Bitcoin Forum

Important reminder - back up your .blackmarket3.rsa private key file NOW.

I've made quite a few updates over the last week on both the server and python client.

Firstly for the server there is this (http://forum.bitcoin.org/index.php?topic=12979.msg179189).

Client
Motions
With thanks for kokjo for fixing the motions bug. You can now view the contents of all motions without any errors.

List assets
Using the command line client you can see all the assets on the exchange.

Recall
For every who has issued shares they want to recall you can now do this, the recall command will take issued assets out of circulations, the ones in the issuers account.

See your History
Specify your transaction history (using the command line client), see as many entries in bitcoin, asset, and market history as you like.

And finally, the big piece of news, this is what has been keeping me up at night.

Web based client
With much thanks to Jere Jones (who has been well paid for this task)


Start here (http://dev.glbse.com:4567/client/index.html)

If you already have a glbse account you want to login, not register.

Written as a single html page, the web based client performs most (not all) the functionallity of the command line. For the average user/issuer it will cover all their needs, and compared to bmc.py, it's soooo pretty.

And best of all, it handles bitcoin as normal decimal instead of the more difficult to use int64(as is still the case with bmc.py)

Using the web based client

If you already have an account on GLBSE, then you'll probably want to use that.

Firstly get your account number, bmc.py user
Then you will need your unencrypted private key.

Your key is probably not unencrypted so to unencrypt it you must:

RSA file decrypt using openssl
Make sure you're in the same directory as your .blackmarket3.rsa file
replace mypass with your password

.blackmarket3-non-AES.rsa contains your private key, copy pasta to the textbox and enter your userid, and hit login.

Your private key is not at any time sent to the server.

Register
The secure way to register is to generate your own public-private RSA keypair using openssl(if it's installed on your system), and then copy/paste them in before hitting register.

See here for more info on how to do that (http://www.ghosthack.com/2007/01/openssl-generate-public-private-key.html), but forget the -des3 part from that.

The unsecure method is to have our server do this for you and fill in the fields automatically by pressing the Generate new keypair.

It's handy but remember, all that information is sent in plain text over the internet so anyone listening (ECHELON) will have a copy. You're choice.

And don't lose that information, keep your private key safely stored, and don't lose your user id.

You can start trading with the client right now.

Start here (http://dev.glbse.com:4567/client/index.html)

Oh by the way, private key formating is important.
Should be on a newline.

p.s. please don't melt my server, be understanding, sometimes the client is a little slow(often the server is slow).

Nefario

I'll need to take a closer look at this later. Good work on the site over the past 2 weeks or so Iv seen you ever active in the development of the site.

Good work!

this is what i get back when typing in command line.  yes i used my "name" and "mypass" but want to hide them here:


C:\Users\name>openssl rsa -in .blackmarket3.rsa -out .blackmarket3-non-AES.rsa -passin pass:mypass
'openssl' is not recognized as an internal or external command,
operable program or batch file.

try openssl.exe, or try to put the full path to the openssl executable.

in that case do the private key and executable have to be in the same folder?

Damn !!!

I managed to overwrite my existing .blackmarket3.rsa when I was prepping to try the web client.

What's the process for recovering the account it was attached to ?

I know the user ID and the password. I can also state exactly what the current contents of the folio is. I can also tell you what the deposit address was.


* Can I also get a bug raised to cover the python client shouldn't write the .blackmarket3.rsa file, if one already exists. *

Uh. Transferring private keys over plain HTTP? No thanks.

If you've already got an account, and have your private key decrypted on your local machine then it's not sent at all.
It's a javascript version of the python client, it signs all messages with your private key, the messages are sent to the server and verified by your public key.

As I said, the key generation is there for convienience, security minded people wont use it, it's optional.

Ouch, no process.

The private key is the only way to prove you own an account, the password only encrypted your private key on your local machine.

How much bitcoin did you have in the account?
pm me all your account details.

Wow, i'm in.  but before i look around, what are the commands to re-encrypt my key?

one other thing; do i have to do this process everytime i sign in? :-\

very nice.  how about "balance"?

I had this same problem on my Win 7 machine, but got it fixed.

I dug around my HD and found a directory called "OpenSSL-Win32" inside that there is a directory called "bin". I went in there and found the openssl.exe file. I copied my blackmarket3.rsa file into the bin directory and then just used the same command nefario posted "openssl etc etc" and it worked fine.

PM sent. Thanks.

This.



Mine shows in the upper left corner of my screen.

you're right; there it is.
so do we have to reenter previously existing orders?

so each time we login do we have to retrieve our user id and pgp key?

wait a minute.  logged out and now can't log back in using same user id and unenrypted private key.  get an "invalid rsa private key" message and then it locks up in "Executing" mode.

Yes, think of it as a long username and password. keep them in a textfile.

And yes you need to re-enter your orders.

yeah, confirmed problem.  got in initially, looked around, set up a new order, all no prob.

logged off and tried to login again with same user id and unencrypted private key and now i get the above error. :(

Make sure your private key formatting is correct.

that before -----END RSA PRIVATE KEY----- has a newline.

wait, u mean this:

ajfaskdfjas;f;fadfl7+rqM34GBT4jIJ9dfi3if9llef90glBbYAn6nFpSUVCo954piqre
-----END RSA PRIVATE KEY-----



or this?:

ajfaskdfjas;f;fadfl7+rqM34GBT4jIJ9dfi3if9llef90glBbYAn6nFpSUVCo954piqre

-----END RSA PRIVATE KEY-----

It should be the first one.

Also make sure you are using your unencrypted private key.

i am using the first version and its unenrypted. ???
the strange thing is it worked fine initially and i got in and put up an order.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,F0CD17928C35A07E24D4B06D934A842D


this is at the beginning of private key.  its still not encrypted is it?

