search

iron-io / issues

For Iron.io services issue tracking. Public facing issue tracking for behind the scenes issues.
5 stars 0 forks source link

Mono Environment Requires mozroots #77

Open philipri opened 11 years ago

philipri commented 11 years ago

Currently the Iron Worker mono environment does not have mozroots configured.

See: http://www.mono-project.com/FAQ:_Security

Repro:

  1. Build an Iron Worker which executes: using(WebClient client = new WebClient()) { string result = client.DownloadString("https://www.google.com"); Console.WriteLine(result); }
  2. See the TLS error which results.
  3. Repro this with http://www.google.com as the URL and it pass.

Suggested Fix: Ensure all worker environments has mozroots configured on them (and updated on a regular basis).

Code Workaround: This workaround adds 0 seconds to processing time. But it is NOT secure. Add this code in your app startup (i.e. before you make web requests): ServicePointManager.ServerCertificateValidationCallback = delegate { return true; }; This will force mono to always validate Certificates as being OK. Not great for production but passable for dev environments.

Environment Workaround: This workaround adds approximately 3 seconds to processing time. But it is secure. Switch to a binary runtime in your .worker file Have your .worker file execute a shell Your shell should run mozroots and then execute your mono exe Example:

!/bin/sh

mozroots --import --ask-remove mono your_worker_app.exe "$@"

carimura commented 11 years ago

Thanks for this ticket @philipri .. cc @iced @treeder @rkononov