Reputation: 23
Here is the gist of what baffles me:
The policy file served is
<?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy><allow-access-from domain="*" to-ports="*"/></cross-domain-policy>
I wrote a little test Flash snippet (Test.swf) that tries to establish said TLS socket (on port 443).
Results
This run only has Flash ask for the policy file via its built-in policy file request port 843. The following is a trace of a Test.swf run:
FLASH LOG:
* Security Sandbox Violation *
Connection to mic.test.com:443 halted - not permitted from http://localhost/~mic/flash/Test.swf
Error: Request for resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
is denied due to lack of policy file permissions.
POLICY LOG:
OK: Root-level SWF loaded:
http://localhost/~mic/flash/Test.swf
OK: Searching for in policy files to authorize data loading from resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
Error: Request for resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
is denied due to lack of policy file permissions.
For this run, in addition to serving the file as above, the policy file server has been modified for another iteration to add the following XML node to the response:
(as per Adobe docs)
This run has Flash ask for the master policy file via its built-in policy file request port 843 AND then load a crossdomain.xml policy file on a different port (from the webserver, to be exact).
The crossdomain.xml file looks as follows:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for xmlsocket://socks.example.com -->
<cross-domain-policy>
<allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>
The following is a trace of a Test.swf run:
FLASH LOG:
* Security Sandbox Violation *
Connection to mic.test.com:443 halted - not permitted from http://localhost/~mic/flash/Test.swf
Error: Request for resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
is denied due to lack of policy file permissions.
POLICY LOG:
OK: Root-level SWF loaded:
http://localhost/~mic/flash/Test.swf
OK: Searching for in policy files to authorize data loading from resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
OK: Policy file accepted: https://mic.test.com:10443/crossdomain.xml
Error: Request for resource at tlssocket://mic.test.com:443 by requestor from http://localhost/~mic/flash/Test.swf
is denied due to lack of policy file permissions.
The only difference is that Flash claims to accept the policy file, yet still refuses to play.
Would you have any pointers as to where my thinking is wrong?
Upvotes: 1
Views: 1191
Reputation: 23
As recommended by @wvxvw, the answer turned out to be that the policy file server needs to be able to answer the request via a TLS connection.
Upvotes: 1
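A minimal sketch of a policy file server that answers the request inside a TLS connection, as the answer above describes. This is an added example, not code from the original posts: the function names, the certificate paths and the default port 843 (taken from the question) are assumptions, and the policy is scoped to the SWF's origin (localhost) and port 443 rather than the `*` grants shown in the question.

```python
import socket
import ssl
from xml.sax.saxutils import quoteattr

POLICY_REQUEST = b"<policy-file-request/>\x00"  # what Flash sends, NUL-terminated

def build_policy(domain, ports):
    """Socket policy XML. The page grants domain="*" to-ports="*"; passing
    the real SWF origin and port instead keeps the grant narrow."""
    return ('<?xml version="1.0"?><cross-domain-policy>'
            "<allow-access-from domain=%s to-ports=%s/>"
            "</cross-domain-policy>"
            % (quoteattr(domain), quoteattr(ports))).encode()

def answer_policy_request(conn, policy):
    """Reply on an already-connected (plain or TLS) socket.
    Returns True only if the peer sent exactly the policy request."""
    conn.settimeout(5)
    buf = b""
    while b"\x00" not in buf and len(buf) < 64:  # bounded read
        chunk = conn.recv(64)
        if not chunk:
            break
        buf += chunk
    if buf != POLICY_REQUEST:
        return False  # anything else gets no policy
    conn.sendall(policy + b"\x00")  # response is NUL-terminated too
    return True

def serve_tls(certfile, keyfile, policy, host="0.0.0.0", port=843):
    """Accept TLS connections and answer policy requests inside the tunnel."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_server((host, port)) as srv:
        while True:
            raw, _ = srv.accept()
            raw.settimeout(5)  # bound the handshake as well
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    answer_policy_request(tls, policy)
            except (ssl.SSLError, OSError):
                raw.close()  # failed handshake or timeout: drop the client

if __name__ == "__main__":
    # server.pem / server.key are placeholder paths (assumption)
    serve_tls("server.pem", "server.key", build_policy("localhost", "443"))
```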