I'll give you a hint, it has the word "ENCRYPTED" in it  ;)

precisely why i asked ;)  i thought that since i can now see this huge wall of text that it was no longer encrypted. 

ok, the original command line de-encryption you gave me referenced the private key file with a .rsa extension.  that extension is now gone when i look at it in Windows Explorer.  it's now named .blackmarket3.  how do i modify your original command line?:

openssl rsa -in .blackmarket3.rsa -out .blackmarket3-non-AES.rsa -passin pass:mypass

".blackmarket3-non-AES.rsa" is the location where openssl printed the non-encrypted private key

.blackmarket3.rsa was not over-written
if you wish to get rid of the unencrypted private key... you PROBABLY (don't quote me or jump the gun) securely delete the ".blackmarket3-non-AES.rsa" file

Thank You Boonie, my man!  geez, i found it in the Recycle Bin after trying to clean up.   ;D

Thanks, been waiting for the web interface to purchase some shares.

One request, is that you have a list of the active Tracker Symbols.

Phil

Something like "Assets I'm watching" sort of thing?

Holy god...
Fantastic.
Really nice to work with web client.
You made it easy as eating a cake.
Thank you very much.

Haha.

This is by far the best compliment I've gotten for the web interface.

Credit to Jere Jones the dev who wrote it for me.

He was good to work with , and I'll work with him again in the future.

The latest command line client does have some functionality that the web client does not.

Where is the .blackmarket3.rsa for windows?

C:\Users\YOURUSERNAME

Is my share rate is 2 btc now????

You ran out of shares?

no, still ~200 shares left.
the web cleint says last price is 2.000000 BTC.
ASK is 2.1 btc

But if you are charging 1 BTC how last price is 2?

O.o

Bug?

Only Nefario can answer

http://i53.tinypic.com/25gqla0.jpg

i fail to see any inconsistencies here?  so the last share sold @ 2 BTC.  your current bid and ask are just spread around that price.  you should be happy about that since as i recall weren't u selling them for 1 BTC?

yes, i am selling for 1 btc. but still there are shares left.
before that my share value increased?
I so far heard, share value increases after they sold out.
But there are ~280 left to sell from my issue of 1000 shares.

did u repost your shares up right away?   maybe a share sold for 2 btc before u put up the 280 from the ipo?

I don't understand what u saying by put up...

I issued 1000 shares as IPO on May 10 2011 & so far only 720+ sold. & the bitcoin i got was 720+ only.

when the new GUI went up yesterday, all old standing orders got cancelled.  unless u put those old ipo shares back up for sale right away, other orders could've gotten executed above 1 BTC.

Seemly you actually sold everything.

dishwara, there are no outstanding asks at 1 btc, so there looks like at least one share was sold at 2 btc. That's why the last price is 2 btc.

Oh... Dishwara, nefario deleted ALL orders...

You have to sell again your outstanding shares for 1 BTC.

:)



Now, back on topic: I cannot login on the site, my rsa is correctly decrypted (I even tested using wrong password to see if it would fail to decrypt), I checked the newline and everthing, but I still cannot login at all.

its actually pretty cool someone bought @2 btc

what is Asset ID?  UBX returns an error in GUI

Works for me, remember you need to be using FireFox or Google Chrome.

Someone actually bought a single share at 2BTC, and it happens to be the last trade, no bug.

Nefario.

I still cannot login!

What problem are you having?

I explained about 4 posts ago...

I followed the instructions for the web client, but it do not work.

I had no problems whatsoever. Are you sure you decrypted .blackmarket3.rsa?

Yes, I already wrote that... I even checked decrypting with wrong password (it failed) to see if there was a error somewhere, and checked the newlines, and checked the CR/LF issue between DOS and Unix file styles...

It just refuse to work.

my login won't work on my Mac Firefox but will on my Win7 Firefox.

Now that is interesting...


I am using Chrome on WinXP

I wonder if the browsers are sending the CR/LF in a different way according to the OS that they are housed...

i am using FF

For gods sake, why can't something that should be simple, ACTUALLY be simple.

Why are we cursed with...cross platform differences!!!!

I am using google chrome always.
Win 7 , 64 bit. I access all features in web client.

I too got after some time can't able to login, it gave error in a windows with text "object [object]"
Since the decrypt key contains un countable characters, even a mistake with clicking space key will change everything.
So, i deleted the file & again decrypt file & this time before opening, i made it READ ONLY & then opened with notepad & everything is smooth so far.

I need to make this easier to use!!!!

I guess so...

Finding the private key here was kinda a hassle (because in WinXP C:\USERS do not exist... specially in portuguese language edition).

To search any file in mountains of files i have, i use locate32 from this site.
http://www.locate32.net/
It is a very small portable program, works faster than windows search.

Nefario,

when we logout we get taken back to login window with user id and private key still filled in.  this secure data should disappear.  even when i refresh the screen its still all filled in.

That's your browsers cache, the private key is never sent to the server.

By the way, were working on a way of making this easier, turning it into a saved html page acceisble through a bookmark.


speeder, could you post the first 3 lines from your private key, that include the RSA header and the line just below it please.

Nefario

That is not my key (I am in another computer right now)

but it looks more or less like that

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDfnaXDy9v4q8PfV ....
-----END RSA PRIVATE KEY-----



Important to note, it DOES NOT have the "ENCRYPTED" word on it.

I have added subticker symbols to the exchange.
You can now have sub ticker symbols.

For example the ticker mineco can have assets with the ticker symbol mineco.july, and mineco.aug and so on.

The symbols work in a way similar to domain names only backwards. The base symbol is first followed by the sub symbol.

Only the owner of the base ticker symbol can add a sub ticker using that ticker.

Using the register ticker, enter the full ticker to set the name. So if you want an asset with the ticker mineco.sept then enter the full name in.

Nefario.

I have used the open ssl (http://www.ghosthack.com/2007/01/openssl-generate-public-private-key.html) and deleted the -des3 part.

I ran the Private only and the Public from Private-
I now have 2 files, private.pem and public.pem

I registered with the copy/paste of these 2 files and noted the generated userid-

I attempted logging in with my userid and paste of my Private.pem

I get the Executing message followed by a FF error pop up as follows:

http://i52.tinypic.com/28k7qzo.png

I have done something wrong? Can it be my FF version? 3.6.17

many thanks!

nice client, couple suggestions:

list all assets on market
search/list asset by ticker

Is the server up?
I'm trying to figure out if the server is down or if I have a problem internally.

