On Saturday, 30 January 2021 05:11:44 CET John Ralls wrote:

> > On Jan 29, 2021, at 4:11 PM, Bob White <whit...@me.com> wrote:
> > 
> > Thanks, John,
> > 
> >> 
> >> Not mentioned in your emails is the response from USAA: A webpage 
> >> reporting a server error instead of the usual 50x HTTP response code.
> > 
> > I do see a 400 in the Online Banking Transaction Window when attempting to 
> > download transactions in GNC:
> > 
> > AqBanking v6.2.5.0stable
> > Sending jobs to the bank(s)
> > Sorting commands by account
> > Sorting commands by account
> > Sorting commands by provider
> > Send commands to providers
> > Send commands to provider "aqofxconnect"
> > Locking customer "4563"
> > Sending request...
> > Connecting to server...
> > Resolving hostname "df3cx-services.1fsapi.com" ...
> > IP address is "45.60.151.211"
> > Connecting to "df3cx-services.1fsapi.com"
> > Connected to "df3cx-services.1fsapi.com"
> > Using GnuTLS default ciphers.
> > TLS: SSL-Ciphers negotiated: TLS1.3:ECDHE-RSA-AES-128-GCM:AEAD
> > Connected.
> > Sending message...
> > Message sent.
> > Waiting for response...
> > Receiving response...
> > HTTP-Status: 400 (Bad Request)
> > Unlocking customer "4563"
> >  
> >> 
> >> Also not mentioned in your emails: I suppose that you were able to 
> >> download your transactions successfully with Quicken. Do you think you 
> >> could install Wireshark (https://www.wireshark.org/#download) and collect 
> >> what Quicken is sending?
> > 
> > It's been a while since I used Wireshark, but I did install it.
> > Everything captured is encrypted. I've never decrypted TLS in Wireshark
> > before. Is there a tutorial available that doesn't require the use of
> > Chrome or Netscape so I can capture while using the Quicken app?
> > 
> > If not, I guess I could try the Quicken Web interface via Chrome or 
> > Netscape and capture things that way.
> 
> Dang, I didn't think of encryption. I don't know how to do that, and since 
> Quicken 
> 
> The Quicken web interface is I think different from OFX Direct Connect. If 
> it's OFX Web Connect then it handles authentication differently and that's 
> probably at least part of the problem.
> 
> I found a Quicken community discussion that suggests that Quicken for Windows 
> used IE to connect, so I'd imagine that Quicken for Mac would use WebKit. I 
> don't know if Apple's installed WebKit uses openssl, but it might, in which 
> case it might be possible to get a key log for the Quicken session. Total 
> speculation, I've never done anything remotely like this.

You cannot do that without breaking the security. Wireshark can decrypt the 
traffic, but you need the private key of the server certificate (and I doubt 
that you will be able to get a hold of it).

The other method is to use a proxy that intercepts the traffic (mitm). Tools 
like ZAP (https://owasp.org/www-project-zap/) or the Burp Suite 
(https://portswigger.net/burp) would be something to look into. Be warned: if 
you don't clean up after you're done, using these methods may leave a security 
hole on your system!

Other than that, I am also interested in your findings as this problem also 
applies to other applications using AqBanking/LibOFX.

-- 

Regards

Thomas Baumgart

https://www.signal.org/       Signal, the better WhatsApp
-------------------------------------------------------------
morphir: so much confusion :S kmake, kdemake, qmake make cmake etc.
logixoul: you forgot cmakekde :)
morphir: and bakemeacake
-------------------------------------------------------------
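
Added example, not part of the original thread and not AqBanking code: a check of the cipher line in the log quoted above to see whether a passive Wireshark capture of that session could be decrypted with the server's private key. With TLS 1.3 or any (EC)DHE key exchange it cannot, which leaves the per-session key log or the intercepting proxy mentioned in the thread. The `PROTOCOL:KX-...-CIPHER:MAC` layout is assumed from the single log line on this page, and the function names are hypothetical.

```python
import re

# Constructed sample: lines taken from the AqBanking log quoted in the thread.
SAMPLE_LOG = """\
Connected to "df3cx-services.1fsapi.com"
Using GnuTLS default ciphers.
TLS: SSL-Ciphers negotiated: TLS1.3:ECDHE-RSA-AES-128-GCM:AEAD
HTTP-Status: 400 (Bad Request)
"""

NEGOTIATED = re.compile(r"SSL-Ciphers negotiated:\s*(\S+)")
STATUS = re.compile(r"HTTP-Status:\s*(\d{3})")


def server_key_decrypts(desc):
    """True only if a passive capture of this session could be decrypted
    with the server certificate's private key (static RSA key exchange).

    Assumes the 'PROTOCOL:KX-...-CIPHER:MAC' layout seen in the log line.
    """
    fields = desc.split(":")
    if len(fields) != 3:
        raise ValueError(f"unexpected cipher description: {desc!r}")
    protocol, suite, _mac = fields
    key_exchange = suite.split("-", 1)[0].upper()
    if protocol.upper() == "TLS1.3":
        return False  # TLS 1.3 has no static RSA key exchange
    if key_exchange in ("ECDHE", "DHE"):
        return False  # ephemeral Diffie-Hellman: forward secrecy
    return key_exchange == "RSA"


def summarize(log_text):
    """Pull the negotiated suite and HTTP status out of a transaction log."""
    suite = NEGOTIATED.search(log_text)
    status = STATUS.search(log_text)
    desc = suite.group(1) if suite else None
    return {
        "suite": desc,
        "http_status": int(status.group(1)) if status else None,
        "server_key_decrypts": server_key_decrypts(desc) if desc else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```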
