dandemeyere / responsys-api

MIT License

choose SSL version for Savon #9

Closed evantahler closed 9 years ago

evantahler commented 10 years ago

Recently (Today?) Responsys disabled SSLv3 as an HTTPS type they supported on their servers. However, their servers still respond with SSLv3 as a valid option. Savon will not retry the HTTPS handshake, so we need to tell it another protocol to use explicitly.

This probably has to do with the new POODLE bug.

evantahler commented 10 years ago

Oh, the error you will see to indicate this:

HTTPI::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: wrong version number
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/httpi-2.2.7/lib/httpi/adapter/httpclient.rb:28:in `rescue in request'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/httpi-2.2.7/lib/httpi/adapter/httpclient.rb:25:in `request'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/httpi-2.2.7/lib/httpi.rb:159:in `request'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/httpi-2.2.7/lib/httpi.rb:125:in `get'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/resolver.rb:43:in `load_from_remote'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/resolver.rb:33:in `resolve'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/document.rb:142:in `xml'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/document.rb:160:in `parse'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/document.rb:147:in `parser'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/wasabi-3.3.0/lib/wasabi/document.rb:64:in `soap_actions'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/savon-2.7.2/lib/savon/operation.rb:21:in `ensure_exists!'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/savon-2.7.2/lib/savon/operation.rb:14:in `create'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/savon-2.7.2/lib/savon/client.rb:32:in `operation'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/savon-2.7.2/lib/savon/client.rb:36:in `call'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/responsys-api-0.0.5/lib/responsys/api/client.rb:62:in `run'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/responsys-api-0.0.5/lib/responsys/api/session.rb:5:in `login'
    from /Users/evantahler/.rbenv/versions/2.0.0-p247/lib/ruby/gems/2.0.0/gems/responsys-api-0.0.5/lib/responsys/api/client.rb:29:in `initialize'
...
florrain commented 10 years ago

Hey Evan,

I thought SSLv3 was activated by default but apparently not; if I set it and call Responsys, I have the same error. However, if the ssl_version is not set, it works fine. Same with the option set to TLSv1: it works. Same for you?

I have two comments:

Thanks again.

evantahler commented 10 years ago

Interesting! We are getting those errors without that parameter supplied at all. Would you mind sharing which endpoint you have? We are on ws5.responsys.net.

To us, setting :ssl_version is a requirement. That's why I thought it might be best to make this a 'secret' option.

I'll update the spec and readme in the meantime

evantahler commented 10 years ago

tests + readme updated.

dandemeyere commented 10 years ago

Thanks for helping us out with this Evan. We've reached out to our Responsys technical rep with a couple of questions pertaining to this (and other API issues we've experienced) that we'd like clarity on and then we'll get to work on testing this and merging it in.

evantahler commented 10 years ago

FYI, this change along with https://github.com/dandemeyere/responsys-api/issues/10 have us up and working successfully in production.

florrain commented 9 years ago

Okay moving on. TLS is better security these days than SSL.

Thanks for your implication and the changes @evantahler!

I'll :sheep: it and bump the version in the next minutes.
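The failure mode discussed in this thread, reproduced on loopback as an added example (not code from this pull request or from responsys-api): a client that makes a single handshake attempt fails when the versions it offers sit below the server's floor, and succeeds once its configured range overlaps. It uses Ruby's standard `openssl` library rather than Savon; because default OpenSSL builds no longer include SSLv3, TLS 1.1 and TLS 1.2 stand in for SSLv3 and TLSv1, and `loopback_identity` and `try_handshake` are hypothetical helper names.

```ruby
require "openssl"
require "socket"

# Throwaway self-signed identity for the loopback server (constructed test data).
def loopback_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# One handshake against a local server whose protocol floor is TLS 1.2.
# client_max: highest version the client may offer (nil = library default).
# Returns [:ok, negotiated_version] or [:failed, error_message].
def try_handshake(client_max)
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.max_version = client_max if client_max
  # Verification is off only because the peer is the throwaway loopback cert.
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert, sctx.key = loopback_identity
  sctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(listener.accept, sctx).accept
  rescue StandardError
    nil # the server side of a rejected handshake raises as well
  end
  tcp = TCPSocket.new("127.0.0.1", listener.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, cctx)
  ssl.connect # a single attempt; nothing retries with another version
  [:ok, ssl.ssl_version]
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  [:failed, e.message]
ensure
  tcp&.close
  server&.join(5)
  listener&.close
end

if __FILE__ == $PROGRAM_NAME
  p try_handshake(OpenSSL::SSL::TLS1_1_VERSION) # client capped below the floor
  p try_handshake(nil)                          # client range overlaps the floor
end
```

The exact error text in the failing case depends on the local OpenSSL build and its security-level configuration.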