The official site says thatthe server is down during reparations.

Ah thanks!

Yeah, market is down ATM while I beef up security.

Nefario.

Hey Peter, did a code review trying to find areas that might be exploitable, made a few changes(nothing big AFAICT).
And adding security.

Trying to separate and comparmentalise different areas of functionality, kind of defence in depth.

To be honest I'm not an expert in implementing these things, which is one of the reasons it's taken so long.

The other reasons being that moving onto another machine was more work than planned, I'd not documented the setup process.

Coming along though, glbse.com is now all https. Now need to make the changes to the clients.

Will have the system up for maybe a day before I put any bitcoin in it. Just in case.

I'm also having someone check it over.

Nefario.

Is Doctor Nefario a trusted CA Root Certificate Issuer?  ;)
My browser says the certificate isn't trusted and that the certificate does not match the URL.

But out of curiosity and in all seriousness (on my part, other people may have other reasons), are you going to be getting a different ("trusted") certificate?

Non techies die at this point.
Huh?

What? ???

Solved my problem!

Thanks!

is there a problem with the generate new key pair when registering on the web because every time i try it i get a blank pop up with an ok button, and when i click that nothing happens.

The web client now instead of giving a error message, it just do nothing.

Amy chance that we can buy/sell fractional amounts of shares?

eturnerx fractional shares are not sold fractional on purpose on stock exchanges.


When a company want to make "fractional" shares they just issue trillions of shares (like Brazillian console manufacturer TecToy... each share is right now 0.01 USD)

Actually no - it dates back to the issuance to stock certificates. However I have different reasons for asking Nefario.

What?

You've spotted my cunning plan.... shhhhh!  ;)

Just wanted to make sure Nefario wasn't going to sweep the rug out under the idea by bringing in fractional share trading.

A mutual fund is still a good idea, even with fractional share trading...I think the two should be independent. MF's primarily benefit those who cbf managing their own stocks, so they trust someone who cares. There are others with little capital that would love to put whatever they have in a stock.

I can't think of a reason why bitcoins cannot pioneer the way into fractional stock systems, since dividends are paid out by share % anyway. Buying "1 share for 12 btc" is fairly straightforward, but it's not too much of a stretch to say "buy me 1 btc's worth of the stock", and getting 0.08333 shares from someone who's simply selling. No different to the bitcoin exchange imo.

I wana put bitcams.com up there but people keep asking me about the certificate? Can you give me an explanation about why it doesn't exist? Great job on the site otherwise.

I use GLBSE, but am not affiliated with them. GLBSE uses a self-signed certificate, which means GLBSE did not pay a third party to sign the certificate. what this means is that you get a nasty warning from most web browsers because of some of the disadvantages of a self-signed certificate I will explain later. while these disadvantages are a potential risk, a self-signed certificate CAN be secure and IS safer than not having a certificate. a self-signed certificate allows you to communicate with the site securely without the cost associated of a trusted certificate authority.

that said the disadvantages of a self-signed certificate are:
-you must trust the certificate that you are presented is good (you can add it as a permanent exception, which will be used by your browser for future comparison)
-you must trust that when the certificate changes that it was not changed by a malicious third party such that they can eavesdrop on or from the secure connection with the site

compared to a trusted certificate where
-you must trust that a disinterested third party (trusted by your browser) trusts the certificate AND that the site and the third party have not been compromised
-you must trust that when the certificate changes that the disinterested third party (trusted by your browser) trusts the certificate AND that the site and the third party have not been compromised

EDIT:
there are ways to get free trusted certificates, so those are definitely worth looking at

Good question about the self signed cert.

I threw that up after the Mt.Gox fiasco, didn't wan't to wait at the time for a cert authority to get back to me with it.

With the crisis over(taking glbse down to harden it) I now have time to get around to fixing these issues, so we're going to get a signed cert.

From a security point of view, self signed is actually better(I think) but it throws up that horrible warning. I know what the warning is and normally click through but others might not.

Also a big update on the web client is on the way later today.

Nefario.

Update of the webclient is now live, now it allows you to securely keep the keys for multiple accounts stored on your local machine in the browser.

https://glbse.com/client/glbse/index.html

The old client is available here if you prefer.

https://glbse.com/client/glbse_old/index.html

If there are any issues post them in any one of these threads, I'm watching them.

http://forum.bitcoin.org/index.php?topic=13055.80

http://forum.bitcoin.org/index.php?topic=19853.0

I appologise to anyone who didn't get your issues fixed in a timely manner over the last week, that is totally my fault.

Currently I'm the only one who is in a possition to resolve those issues, and was traveling for a few days. This is something We're hoping to resolve as we go forward.

Nefario.

Nice work.
But, when i try to see the tally in motions, a window showing Executing appears & it doesn't show the votes.
Just only Executing is displayed for hours & nothing happens.

Also master password or main password is showing characters instead of *** or dots. make it hidden behind asterisk

I still cannot use it :(

My key:


-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA9YUSAeRE4xCVMfOhqtrCR16mrKJqO6OzYSgU9Ilkb8qvEW49

...

EvJAJ9AAsBOzIBuW+ofZq9C4RCJnR8d5F58eZ6OKFFM5cyZwFJsHL+JN8F7n5bsP
o9ulSof9bKwnQSfm56Ih4hTgvo6gARGSjoF9BYpfcBTQXLjlKtOTsQ==
-----END RSA PRIVATE KEY-----


And I still cannot login at all :( It says the key is incorrect.

Are there any shares/bitcoin in your account?

How long has it been like this(I seem to remember you had the same issue before with the older web client)?

Are you able to create a new account and use that(with this client you can easily manage multiple accounts)?

What browser and OS are you using?

Nefario.

I'll see about making that change.

Just so we're clear, the private keys are stored in the browsers local db using html5 and encrypted using AES with a password derived key, you can inspect the source, it's all there in Javascript, the private key never goes to the server.

Yay!

I found the issue...

The user key had a extra invisible character (probably a space or a alt + 255)


>.<

So this was whitespace or something like that after the keytext or within the keytext?

