Closed wkoszek closed 7 years ago
@wkoszek Sure.
I'm not really sure why it does not handle self signed cert. Is that by design or just a flaw on its implementation? I would like to know a maintainer's opinion about this before we dive into the changes.
@plribeiro3000 We need to add code to do @http.verify_mode = ... for us. It should be somewhere here:
https://github.com/ruby/xmlrpc/blob/master/lib/xmlrpc/client.rb#L115
When you create an HTTPS connection, you must use two things: the Net::HTTP module to provide HTTP functionality and the OpenSSL module for SSL functionality. There are more modes of verification in SSL: this is what verify_mode does.
Example: https://github.com/augustl/net-http-cheat-sheet/blob/master/ssl_and_https.rb
We miss this piece.
Got it. Your proposal makes sense to me. What is not clear to me is how other people use xmlrpc if it does not support custom signed certificates?
Did anyone have this problem before?
@plribeiro3000 People had this problem before, and they hack around, instead of fixing it properly. Essentially what I did locally, and what @NeilHanlon mentioned they do too. You just monkey-patch.
Links
https://stelfox.net/blog/2012/02/rubys-xmlrpc-client-and-ssl/ http://stackoverflow.com/questions/4748633/how-can-i-make-rubys-xmlrpc-client-ignore-ssl-certificate-errors
Well, it's about time to fix it then. =)
Right now we have no way of letting XMLRPC know that the cert would be self-signed.
This is not completely true. The bugreport at https://bugs.ruby-lang.org/issues/8461 has provided a solution:
c = XMLRPC::Client.new(....)
c.http.verify_mode = OpenSSL::SSL::VERIFY_NONE
While I agree this solution is far from optimal (did anyone say Demeter?), it's not exactly "no way".
Awesome @herwinw. That's the exact kind of feedback I was trying to get. I just could not believe no one stumbled upon this before. =)
@wkoszek This does solve your issue with xmlrpc, right?
@plribeiro3000 The fix was merged in 2013, the linked blog post is from 2012, the stackoverflow article from 2011 (but has a more recent comment with the same suggestion). And since not many people use the xmlrpc lib (which I think is a good thing, the protocol is pretty terrible), the fixes are not something that many people will blog about, making it harder to find the solutions.
@herwinw Thank you for the explanation. =)
At least now we have github issues to ask questions asynchronously and leave the answers so other people can find them more easily.
Thank you again!
@herwinw You're right, I'm wrong.
I got confused, since I didn't notice in time that attr_reader is defined after it's used. I'm used to seeing it right after the function is defined.
@wkoszek Do you think we can now solve your problem on fog-xml?
This issue is tied to https://github.com/fog/fog-xenserver/pull/68

fog is the Ruby library for starting/stopping/and controlling VMs. XenServer, the Citrix product, has a plugin called fog-xenserver. It uses ruby/xmlrpc. It fails to connect to the new instance of XenServer, because its certificate is self-signed. Right now we have no way of letting XMLRPC know that the cert would be self-signed. My suggestion is to use the following logic, which will change ruby/xmlrpc minimally:

use_ssl == true: enable SSL, normal SSL certificate validation
use_ssl == false: no SSL
use_ssl == -1: enable SSL, patched workaround for ignoring exception for self-signed cert.

A more elegant way would be to just add verify_mode and for each of VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE, VERIFY_FAIL_IF_NO_PEER_CERT have "none", "peer", "client_once", "fail_if_no_peer_cert".

@plribeiro3000 Let's discuss changes here, so that we can decide what's the best way to enable self-signed certs.