 

Does SAVON support client side certificates authentication

I'm evaluating savon for consuming webservices... but I don't find any information if I can use an SSL client side certificate to authenticate against the server that provides the SOAP webservices. I read the documentation but didn't find anything about it.

Does anyone know if SAVON supports client side certificate authentication?

Regards Fak

asked Apr 12 '13 13:04

Fakada



2 Answers

The latest stable version of Savon (2.2.0 at this moment) supports SSL client certificates via global options. Please refer to the SSL section in the documentation.

Here is some example code, assuming httpclient is used with httpi:

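require 'savon'

# Global options for Savon 2; the ssl_cert_* entries supply the client certificate.
savonConfig = {
    :namespace => "http://...com",
    :endpoint => 'https://...:557/x/b/c',
    #:wsdl => 'https://...:557/x/b/c?wsdl',
    :log_level => :debug,
    :log => true,
    # :none turns off verification of the server's certificate; use :peer
    # (optionally with :ssl_ca_cert_file) to keep that check.
    :ssl_verify_mode => :none,
    :ssl_cert_file => 'publicCert.pem',       # client certificate (PEM)
    :ssl_cert_key_file => 'privateKey.pem',   # client private key (PEM)
    :ssl_cert_key_password => '1234',         # passphrase of the private key
    :open_timeout => 600,
    :read_timeout => 600
}

client = Savon.client savonConfig

# Request body elided in the original answer.
soapBody = {
...
}

calcResponse = client.call(:charge, :message => soapBody)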

If you have a pfx certificate/key file, you may have problems using it directly - so you might want to split them out into separate files - see this page for info: Extract public/private key from PKCS12 file for later use in SSH-PK-Authentification

Hope that helps!
Daniel

answered Oct 10 '22 22:10

rubiii
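The PKCS#12 split mentioned in the answer above, done with Ruby's standard OpenSSL library, as an added example that is not part of the original answer. The function names, the sample bundle, its CN and both passwords are constructed for illustration; the resulting PEM strings are what you would save to the files named in `ssl_cert_file` and `ssl_cert_key_file`.

```ruby
require 'openssl'

# Split a PKCS#12 (.pfx/.p12) bundle into the PEM pieces that the
# ssl_cert_file / ssl_cert_key_file / ssl_cert_key_password options expect.
# The private key is re-encrypted so it is never stored in the clear.
def split_pkcs12(pfx_der, pfx_password, key_password)
  p12  = OpenSSL::PKCS12.new(pfx_der, pfx_password) # raises on a wrong password
  cert = p12.certificate
  key  = p12.key
  raise ArgumentError, 'bundle lacks a certificate or private key' unless cert && key
  # A mismatched pair would only show up later as a failed TLS handshake.
  raise ArgumentError, 'private key does not match certificate' unless cert.check_private_key(key)

  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  {
    cert_pem:  cert.to_pem,                                   # -> ssl_cert_file
    key_pem:   key.to_pem(cipher, key_password),              # -> ssl_cert_key_file
    chain_pem: (p12.ca_certs || []).map(&:to_pem).join        # intermediates, if any
  }
end

# Constructed sample input: a self-signed client certificate packed into a
# PKCS#12 bundle, so the example runs without any files on disk.
def build_sample_pfx(pfx_password)
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse('/CN=soap-client.example')
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  OpenSSL::PKCS12.create(pfx_password, 'soap-client', key, cert).to_der
end

if __FILE__ == $PROGRAM_NAME
  parts = split_pkcs12(build_sample_pfx('pfx-pass'), 'pfx-pass', 'key-pass')
  puts parts[:cert_pem].lines.first   # first line of the certificate PEM
  puts parts[:key_pem].lines.first    # first line of the encrypted key PEM
end
```
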


We are having issues trying to get savon client to work with ssl client auth but at the same time bypass host verification....

https://github.com/savonrb/savon/issues/679

client = Savon.client(log_level: :debug,
                      log: true,
                      ssl_verify_mode: :none,
                      ssl_cert_file: (Rails.root + 'signed.cer').to_s,
                      ssl_cert_key_file: ('private.key').to_s,
                      wsdl: "https://example.com/Service?wsdl",
                      endpoint: "https://example.com/Service")

fails with Like HTTPI GET request to wir.dhswir.org (net_http) HTTPI::SSLError: SSL_read: ssl handshake failure

no more info..

We have tried savon 2.2.0, 2.3.0, and 2.11.0, with slightly varying error messages.

We are using same PEM formatted key and cert to savon and using unix WGET to compare. WGET will fail if we don't pass --no-check-certificate, however if we add that it passes and can do ssl client auth and get access.

wget 'https://example.com/CDC/VaccinationService?wsdl'  --certificate=example-int-wi-signed.cer --private-key=private.key -O- --no-check-certificate
answered Oct 10 '22 21:10

bjm88