Please confirm if that was the case and I'll see what can be done to prevent that happening in the future.

Also just to let uses know we seem to be having some issues with voting at the moment.

Is anyone else having trouble seeing their orders, bitcoin/market/asset histories?

Nefario.

It was a whitespace after it. Or something like that.

I did again a new bmc.py user copied all characters carefully (to not copy whitespace) and tried again, and THEN it worked.


Also for some reason, I spent a good time trying the user id "speeder", I forgot the user id was a string and for some reason it is not clear what the user id is.

OK, the new interface should make that easier for people, at most a password to remember (if they have one at all)

I'm having trouble reaching the "Orders" page, Assets History, and withdrawing funds from the account.

OK, that will be my first priority in the morning, fix orders/asset history etc ASAP. It's 3am here so I need to sleep.

Nefario.

https://glbse.com/client/glbse/index.html

i don't get this new page.  what are we supposed to do with it?

It gives SSL errors & clicking proceed opens the page with out problems.
Using google chrome.

Client's updated, fixed a few issues with withdrawls and other things.

SSL error is because it's a self signed cert, you can click through without any worries.

http://charts.glbse.com/markets/

says "Out of coins"

or

"Unhandled Exception
An unhandled exception was thrown by the application."

what does "Set Password" mean? as well as checkbox "do not protect password"?

The way it works is your browser will store your private keys for you, locally using html5. You have the option of having them stored encrypted, which would require a password to access them (in a readable manner) or leave them as plain text.

You can then have as many accounts as you like, it's now easy to manage multiple accounts.

There is also a backup and restore option to move your keys off that particular machine, and those backups can be encrypted or in plain text.

Nefario.

so as an existing acct owner, do i want to Add existing acct or Import existing acct?

Hmm, that's something that needs to be changed to something more obvious.

You add an existing account, the import is if you've saved it to a backup textfile.

ok, accessing just fine.  nice layout.

why does my user id display differently in the GUI than from what i have stored locally?

I've no idea, is it a problem?
I mean is it the same id displayed differently (bigger text?) or a different id?

its totally different.

not a problem except that when i thought i lost my user id last week, i hunted down a Google page cache of GLBSE that had the changed (incorrect) user id in it.  used in combination with my private key, i couldn't open my acct and i freaked out until i realized that it wasn't the real user id.

i too see different id.
DISHWARA acc key is 762ea30xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxb6a1ce

But i see 47df92xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx583328c97 in top.

same for other acc also. the key i got from dos mode is different than , key displayed on acc in web client.

i see the exact same user id:   "But i see 47df92xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx583328c97 in top. "

hmmmm, let me check this out.

Cancelling orders isn't working for me. I get the list of orders, click on the "cancel" button/image and nothing happens.

The user id issues been fixed, also cancel orders and transfer problems.
Still working on voting.

It's working for me now. Cheers.

No problem.

Still working on voting, such an odd error.

Voting is up and running, give it a try.

I'm getting a message about not having enough unreserved assets, cancel another order when i try to sell, even though I have no outstanding orders

I am creating an order to buy DISHWARA @ 0.550000 BTC & my order cannot be created & giving a pop message with object[object] as error.
But i can able to buy from already asked amount.
Why is that?

This happens only when buy price is 0.550000.
It doesn't happen when buy price is 0.500 or 0.59 or 0.600

Still happening?

yes, still happening. only for price 0.5500....

OK guys there is a problem with the webclient.
It's a JavaScript float issue.

Dishwara, although you're typing in 0.55000, what is actually being sent to the server is 55000000.00000001

This wont be fixed in the webclient for maybe 12 hours.

It's a pretty serious problem I think, one that for some reason has only come now(which is strange because it's also there on the first web client).

I'm closing the market for the next 12 hours until it's done.

Nefario.

LOL!

55000000 BTC to buy a share - may be in my next birth.

I like your sense of humor.

Market is back open, number problem has been fixed.

Sorry for the delay and downtime.

I get 28 bitcent, but I dont know from what assent. How can I know?

I'm working on this today.

I tried to access my account today by giving password, it gave me a lengthy error that some procedure are missing(i didnt notice it fully), then i pressed "GO" & it logged me in. But there is no accounts. So, i added my accounts with id & key & checked asset DISHWARA.
In twitter it is displayed as sell:1@10000000:DISHWARA:1310782590 & sell:1@45000000:DISHWARA:1310782256.
But when i checked in asset DISHWARA its not there.
Is site working wrongly or some one hacked?


I sent you a pm, for which i didn't got any reply.

I didn't get a pm.

I'm checking now.

Nefario.

I resent you pm.
Now when i try to access my account, i get [object Object] error & balance shows retrieving always.
Clicking the circular arrow gives [object Object] pop up message.

I use terminal glbse, but the balance get an HTML error:

Why can't I see my balance?

+1

i cannot get in using my password that i setup around 3 wks ago.

i can get in "Adding an Existing Account" by inserting my user id and private key.

when i do get in my balance says "Retrieving..." with a refresh arrow.

when i click on Balance i get the "[object Object]" error everyone else gets.

attempted orders returns error [object Object].

I get the same "error [object Object]."  I am trying to withdrawal and get the same.  Seems the client is broken and there is no way to withdrawal.  Anyone else see this?  Is there another method?

Nefario should be back online within a day and will hopefully be able to resolve this quickly once he is.

I haven't been able to withdrawal for a few weeks - chalked it up to all the upgrades, but wouldlove to see it fixed!

is there no one else associated with glbse that can get this fixed so the rest of us can resume trading and access our accts?

Where is Nefario?

Unfortunately, not really at this time.

I have copies of a bunch of the server/development passwords etc, but I'm not a coder or involved with development. I've got them so I can find someone else to fill Nefario's shoes in the event something happens to him. Obviously not an ideal situation, and it's an issue we've discussed internally and recognize as a problem, but haven't been able to resolve yet. Annoyingly some error has cropped up at basically the worst time as Nefario is in transition moving between countries.

Hi,

I'm just after getting back online, I'm working on this now.

I'll keep you updated.

