EPP and SSL certificate

[redbird]

According to Nominet for EPP I need the following

"...In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available from www.verisign.com..."

I've never had the need for a SSL certificate before so its all a bit of a mystery to me and the price range between the different certificates is enourmous.

Can anyone tell me if the GoDaddy Standard SSL (Verifies domain control & secures your site). Single - Just $24.99/yr is sufficient before I part with my hard earned cash?

Thanks


Dave

 

[bb99]

I think there was something on the Nominet EPP mailing list about this a while back Dave... I can't remember the specifics (and I've long since deleted it) but I came away under the impression that you do not need to buy an SSL cert in order to use EPP. Even though the Nominet documentation gives you the impression that you do, you don't.

I may have mis-remembered that though!

 

[monaghan]

The root certificate should be in most browsers, however if you code is not using a browser component for SSL handling, then you may have to create a copy of the root certificate in order to use this within your SSL library.

 

[Jeewhizz]

The root certificate should be in most browsers, however if you code is not using a browser component for SSL handling, then you may have to create a copy of the root certificate in order to use this within your SSL library.

Is the right answer

If you are connecting via Curl on a normal linux system, this will already have it

 

[tifosi]

I didn't know it was the same one the browsers used, but makes sense. Verisign have 2 G3 root certificates, as the browsers do, so I've assumed it's the latest version.

Would be useful for Nominet to clarify what and how these are used. It took me ages trawling through verisigns site to even find these. Instead the Nominet page has a basic redirect to the main verisign page and no additional information

No, they cost nothing, which is why they're probably hidden!

AFAIK they're an option, not a requirement, for connecting over SSL to the EPP. Just a way of confirming the EPP's signature. Though in the EPP mapping and documentation I can't see how/where they're used.

Stephen

 

[Jeewhizz]

Though in the EPP mapping and documentation I can't see how/where they're used.

You sound suprised Stephen!

 

[tifosi]

hmmm...

You can either export them from your browser or go here...

https://www.verisign.com/repository/root.html

There's 2 class3 certs, probably safest one is the G3 (1999 - 2036).

S

 

[redbird]

Thanks guys for the posts.

I was only expecting an answer in $'s so really glad I asked the question before spending money. Haven't had chance to try connecting via SSL to EPP server yet to see what response I get as my router decided to reboot and so I need to register new IP at Nominet which only updates overnight.


Dave

 

[redbird]

According to Nominet for EPP I need the following

"...In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available from www.verisign.com..."

I see Nominet have changed their wording

".....In order to verify the identity of the secure server you will need the 'Verisign Class 3 Public Primary Certification Authority' root certificate available free from www.verisign.com (the certificate is also distributed with most web browsers)....."

 

[tifosi]

you can also get it from the ca-bundle.crt file when you download curl.

Speaking of which. Anybody got EPP to work with curl. Other EPP registrars work, damned if I can get this one to. Hate the way it dumps the greeting at you.

Does anyone else get this in the greeting as well?

´<?xml version="1.0" encoding="UTF-8" standalone="no"?>

Notice the first character '

S

 

[Jay Daley]

AFAIK they're an option, not a requirement, for connecting over SSL to the EPP. Just a way of confirming the EPP's signature. Though in the EPP mapping and documentation I can't see how/where they're used.

We don't explain them because they are a standard function of SSL.

Yes you do need to use SSL to connect to our EPP server and yes you need the root cert in order to use SSL.

 

[macooper]

Yes you do need to use SSL to connect to our EPP server and yes you need the root cert in order to use SSL.

Thats incorrect. You do need to use SSL to connect, but as stated in the EPP documentation, you only need the root cert if you want to verify the certificate presented by the EPP server. If your happy enough to run without verifying the certificate, you can connect and login to the live system without any problems.

The easiest way to communicate with the EPP server is to use php with the openssl extension (not curl, it's a nightmare to use). Just use the code

$epp = @fsockopen('ssl://epp.nominet.org.uk', 700, $errno, $errstr, 100)

to establish the connection, then read the welcome XML and start sending your XML commands (login etc.).

 

[DaveH]

you can also get it from the ca-bundle.crt file when you download curl.

Speaking of which. Anybody got EPP to work with curl. Other EPP registrars work, damned if I can get this one to. Hate the way it dumps the greeting at you.

Does anyone else get this in the greeting as well?



S

Took me ages to work this out, seem the first 4 bytes are some kinds of header, so in my code I simply ignore the first 4 bytes. Works a treat.

 

[tifosi]

There's a point to the first 4 chars (32bit header) which means they contain the package length. Translating this makes reading the EPP response more efficientl.

Commands TO the EPP should also contain this 32bit header.

www.ietf.org/rfc/rfc4934.txt?number=4934

 

[DaveH]

Ah ok, I wasn't sure if Nominet EPP system was actually rfc4934. I seem to remember reading somewhere that it wasn't.

Thanks for the specification, I'll have to ensure my commands also provide the header (which they currently don't)