OFX Support

Linas Vepstas linas@linas.org
Wed, 11 Dec 2002 10:45:47 -0600


On Tue, Dec 10, 2002 at 11:57:49PM -0500, bock@step.polymtl.ca was heard to remark:
> But I think now I approached this backwards.  Once we get two-way communication
> working with a few banks (no reason to think we would fail, much of the hard
> part is done), we should build our own list of hostnames/port numbers and
> distribute it in the source.  

Yes; I suppose in some file that the user could edit to add new
associations.

> It should be relatively easy to do since ofx
> travels over http, and would go something like this:
> 
> -Fire up sniffer or connection monitor
> -Fire up Quicken, use direct connect with the bank we need the info for.
> -Note the hostname and portname of the connection that was generated
> -Send this info, along with bank's name and perhaps what was used as the
> username back to the LibOFX project.

I see several problems: the ofx servers are urls, and not
hostname/ports.  Thus you need to have 

https://ofx.server.com:443/cgi-bin/ofx-servlet/

and not just the knowledge that it's ofx.server.com port 443

Since the SSL connection to ofx.server.com is opened before the 
POST /cgi-bin/ofx-servlet/ HTTP/1.1  
is sent, you don't have a way of sniffing out the whole URL.

Note also that some (most?) banks will use a redirect.  This is not
a problem, but something you would have to deal with:  e.g.

open SSL connection to www.mybank.com
GET /path/to/fake/ofx-server HTTP/1.1

which replies:
403 ReDirect https://ofx.mybank-carzy-domain.com/true-ofx-server/

so you close above, and open an SSL connection to 
ofx.mybank-carzy-domain.com
and POST /true-ofx-server/


Note that in this case, the URL that GnuCash should remember is
https://www.mybank.com/path/to/fake/ofx-server
and *not* the real one-- that's because the real one might change,
but the 'fake' one will probably stay the same  (??).

--------
The other potential problem is that some banks may be using a
'client certificate', and if so, this would be a pain; but I don't
think that this is done anywhere.




-- 
pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas@linas.org>
PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933
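
The redirect handling described in the message above, as an added example that is not part of the original e-mail and is not GnuCash or LibOFX code. It assumes the bank answers with a standard 3xx status and a Location header; the function names, the `probe` transport and the https-only check on every hop are assumptions of this sketch, and the responses are constructed sample data using the message's placeholder hostnames.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample data: URL -> (status, Location header or None).
# Hostnames and paths are the placeholders from the message above.
SAMPLE_RESPONSES = {
    "https://www.mybank.com/path/to/fake/ofx-server":
        (302, "https://ofx.mybank-carzy-domain.com/true-ofx-server/"),
    "https://ofx.mybank-carzy-domain.com/true-ofx-server/": (200, None),
}
REDIRECT_CODES = (301, 302, 303, 307, 308)


def sample_probe(url):
    """Hypothetical transport: look the response up in the sample table."""
    return SAMPLE_RESPONSES[url]


def wire_visible(url):
    """What a connection monitor can record: host and port, never the path,
    because the request line is sent only after the SSL session is open."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443


def resolve_ofx_endpoint(stored_url, probe, max_hops=5):
    """Return the URL to POST to for this session.

    stored_url is the stable entry point kept in the user's configuration.
    It is re-resolved on every session and never overwritten with the
    redirect target, since the target may change on the bank's side.
    """
    url = stored_url
    for _ in range(max_hops):
        # Assumption of this sketch: every hop must stay on https.
        if urlsplit(url).scheme != "https":
            raise ValueError(f"refusing non-https hop: {url}")
        status, location = probe(url)
        if status in REDIRECT_CODES and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        return url
    raise RuntimeError("too many redirects")
```
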