Ability to modify SSL options

[rslifka]

Hi there,

In upgrading to Savon 1.0, we can no longer attach to HTTPS endpoints as it appears certification verification is now required. We would like to disable verification via something akin to:

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

However, there is no way to communicate from Savon > HTTPI > Net::HTTP as the only form of communication appears to be string based (i.e. the 'request' variable is all thats passed from Savon::Client.new all the way down to Net::HTTP).

Thanks!

Rob

[hoverlover]

Could you please show how you are initializing your Savon client? Thanks.

[rslifka]

@client = Savon::Client.new('https://pantherportal.cdnetworks.com/wsdl/flush.wsdl')

The HTTP version of that endpoint redirects to that endpoint. Unfortunately no choice there.

[rubiii]

shouldn't this be possible?

client.http.ssl.verify_mode = :none

do you have configuraton like this?

[rubiii]

@rslifka should we follow up on this?

[rslifka]

Thanks for following up! We'll take another crack at updating the gem and report back. Sorry, not sure where my GitHub notifications are going.

[kashivreddy]

client.http.auth.ssl.verify_mode = :none
this works

[rubiii]

@rslifka can you confirm?

[vaibhavbansal]

We are facing a weird problem we are trying to hit a https end point and when we use client.http.auth.ssl.verify_mode = :none savon makes a call to the http end point. Is there a way of hitting the https end point and ignoring the certificate error

[rubiii]

@vaibhavbansal please open a new issue and post a spec and/or an example and the wsdl somewhere for me to debug.

[rslifka]

Hi Daniel,

Apologies I've been swamped and haven't verified this. Making any call to the endpoint (even retrieving the list of services I imagine) would verify that it worked. I'll have a look, might be a few days though.

[maqen]

Even with client.http.auth.ssl.verify_mode = :none I get error

SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert unexpected message

[kazmin]

me too!

[rubiii]

unfortunately "me too" doesn't help. i need a way to reproduce the problem.
i'd appreciate any support.

[maqen]

SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: sslv3 alert unexpected message

The problem is that you have to explicit set the ssl version to use. The error above is generated when version 3 (SSLv3) is used.

I've found a fork of httpi by @nicdal (http://github.com/nicdal/httpi.git) that allowed me to set the ssl version together with Savon (1.2.0)

@client = Savon::Client.new do
    wsdl.document = WSDL_URL
    http.auth.ssl.verify_mode = :none
    http.auth.ssl.ssl_version = :SSLv3
end

This solved my error without any other code modifications.

[rubiii]

thank you very much @maqen. i'll have a look into it.

[rubiii]

[support for specifying the soap version]((savonrb/httpi@b32fd49) was added in httpi v2.0.0.rc1.
not sure when savon will support this version yet.

[garcialopezco]

In new version v2.0.0, how can I disable ssl verification ( http.auth.ssl.verify_mode = :none ) ??

[rubiii]

@carlos-logicalbricks just realized that this was missing. it added an option for this on master.
please give it a try. i'll release this soon.

[garcialopezco]

Thanks a lot!!

[rubiii]

thanks for spotting this. i updated the documentation for more information about this.

[bjm88]

Hi - we have a situation with a test SOAP service where we need to use SSL cert and private key to present via client auth from server, however the actual HTTPS hosted cert the domain has is self signed or not valid, host verification wise. So we want to not verify them, host domain wise, but still present our cert and private key for client auth.....Does Savon support this?

We are having issues when we set ssl_verify_mode: :none
we'll get this error...
HTTPI GET request to wir.dhswir.org (net_http)
HTTPI::SSLError: SSL_read: ssl handshake failure
from /Users/Ben/.rvm/gems/ruby-2.1.5@caredox/gems/httpi-2.0.2/lib/httpi/adapter/net_http.rb:36:in `rescue in request'

if we remove ssl_verify_mode: :none,, then it works...here is the rest of the client initialization. To test after that we do client.operations

client = Savon.client(log_level: :debug,
log: true,
filters: [:password],
ssl_cert_file: (Rails.root + 'signed.cer').to_s,
ssl_cert_key_file: ('private.key').to_s,
env_namespace: :soap,
namespace_identifier: :urn,
namespace: 'urn:cdc:iisb:2011',
soap_version: 2,
wsdl: "https://example.com/Service?wsdl",
endpoint: "https://example.com/Service",
open_timeout: 30,
read_timeout: 30)

Also note bc/ of this reported issue in 2.3.0 savon we are using 2.2.0

#491

ANy ideas?

[noahmatisoff]

+1 I'm having this error as well. Trying to connect to a WSDL service using Savon on Ruby 2.1.4 and Savon 2.10.0 and I'm getting this error. Have tried setting ssl_verify_mode to no avail.

[aledustet]

I can connect using the Net::HTTP library adding a custom certificate like this:

http = Net::HTTP.new(host, port)
http.use_ssl = true
http.cert_store = OpenSSL::X509::Store.new
http.cert_store.set_default_paths
raw = File.read('cert_path')
certificate = OpenSSL::X509::Certificate.new raw
http.cert_store.add_cert certificate

This connection succeeds. Is there anyway to set the cert_store on the excon or the http connection savon is gonna make?

[KelseyDH]

Annoyingly it's not in the documentation, but Savon supports ssl_cert and ssl_cert_key as options, so you don't have to use a ssl_cert_file / ssl_cert_key_file like the docs suggest.

This will work:

      Savon.client(
        # . . .
        ssl_cert: OpenSSL::X509::Certificate.new( ENV["SSL_CERT"] ),
        ssl_cert_key: OpenSSL::PKey::RSA.new( ENV["SSL_CERT_KEY"] )
      )

and if your ssl_cert_key is locked with a password, unlock it with your ENV variables like this:

ssl_cert_key: OpenSSL::PKey::RSA.new( ENV["SSL_CERT_KEY"], ENV["SSL_CERT_KEY_PASSWORD"])

It would be great if the Savon docs were updated to include these two options for SSL.