I am writing a SOAP request over SSL using Savon and HTTPI, the Ruby SOAP client and the common interface for Ruby HTTP clients, respectively. Here is the code:

```ruby
client = Savon::Client.new(original_class.constantize.wsdl_url)

# client certificate and its private key (mutual TLS)
client.http.auth.ssl.cert_key_file     = "path_to_the_key"
client.http.auth.ssl.cert_key_password = 'secret'
client.http.auth.ssl.cert_file         = "path_to_the_certification"

# server certificate is not checked at all
client.http.auth.ssl.verify_mode = :none

@response = client.request :ins0, action do
  soap.body = encoded_body
end
```
This is the only way I can make it work. But I know that there are three other verify modes:
- :peer (SSL_VERIFY_PEER)
- :fail_if_no_peer_cert (SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- :client_once (SSL_VERIFY_CLIENT_ONCE)
If I change the verify mode to any of the above, I get this error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
So here are my questions (among others I have):
- Am I really wrong to keep verify mode :none? Is there a security flaw?
- What does the error mean? Is my code wrong, or is my certificate (which is self-signed; I'm in a development environment) not good?
I read the OpenSSL documentation about verify modes:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
About SSL_VERIFY_NONE, in client mode, it says:
"You can verify the result of certificate verification after establishing TLS/SSL communication using the SSL_get_verify_result(3) function. The handshake will continue regardless of the result of the check."
Should I worry about this? Should I regard verify mode :none as a dangerous thing?
I ask because, since I cannot get it to work with the other verify modes, I would like to issue the SOAP request over SSL as it works now. But of course I would not do this if it were dangerous.
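An added example, not part of the question and not Savon or HTTPI code: the script below uses only Ruby's standard OpenSSL library to reproduce the three situations behind the question on a local port. It generates a self-signed certificate (constructed here, standing in for the development certificate), starts a TLS server with it, and then connects three times: with VERIFY_NONE, where the handshake succeeds but `verify_result` still records the failed check, which is exactly what the quoted OpenSSL sentence describes; with VERIFY_PEER and no trust anchor, which raises the "certificate verify failed" error from the question; and with VERIFY_PEER after adding the self-signed certificate to the client's trust store, which succeeds with `verify_result` of V_OK. The hostname `localhost`, the port, and the greeting are assumptions of this example. The third case is the fix a practitioner wants: keep peer verification on and tell the client which certificate to trust, which in HTTPI is the `ca_cert_file` option on `client.http.auth.ssl` rather than `verify_mode = :none` (with :none, any certificate presented by a machine in the middle is accepted and the client key/cert pair only authenticates you to the attacker).

```ruby
require "openssl"
require "socket"

HOST = "localhost" # assumed name of the dev server; must appear in its cert

# Build a throwaway self-signed certificate, the kind a development server uses.
def make_self_signed_cert(cn = HOST)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3, so extensions are allowed
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject           # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Minimal TLS server on 127.0.0.1 that greets each client and hangs up.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  listener = TCPServer.new("127.0.0.1", 0)  # port 0: let the OS pick a free one
  server   = OpenSSL::SSL::SSLServer.new(listener, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept                # runs the TLS handshake
      rescue OpenSSL::SSL::SSLError, SystemCallError
        next                                # client rejected our cert; keep serving
      rescue IOError
        break                               # listener closed: shut down
      end
      conn.puts "hello"
      conn.close
    end
  end
  [listener.addr[1], listener, thread]
end

# Connect with the given verify_mode. When ca_cert is given it becomes the only
# trust anchor, which is how :peer is made to work with a self-signed dev cert.
def tls_connect(port, verify_mode, ca_cert: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.verify_hostname = (verify_mode == OpenSSL::SSL::VERIFY_PEER) # name check too
  if ca_cert
    store = OpenSSL::X509::Store.new
    store.add_cert(ca_cert)
    ctx.cert_store = store
  end
  sock = TCPSocket.new("127.0.0.1", port)
  ssl  = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = HOST                        # SNI, and the name verify_hostname checks
  ssl.connect
  # With VERIFY_NONE the handshake succeeds even though verify_result is non-zero.
  { verify_result: ssl.verify_result, data: ssl.gets }
rescue OpenSSL::SSL::SSLError => e
  { error: e.message }                       # e.g. "... certificate verify failed ..."
ensure
  ssl&.close
  sock&.close
end

# Run all three client configurations against one server and return the results.
def demo
  cert, key = make_self_signed_cert
  port, listener, thread = start_tls_server(cert, key)
  {
    none:         tls_connect(port, OpenSSL::SSL::VERIFY_NONE),
    peer_no_ca:   tls_connect(port, OpenSSL::SSL::VERIFY_PEER),
    peer_with_ca: tls_connect(port, OpenSSL::SSL::VERIFY_PEER, ca_cert: cert),
  }
ensure
  listener&.close
  thread&.kill
end

if $PROGRAM_NAME == __FILE__
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

The `none` result is the trap: the connection works and data flows, but `verify_result` is not V_OK, so a client that never inspects it has no idea it talked to an unverified peer. The `peer_with_ca` result is the configuration to carry back to Savon: the same self-signed certificate file, supplied as the trust anchor, with verify mode left at :peer.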