Alright folks, everything is back up and running. Bitcoind crashed on the server so anything to do with balances etc got choked. Should be running fine now.

The python client worked for an hour or so 8 hours back but now seems bust again. Has bitcoind crashed again ?

Errno::ECONNREFUSED: Connection refused - connect(2)

...Looks that way

Looks like the same error to me. 3:30am Nefario time so it'll be at least a little while before he gets to it.

No problem for me. I'm not in any rush - just wanted to make sure you were aware.

The error persists.

If you need, this is my user d4d66c97ee7e1adb70d81233cdc6d669edc3cca3da89be018efbc429ab58a331

Back up, again bitcoind had died.

I'll make sure to have this taken care of so it's not a problem in the future, in the meantime I will be watching it like a hawk.

Nefario.

Yeah! All works fine now. Than you, Nefario!

http://charts.glbse.com/markets/

Out of coins.

thanks for the heads up, I'll get on that ASAP.

Yeah that was a problem with bitcoincharts, he's got that working now.

Also, I'm happy to announce that for the web client, bitcoin history now shows which asset has paid a dividends.

All the history pages (bitcoin,asset,market) now show 15 entries instead of the default 5.

Please clear your browser cache and reload the webclient to use.

Nefario.

I have updated BMC Tools to reflect this change ... http://forum.bitcoin.org/index.php?topic=31174.msg394368

Much appreciated Ben.

We've now got an SSL Auth signed cert, no more nasty warnings  :D

If you're using the command line client check this.
http://forum.bitcoin.org/index.php?topic=32569.0

Anyone else seeing the following error ? ...

ben@ben-laptop2:~/bitcoin_stuff/bmc/black-market-client$ ./bmc.py balance
Enter passphrase:
Server error: server certificate verification failed. CAfile: server.crt CRLfile: none.

This is with a fresh local clone of the git project, as per below.

from what I can tell it's because openssl doesn't trust the certificate. I tried adding it to the windows trust store and that certainly did not help. i didn't try very hard, but I wasn't able to find the necessary openssl command. looking at the crt file, I didn't see a trust chain in it, so that might explain why it's not trusted.

The ssl cert (that's in the git project) isn't used now and the client has been changed to not verify ssl certificates. Try to get the latest version of bmc.py, Ive tried the client on debian and it works.

okay i stand corrected. it was a case of PEBKAC, apparently I still don't fully understand git. the latest commits weren't showing up in the tortoise-git log and doing fetches didn't help either. one of the descriptions of pull I had read made me hesitant to try that again. it's working for me with the latest commits from july 28. thanks.

Yep, the latest set of changes allow the client to work, without any verification of the SSL certificates.

However, I am interested in getting SSL certificate verification in the client working again, as that is important, particularly for software for trading.

I've spent some time researching and believe I have a reason for the problem ...

pycurl utilises libgnutls. We can utilise gnutls-cli to check what's going on when GnuTLS is used to connect to glbse.com server ...

ben@ben-laptop2:~/bitcoin_stuff/bmc/new_test/black-market-client$ gnutls-cli --x509cafile /etc/ssl/certs/ca-certificates.crt glbse.com
Processed 142 CA certificate(s).
Resolving 'glbse.com'...
Connecting to '195.200.253.239:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1024 bits
 - Secret key: 1023 bits
 - Peer's public key: 1023 bits
- Certificate type: X.509
 - Got a certificate list of 3 certificates.
 - Certificate[0] info:
  - subject `serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij,C=IE,O=glbse.com,OU=GT03597358,OU=See www.rapidssl.com/resources/cps (c)11,OU=Domain Control Validated - RapidSSL(R),CN=glbse.com', issuer `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA', RSA key 2048 bits, signed using RSA-SHA, activated `2011-07-26 20:43:11 UTC', expires `2012-07-28 13:33:05 UTC', SHA-1 fingerprint `06b65248bef97357fb9dfd648671261ee7f4ed9c'
 - Certificate[1] info:
  - subject `C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV SSL CA', issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', RSA key 2048 bits, signed using RSA-SHA, activated `2010-02-26 21:32:31 UTC', expires `2020-02-25 21:32:31 UTC', SHA-1 fingerprint `bae30b15dbb1544cf194d076b75b7bb9e3d6b760'
 - Certificate[2] info:
  - subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA', issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority', RSA key 2048 bits, signed using RSA-SHA, activated `2002-05-21 04:00:00 UTC', expires `2018-08-21 04:00:00 UTC', SHA-1 fingerprint `7359755c6df9a0abc3060bce369564c8ec4542a3'
- The hostname in the certificate matches 'glbse.com'.
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
*** Verifying server certificate failed...


This suggests the reason for the failure is a missing certificate in the chain presented by the glbse.com server.

So chain presented as a result of negotiation for GnuTLS is as follows ...

server certificate ...
subject `serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij,C=IE,O=glbse.com,OU=GT03597358,OU=See www.rapidssl.com/resources/cps (c)11,OU=Domain Control Validated - RapidSSL(R),CN=glbse.com'
issuer `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA'

intermediate certificate 1 ...
subject `C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV SSL CA'
issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA'

intermediate certificate 2 ...
subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA'
issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority'

So the chain is broken between the server certificate and intermediate certificate 1.

I believe that if the certificate with ...

subject `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA'
issuer `C=US,O=GeoTrust Inc.,OU=Domain Validated SSL,CN=GeoTrust DV SSL CA'

... is inserted into the presented chain between the server certificate and current intermediate certificate 1, then no additional certificates will need to be shipped with the client, as the `C=US,O=Equifax,OU=Equifax Secure Certificate Authority' certificate is present in the "standard" ca certificate bundle provided with most OSes.

This should just be a matter of configuration on the glbse.com server.

