.

    Stephen
     
  7. Jeewhizz

    Jeewhizz Well-Known Member

    Joined:
    May 2006
    Posts:
    1,174
    Likes Received:
    18
    You sound surprised Stephen! ;)
     
  8. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,414
    Likes Received:
    55
  9. redbird United Kingdom

    redbird Well-Known Member

    Joined:
    Sep 2005
    Posts:
    1,180
    Likes Received:
    27
    Thanks guys for the posts.

    I was only expecting an answer in $'s so really glad I asked the question before spending money. Haven't had chance to try connecting via SSL to EPP server yet to see what response I get as my router decided to reboot and so I need to register new IP at Nominet which only updates overnight.


    Dave
     
  10. redbird United Kingdom

    redbird Well-Known Member

    Joined:
    Sep 2005
    Posts:
    1,180
    Likes Received:
    27

    I see Nominet have changed their wording :)

    ".....In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers)....."
     
  11. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,414
    Likes Received:
    55
    You can also get it from the ca-bundle.crt file when you download curl.

    Speaking of which, anybody got EPP to work with curl? Other EPP registrars work, damned if I can get this one to. Hate the way it dumps the greeting at you.

    Does anyone else get this in the greeting as well?

    S
     
  12. Jay Daley New Zealand

    Jay Daley Active Member

    Joined:
    Jan 2005
    Posts:
    349
    Likes Received:
    12
    We don't explain them because they are a standard function of SSL.

    Yes you do need to use SSL to connect to our EPP server and yes you need the root cert in order to use SSL.
     
  13. macooper

    macooper New Member

    Joined:
    Apr 2005
    Posts:
    1
    Likes Received:
    0
    That's incorrect. You do need to use SSL to connect, but as stated in the EPP documentation, you only need the root cert if you want to verify the certificate presented by the EPP server. If you're happy enough to run without verifying the certificate, you can connect and login to the live system without any problems.

    The easiest way to communicate with the EPP server is to use php with the openssl extension (not curl, it's a nightmare to use). Just use the code

    PHP:
    $epp = @fsockopen('ssl://epp.nominet.org.uk', 700, $errno, $errstr, 100);
    to establish the connection, then read the welcome XML and start sending your XML commands (login etc.).
     
  14. DaveH United Kingdom

    DaveH Active Member

    Joined:
    Apr 2008
    Posts:
    586
    Likes Received:
    7
    Took me ages to work this out, seems the first 4 bytes are some kind of header, so in my code I simply ignore the first 4 bytes. Works a treat.
     
  15. tifosi United Kingdom

    tifosi Well-Known Member

    Joined:
    Oct 2004
    Posts:
    3,414
    Likes Received:
    55
    There's a point to the first 4 chars (32-bit header), which is that they contain the package length. Translating this makes reading the EPP response more efficient.

    Commands TO the EPP should also contain this 32bit header.

    www.ietf.org/rfc/rfc4934.txt?number=4934
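
As an added example (not code from this thread or from Nominet), the PHP below reads and writes the length-prefixed data units described in the post above and opens the connection with certificate verification switched on. Per RFC 4934 the 32-bit length is in network byte order and counts the 4 header bytes themselves; the CA bundle path, the 1 MiB cap, the function names and the sample `<hello/>` command are assumptions.

```php
<?php
// Added example, not code from the thread. RFC 4934 framing: a 4-byte
// big-endian total length, which counts the header itself, then the EPP XML.
const EPP_HDR = 4;
const EPP_MAX = 1048576; // assumed sanity cap (1 MiB), not a Nominet limit
// TLS connection that verifies the server's chain and host name.
// $caFile is an assumed path to a CA bundle that holds the issuing root.
function epp_connect(string $host, int $port, string $caFile) {
    $ctx = stream_context_create(['ssl' => [
        'verify_peer' => true, 'verify_peer_name' => true, 'cafile' => $caFile,
    ]]);
    $s = stream_socket_client("ssl://$host:$port", $errno, $errstr, 30,
                              STREAM_CLIENT_CONNECT, $ctx);
    if ($s === false) throw new RuntimeException("connect failed: $errstr");
    return $s;
}

// fread() may return fewer bytes than requested, so loop until $len arrive.
function read_exact($s, int $len): string {
    $buf = '';
    while (strlen($buf) < $len) {
        $chunk = fread($s, $len - strlen($buf));
        if ($chunk === false || $chunk === '') throw new RuntimeException('short read');
        $buf .= $chunk;
    }
    return $buf;
}

// Read one data unit (greeting or response); reject implausible lengths.
function epp_read_frame($s): string {
    $total = unpack('N', read_exact($s, EPP_HDR))[1];
    if ($total < EPP_HDR || $total > EPP_MAX) throw new RuntimeException("bad length $total");
    return read_exact($s, $total - EPP_HDR);
}

// Send one command; the header value is the XML length plus the 4 header bytes.
function epp_write_frame($s, string $xml): void {
    $frame = pack('N', strlen($xml) + EPP_HDR) . $xml;
    for ($off = 0; $off < strlen($frame); $off += $n) {
        $n = fwrite($s, substr($frame, $off));
        if ($n === false || $n === 0) throw new RuntimeException('write failed');
    }
}

// Offline round trip over an in-memory stream; the command is a constructed sample.
$mem = fopen('php://memory', 'w+');
epp_write_frame($mem, '<epp><hello/></epp>');
rewind($mem);
var_dump(epp_read_frame($mem));
```

Against a live server the same two frame functions take the socket returned by `epp_connect()` in place of the in-memory stream.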
     
  16. DaveH United Kingdom

    DaveH Active Member

    Joined:
    Apr 2008
    Posts:
    586
    Likes Received:
    7
    Ah ok, I wasn't sure if Nominet EPP system was actually rfc4934. I seem to remember reading somewhere that it wasn't.

    Thanks for the specification, I'll have to ensure my commands also provide the header (which they currently don't) :)
     