Ability to modify SSL options
rslifka opened this issue
Hi there,
In upgrading to Savon 1.0, we can no longer attach to HTTPS endpoints as it appears certification verification is now required. We would like to disable verification via something akin to:
```ruby
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
```
However, there is no way to communicate from Savon > HTTPI > Net::HTTP as the only form of communication appears to be string based (i.e. the 'request' variable is all that's passed from Savon::Client.new all the way down to Net::HTTP).
Thanks!
Rob
Could you please show how you are initializing your Savon client? Thanks.
```ruby
@client = Savon::Client.new('https://pantherportal.cdnetworks.com/wsdl/flush.wsdl')
```
The HTTP version of that endpoint redirects to that endpoint. Unfortunately no choice there.
shouldn't this be possible?
```ruby
client.http.ssl.verify_mode = :none
```
do you have configuration like this?
Thanks for following up! We'll take another crack at updating the gem and report back. Sorry, not sure where my GitHub notifications are going.
```ruby
client.http.auth.ssl.verify_mode = :none
```
this works
We are facing a weird problem: we are trying to hit an https end point, and when we use `client.http.auth.ssl.verify_mode = :none` savon makes a call to the http end point. Is there a way of hitting the https end point and ignoring the certificate error?
@vaibhavbansal please open a new issue and post a spec and/or an example and the wsdl somewhere for me to debug.
Hi Daniel,
Apologies I've been swamped and haven't verified this. Making any call to the endpoint (even retrieving the list of services I imagine) would verify that it worked. I'll have a look, might be a few days though.
Even with `client.http.auth.ssl.verify_mode = :none` I get error
```
SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert unexpected message
```
me too!
unfortunately "me too" doesn't help. i need a way to reproduce the problem.
i'd appreciate any support.
```
SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert unexpected message
```
The problem is that you have to explicitly set the ssl version to use. The error above is generated when version 3 (SSLv3) is used.
I've found a fork of httpi by @nicdal (http://github.com/nicdal/httpi.git) that allowed me to set the ssl version together with Savon (1.2.0)
```ruby
@client = Savon::Client.new do
  wsdl.document = WSDL_URL
  http.auth.ssl.verify_mode = :none
  http.auth.ssl.ssl_version = :SSLv3
end
```
This solved my error without any other code modifications.
support for specifying the soap version (savonrb/httpi@b32fd49) was added in httpi v2.0.0.rc1.
not sure when savon will support this version yet.
In new version v2.0.0, how can I disable ssl verification ( http.auth.ssl.verify_mode = :none ) ??
@carlos-logicalbricks just realized that this was missing. i added an option for this on master.
please give it a try. i'll release this soon.
Thanks a lot!!
thanks for spotting this. i updated the documentation for more information about this.
Hi - we have a situation with a test SOAP service where we need to use SSL cert and private key to present via client auth from server, however the actual HTTPS hosted cert the domain has is self signed or not valid, host verification wise. So we want to not verify them, host domain wise, but still present our cert and private key for client auth. Does Savon support this?
We are having issues when we set ssl_verify_mode: :none
we'll get this error...
```
HTTPI GET request to wir.dhswir.org (net_http)
HTTPI::SSLError: SSL_read: ssl handshake failure
from /Users/Ben/.rvm/gems/ruby-2.1.5@caredox/gems/httpi-2.0.2/lib/httpi/adapter/net_http.rb:36:in `rescue in request'
```
if we remove `ssl_verify_mode: :none`, then it works... here is the rest of the client initialization. To test after that we do `client.operations`
```ruby
client = Savon.client(log_level: :debug,
                      log: true,
                      filters: [:password],
                      ssl_cert_file: (Rails.root + 'signed.cer').to_s,
                      ssl_cert_key_file: ('private.key').to_s,
                      env_namespace: :soap,
                      namespace_identifier: :urn,
                      namespace: 'urn:cdc:iisb:2011',
                      soap_version: 2,
                      wsdl: "https://example.com/Service?wsdl",
                      endpoint: "https://example.com/Service",
                      open_timeout: 30,
                      read_timeout: 30)
```
Also note bc/ of this reported issue in 2.3.0 savon we are using 2.2.0
Any ideas?
+1 I'm having this error as well. Trying to connect to a WSDL service using Savon on Ruby 2.1.4 and Savon 2.10.0 and I'm getting this error. Have tried setting ssl_verify_mode to no avail.
I can connect using the Net::HTTP library adding a custom certificate like this:
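```ruby
require 'net/http'
require 'openssl'

http = Net::HTTP.new(host, port)
http.use_ssl = true
# Start from the system CA bundle, then trust the service's own certificate
http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
raw = File.read('cert_path')
certificate = OpenSSL::X509::Certificate.new raw
http.cert_store.add_cert certificate
```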
This connection succeeds. Is there any way to set the cert_store on the excon or the http connection savon is gonna make?
Annoyingly it's not in the documentation, but Savon supports `ssl_cert` and `ssl_cert_key` as options, so you don't have to use a `ssl_cert_file` / `ssl_cert_key_file` like the docs suggest.
This will work:
```ruby
Savon.client(
  # . . .
  ssl_cert: OpenSSL::X509::Certificate.new( ENV["SSL_CERT"] ),
  ssl_cert_key: OpenSSL::PKey::RSA.new( ENV["SSL_CERT_KEY"] )
)
```
and if your `ssl_cert_key` is locked with a password, unlock it with your ENV variables like this:
```ruby
ssl_cert_key: OpenSSL::PKey::RSA.new( ENV["SSL_CERT_KEY"], ENV["SSL_CERT_KEY_PASSWORD"])
```
It would be great if the Savon docs were updated to include these two options for SSL.