Same result can be concluded from an equivalent command for openssl ...

ben@ben-laptop2:~/bitcoin_stuff/bmc/new_test/black-market-client$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect glbse.com:443
CONNECTED(00000003)
depth=0 /serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij/C=IE/O=glbse.com/OU=GT03597358/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=glbse.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij/C=IE/O=glbse.com/OU=GT03597358/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=glbse.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij/C=IE/O=glbse.com/OU=GT03597358/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=glbse.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij/C=IE/O=glbse.com/OU=GT03597358/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=glbse.com
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
 1 s:/C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvDCCA6SgAwIBAgIDApP8MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTEwNzI2MjA0MzExWhcNMTIwNzI4MTMzMzA1WjCB2TEpMCcGA1UEBRMgaWhi
ZUx2VTA4d0RjOFI5TDhXbkN4L3A4TlNscjMxaWoxCzAJBgNVBAYTAklFMRIwEAYD
VQQKEwlnbGJzZS5jb20xEzARBgNVBAsTCkdUMDM1OTczNTgxMTAvBgNVBAsTKFNl
ZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMgKGMpMTExLzAtBgNVBAsT
JkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlkU1NMKFIpMRIwEAYDVQQD
EwlnbGJzZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvA02I
8K86MzXzTMsSTkKquowPDvhBy+1PC+Dh0cEgRuVKY2VrG0RjVNph4oLRc8qoG/zp
6pKvNqXw2WJQnfLe2vIi6R8RF9XOihrb4Mt1Wx10sfQI5pj4pnwfb25PYm6iPQ3N
cp3V5J3Mh/ZLQROI8HEY+f6hbNFqD4dRmxjC6/fwhAEPOKWzbfgFAQvlcHUEsnfp
UuwlDAjlh4u9XWDKt7UCet0B0KGZeoIGOBTg0yd/6oxsC1pwUnK/wYymvm7Wg+C3
uW2JqcVJUhENQV0ug7V4XB2m3ZOsAJcxuCnpfYUvANEuVxuQtpqLzBh/IOMWpR45
s8uoiZmy0MwA3xs3AgMBAAGjggEnMIIBIzAfBgNVHSMEGDAWgBRraT1qGEJK3Y8C
ZTn9NSSGeJEWMDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEG
CCsGAQUFBwMCMBQGA1UdEQQNMAuCCWdsYnNlLmNvbTBDBgNVHR8EPDA6MDigNqA0
hjJodHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3Ns
LmNybDAdBgNVHQ4EFgQUP/o+0sHdsz2OVB4Jb75h3IkgIr8wDAYDVR0TAQH/BAIw
ADBJBggrBgEFBQcBAQQ9MDswOQYIKwYBBQUHMAKGLWh0dHA6Ly9yYXBpZHNzbC1h
aWEuZ2VvdHJ1c3QuY29tL3JhcGlkc3NsLmNydDANBgkqhkiG9w0BAQUFAAOCAQEA
oI0xm1JOZCCzJb0IXfu2q9aCm7BYNGqAvLyYddqBVNqGgiM5T4xiA1u+wKCHly+Y
dXn/WD90fTCvMyImTBDlWniJ5NurV7cPEQl7PhDZArwMPIyeRmeZRL4ir8glDGHg
3BK3v7do8H4v+JqmV832M5nn0gQnIKYH5q4Iiq7gE7Q8Nv4v9bTAu4TanGQzWM0+
SLYnBblYE/zS4mDPsw5fY63UOsTBw6/88KHFxzaNxQ7qgejn9lHkbNyHHiJSXz8K
jZ34Ns9xn0QpTPdjWc4O6bE2jTq0oD5GknU5tOds706hmI6BcOvuX+wCE0n19XgB
s+8uPV4vn6oGHedQ4G+AMw==
-----END CERTIFICATE-----
subject=/serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij/C=IE/O=glbse.com/OU=GT03597358/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=glbse.com
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3840 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 811D3E85204DFA23243755401CB5D600C3B25F15369B1F82D1355AEF9A5BC38E
    Session-ID-ctx:
    Master-Key: 19C2F072E2A174ADD41A9164FB5AD9C1811001A8796B4A8BDC65A1CEE28C9C3D0F9832FF5677627 CC1F737CBDB5F11D5
    Key-Arg   : None
    Start Time: 1312129418
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)



Thoughts ???

Compare with Google ...

ben@ben-laptop2:~/bitcoin_stuff/bmc/new_test/black-market-client$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect encrypted.google.com:443
CONNECTED(00000003)
depth=2 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFCDCCBHGgAwIBAgIKPlKuxgADAAAsXDANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMTA3MTMwNTUwNDhaFw0xMjA3MTMwNjAwNDha
MGYxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRUwEwYDVQQDFAwqLmdv
b2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANolbE9Pl1R3CLfX
FMXlZJoIvv2548Ksuv4TWfna37sre4Ng7V3vVpwRT0oQteVPGUyiHj/HCqThg3Jz
TNUCFMwhYruXHLtCDO8bcJdvQzTsOKxtYNiopPW3817gbEkuHGhRxCTZtGXFu2Qa
TuQi8BRMzfxUNHPlNvZQAHaR0BadAgMBAAGjggLbMIIC1zAdBgNVHQ4EFgQUTNjK
1Y39on/YBjL7JosCkSI+oJswHwYDVR0jBBgwFoAUv8Aw6/VDET5nup6R+/xq2uNr
EiQwWwYDVR0fBFQwUjBQoE6gTIZKaHR0cDovL3d3dy5nc3RhdGljLmNvbS9Hb29n
bGVJbnRlcm5ldEF1dGhvcml0eS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS5jcmww
ZgYIKwYBBQUHAQEEWjBYMFYGCCsGAQUFBzAChkpodHRwOi8vd3d3LmdzdGF0aWMu
Y29tL0dvb2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9y
aXR5LmNydDAhBgkrBgEEAYI3FAIEFB4SAFcAZQBiAFMAZQByAHYAZQByMIIBqwYD
VR0RBIIBojCCAZ6CDCouZ29vZ2xlLmNvbYIKZ29vZ2xlLmNvbYILKi5hdGdnbC5j
b22CDSoueW91dHViZS5jb22CC3lvdXR1YmUuY29tggsqLnl0aW1nLmNvbYIPKi5n
b29nbGUuY29tLmJygg4qLmdvb2dsZS5jby5pboILKi5nb29nbGUuZXOCDiouZ29v
Z2xlLmNvLnVrggsqLmdvb2dsZS5jYYILKi5nb29nbGUuZnKCCyouZ29vZ2xlLnB0
ggsqLmdvb2dsZS5pdIILKi5nb29nbGUuZGWCCyouZ29vZ2xlLmNsggsqLmdvb2ds
ZS5wbIILKi5nb29nbGUubmyCDyouZ29vZ2xlLmNvbS5hdYIOKi5nb29nbGUuY28u
anCCCyouZ29vZ2xlLmh1gg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS5h
coIPKi5nb29nbGUuY29tLmNvgg8qLmdvb2dsZS5jb20udm6CDyouZ29vZ2xlLmNv
bS50coINKi5hbmRyb2lkLmNvbYIUKi5nb29nbGVjb21tZXJjZS5jb20wDQYJKoZI
hvcNAQEFBQADgYEAs5zPchwKQuQNN1h+fPdcSUrzSFFXZ5VettWXTbTNKsikctEK
b6cFJKuFqaDa/e7pvxqvVckPRW58sRBpNZTyjbS9XUPHACAVq5f20sPo/Oo47pf/
oMq/xUN7RdgOn+oCoRZO856maRUT2WhrBNAKdZ7RqLihUP7zW+33i6c6Gzc=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 2144 bytes and written 307 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 5269009FC24EF94B0C80BE4C78369CAC34793554D0E09C90F1F3FD4471DACCA9
    Session-ID-ctx:
    Master-Key: D2F3F86EF29FA4F2A8675476E3546664D85DD819542104AB6F861C590CCC48CD98F4F5131918902 05F80D7CC7284A295
    Key-Arg   : None
    Start Time: 1312129735
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

