I am writing a SOAP request over SSL using Savon and HTTPi, a Ruby SOAP client and an interface for Ruby HTTP clients, respectively. Here's the code:
    # Build the client from the WSDL of the target service
    client = Savon::Client.new(original_class.constantize.wsdl_url)
    # Client certificate and its private key (mutual TLS)
    client.http.auth.ssl.cert_key_file = "path_to_the_key"
    client.http.auth.ssl.cert_key_password = 'secret'
    client.http.auth.ssl.cert_file = "path_to_the_certification"
    # Disable verification of the server certificate
    client.http.auth.ssl.verify_mode = :none
    @response = client.request :ins0, action do
      soap.body = encoded_body
    end
That's the only way I get this to work. But I know that there are three other verify modes, which are:
If I change the verify mode to any of the others above, I get this error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Then come my questions (among others I have):
I read the OpenSSL documentation about verify modes:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
About SSL_VERIFY_NONE, in client mode, it says:
The result of the certificate verification process can be checked after the TLS/SSL handshake using the SSL_get_verify_result(3) function. The handshake will be continued regardless of the verification result.
Should I be worried about it? Should I see verify mode :none as a dangerous thing?
I am asking because, since I can't make it work with the other verify modes, I would like to release the SOAP-over-SSL feature the way it is working now. But I surely wouldn't do it if that could be dangerous.
After a while, I joined the OpenSSL User Support Mailing List and finally got help.
In short:
The mode flags :fail_if_not_peer_cert and :client_once are for the server only, meaning nothing to the client, so they are ignored on the client.
For client purposes, :peer (SSL_VERIFY_PEER) is the only one that matters.
And it is not safe to set the verify mode to :none (SSL_VERIFY_NONE). That way, there will be no server authentication. If someone intercepts the connection from my client, my client will not detect the difference and will give sensitive data to the attacker.
In order to use :peer, I need to have the certificate in the client's trusted store.
A big thanks to Dave Thompson from OpenSSL mailing list.
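To make the answer's point concrete, here is an added example (not part of the original answer or of Savon/HTTPi) using only Ruby's OpenSSL stdlib. It constructs a throwaway CA, a server certificate issued by that CA, and a self-signed "rogue" certificate with the same hostname, then shows what :peer versus :none means: chain-building against a trust store accepts only the CA-issued certificate, while :none accepts anything. In Savon/HTTPi the trusted CA is supplied with `client.http.auth.ssl.ca_cert_file` alongside `verify_mode = :peer`.

```ruby
require 'openssl'

# Constructed in-memory for this example; a real client trusts the CA that
# actually issued the SOAP endpoint's certificate.
def make_cert(subject, issuer_cert, issuer_key, key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, so extensions are honoured
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ca_key = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Trusted CA', nil, nil, ca_key, ca: true)
server_key = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert('/CN=soap.example.test', CA_CERT, ca_key, server_key)
# Self-signed certificate for the same name, not issued by the trusted CA.
rogue_key = OpenSSL::PKey::RSA.new(2048)
ROGUE_CERT = make_cert('/CN=soap.example.test', nil, nil, rogue_key)

# What :peer (SSL_VERIFY_PEER) enforces: the presented certificate must chain
# to a CA present in the client's trust store (the ca_cert_file in HTTPi).
def verify_peer(presented_cert, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.verify(presented_cert)
end

# What :none (SSL_VERIFY_NONE) does: the handshake continues regardless of
# the verification result, so any certificate is accepted.
def verify_none(_presented_cert)
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "peer, CA-issued cert:   #{verify_peer(SERVER_CERT, CA_CERT)}"
  puts "peer, rogue cert:       #{verify_peer(ROGUE_CERT, CA_CERT)}"
  puts "none, rogue cert:       #{verify_none(ROGUE_CERT)}"
end
```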