Or Yahoo, with a longer chain ...


ben@ben-laptop2:~/bitcoin_stuff/bmc/new_test/black-market-client$ openssl s_client -CAfile /etc/ssl/certs/ca-certificates.crt -connect login.yahoo.com:443
CONNECTED(00000003)
depth=3 /C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
verify return:1
depth=2 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
verify return:1
depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
verify return:1
depth=0 /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=GTE Corporation/OU=GTE CyberTrust Solutions, Inc./CN=GTE CyberTrust Global Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGOzCCBSOgAwIBAgIQD1hJQVLDNUtt6+cgnnJuZzANBgkqhkiG9w0BAQUFADBm
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSUwIwYDVQQDExxEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBDQS0zMB4XDTEwMTIyMTAwMDAwMFoXDTEzMDEwMzIzNTk1OVowXjELMAkGA1UE
BhMCVVMxCzAJBgNVBAgTAkNBMRIwEAYDVQQHEwlTdW5ueXZhbGUxFDASBgNVBAoU
C1lhaG9vISBJbmMuMRgwFgYDVQQDEw9sb2dpbi55YWhvby5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALTxKoODwdPNbM4FrhBYCsIJVm/EtiqQxgHZFBcR
FR8jAKUTXG2rMlkgiAoDp5duez+omwAoULLt9UlRVe6NqBuDxjDcniUeMYyudwzi
ua5EzZGKFryr8kyfhrKz15V4HwDBI1weDHmLDSwuU2jKpUTR1b2jid3o/B95Fd1Z
aUTZAgMBAAGjggNvMIIDazAfBgNVHSMEGDAWgBRQ6nOJ2yn7EI+e5QEg1N55mUiD
9zAdBgNVHQ4EFgQUZwtdzLsVHOGRRhaepLJCXmrYCWMwPgYDVR0RBDcwNYIPbG9n
aW4ueWFob28uY29tgg5tYWlsLnlhaG9vLmNvbYISb3ZpLm1haWwueWFob28uY29t
MHsGCCsGAQUFBwEBBG8wbTAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNl
cnQuY29tMEUGCCsGAQUFBzAChjlodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20v
RGlnaUNlcnRIaWdoQXNzdXJhbmNlQ0EtMy5jcnQwDgYDVR0PAQH/BAQDAgWgMAwG
A1UdEwEB/wQCMAAwZQYDVR0fBF4wXDAsoCqgKIYmaHR0cDovL2NybDMuZGlnaWNl
cnQuY29tL2NhMy0yMDEwaS5jcmwwLKAqoCiGJmh0dHA6Ly9jcmw0LmRpZ2ljZXJ0
LmNvbS9jYTMtMjAxMGkuY3JsMIIBxgYDVR0gBIIBvTCCAbkwggG1BgtghkgBhv1s
AQMAATCCAaQwOgYIKwYBBQUHAgEWLmh0dHA6Ly93d3cuZGlnaWNlcnQuY29tL3Nz
bC1jcHMtcmVwb3NpdG9yeS5odG0wggFkBggrBgEFBQcCAjCCAVYeggFSAEEAbgB5
ACAAdQBzAGUAIABvAGYAIAB0AGgAaQBzACAAQwBlAHIAdABpAGYAaQBjAGEAdABl
ACAAYwBvAG4AcwB0AGkAdAB1AHQAZQBzACAAYQBjAGMAZQBwAHQAYQBuAGMAZQAg
AG8AZgAgAHQAaABlACAARABpAGcAaQBDAGUAcgB0ACAAQwBQAC8AQwBQAFMAIABh
AG4AZAAgAHQAaABlACAAUgBlAGwAeQBpAG4AZwAgAFAAYQByAHQAeQAgAEEAZwBy
AGUAZQBtAGUAbgB0ACAAdwBoAGkAYwBoACAAbABpAG0AaQB0ACAAbABpAGEAYgBp
AGwAaQB0AHkAIABhAG4AZAAgAGEAcgBlACAAaQBuAGMAbwByAHAAbwByAGEAdABl
AGQAIABoAGUAcgBlAGkAbgAgAGIAeQAgAHIAZQBmAGUAcgBlAG4AYwBlAC4wHQYD
VR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4IBAQBa
Ykl7g9l5hQQzV7XtIdpuNZrTLlJ5y1JUg/GmEbZ7b1kHhBErnibJ3VxgUxA1WUoC
SowYMxCv6E3no+AVe/dJsT3uORihPYyBYM1ST1cto3W/LN2oFCmVQ+PPO7Xje9NE
ZzcHOGHKIBDpA+mggT/Rypntbp9gZX3vuZ51ewxWmfm6w+s17G8kC8gVEyaxtTtV
EEJJquWwLQm5IonuGzMfT93ajAY04aNrJSUg4tzwlsBM6opebNP51jvr2xwecV22
YFFWlT2IK/Hgt5sShRLF87RfM/gfjSCi8g3a0p3CbXeBigaypv/MEGUkcWkfGxwn
fPjh72mmPGC70nR7ikji
-----END CERTIFICATE-----
subject=/C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
---
No client certificate CA names sent
---
SSL handshake has read 4474 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: D8C808E8BCD16151231DFCEBC6AF1A8AACBA5B464AB5EB8DF5B7DF07C5E0BF7C1F42AF61328907B 8B2E94971760D3B35
    Key-Arg   : None
    Start Time: 1312129871
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I went checking on RapidSSL site for the relevant intermediate CA certificate and found an "installation checker" ... https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO9556

If you test glbse.com with that "installation checker", it confirms there is an invalid chain and details what resolution is required - you actually just need to replace your current intermediate certificate 1 with the one they provide in the report.

http://img694.imageshack.us/img694/2599/screenshot6xx.png

Download the required certificate from here - https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/David%20A./Rapidssl/Secondary%20Intermediate.txt

I had problems just copying and pasting from that text box of the "installation checker".

Your chain will then be ...

server certificate ...
subject `serialNumber=ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij,C=IE,O=glbse.com,OU=GT03597358,OU=See www.rapidssl.com/resources/cps (c)11,OU=Domain Control Validated - RapidSSL(R),CN=glbse.com'
issuer `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA'

intermediate certificate 1 ...
subject `C=US,O=GeoTrust\, Inc.,CN=RapidSSL CA'
issuer `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA'

intermediate certificate 2 ...
subject `C=US,O=GeoTrust Inc.,CN=GeoTrust Global CA'
issuer `C=US,O=Equifax,OU=Equifax Secure Certificate Authority'


Give me a yell once you've done that and I test it out for you.

Ben Walsh (beamer) better use web client.

Except for the warning (in Chrome) that "Your connection to glbse.com is encrypted with 256-bit encryption. However, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the behavior of the page."

The certificate is OK, though.

The web client is fine for humans, but I am developing applications to extend GLBSE functionality and utilise it as a backend for other services - so verification that those applications are really talking to the server they expect to be is very important.

Seconded.

One step at a time ;O)

I think it is just the twitter feed which is unsecured. Should just be a case of replacing the http://search.twitter.com URLs with https://search.twitter.com

Link to the Market Charts might also be a problem. I'd need access to the server itself to test.

Something which does puzzle me still is the chain presented to web browsers (I've checked with Chrome and Firefox) is as follows ...

server certificate ...
Subject : CN = glbse.com, OU = Domain Control Validated - RapidSSL(R), OU = See www.rapidssl.com/resources/cps (c)11, OU = GT03597358, O = glbse.com, C = IE, serialNumber = ihbeLvU08wDc8R9L8WnCx/p8NSlr31ij
Issuer : CN = RapidSSL CA, O = GeoTrust, Inc., C = US

intermediate certificate ...
Subject : CN = RapidSSL CA, O = GeoTrust, Inc., C = US
Issuer : CN = GeoTrust Global CA, O = GeoTrust Inc., C = US

root certificate ...
Subject : CN = GeoTrust Global CA, O = GeoTrust Inc., C = US
Issuer : CN = GeoTrust Global CA, O = GeoTrust Inc., C = US

... and that appears trusted by them. However, that isn't the chain presented to openssl and gnutls - is this because they are negotiating differently from the browsers ?


I note that the chains presented to web browsers for https://encrypted.google.com and https://login.yahoo.com matches the chains presented to openssl and gnutls. Weird.

I'm using nginx as a ssl frontend and have different servers behind(none of them doing ssl). The main purpose of having ssl is to protect peoples glbse forums passwords (please if you have a forum account have a unique password, don' reuse passwords).

GLBSE clients (both web and command line) send no useful or itentiffying information so there is no need for ssl for that, actually the entire server database could be stolen and it would still provide no more information than a bunch of transaction records, some bitcoin addresses and a big list of public keys. OK I'd like for all that information to stay private but still, thats your limit of personal data exposure when using GLBSE.

We dont keep emails or anything else. Oh we do keep access logs, i.e. so we can debug any problems and normal http logs.

With regards the Chrome warning, thats because we've got links to non-ssl resources on the home page (the feedback form for example, possibly even the twitter feed stuff).

Ben, you can go ahead and not worry about verification of the ssl cert for development ATM, I'll get that fixed by Friday (god I hate ssl certs).

as I mentioned earlier in the thread I'm certain it is just the twitter feed, at least with respect to firefox. it's pretty low priority in any case. having a redirect for the www sub-domain to primary domain would be a smidgeon higher on the list for trivial issues.

Yeah the www. redirect is a pain in the ASS.

My http server redirects all http traffic to https first, need to add www. to be redirected to non www before it does a https redirect.

I tried just doing the redirect as a cname in dns but hasn't worked.

I've dealt with redirects that were similar in complexity. it shouldn't be too hard if you are using apache, you just need to use the rewrite engine in the .htaccess file, i think.

using google I would say you'd want something like this. just for reference i altered the following example (http://muffinresearch.co.uk/archives/2006/08/20/redirecting-subdomains-to-directories-in-apache/) which seemed to be close enough to be workable

Using nginx

Ahh, sorry, well it doesn't seem to change much. If anything it looks a bit easier. There is a http rewrite module (http://wiki.nginx.org/HttpRewriteModule) for nginx

The most robust rule that applies is probably something like this

The wiki says using try files are a good idea, so you might need to look into that if you want better scalability. HTH. Hopefully I didn't miss any other obvious information you've already stated.