ruby / xmlrpc

The Ruby standard library package 'xmlrpc'

Bring support for self-signed SSL certificates #9

Closed wkoszek closed 7 years ago

wkoszek commented 7 years ago

This issue is tied to https://github.com/fog/fog-xenserver/pull/68. fog is the Ruby library for starting, stopping and controlling VMs. XenServer, the Citrix product, has a plugin called fog-xenserver. It uses ruby/xmlrpc. It fails to connect to the new instance of XenServer, because its certificate is self-signed.

Right now we have no way of letting XMLRPC know that the cert would be self-signed. My suggestion is to use the following logic, which will change ruby/xmlrpc minimally:

use_ssl == true: enable SSL, normal SSL certificate validation
use_ssl == false: no SSL
use_ssl == -1: enable SSL, patched workaround for ignoring exception for self-signed cert.

A more elegant way would be to just add verify_mode and, for each of VERIFY_NONE, VERIFY_PEER, VERIFY_CLIENT_ONCE, VERIFY_FAIL_IF_NO_PEER_CERT, have "none", "peer", "client_once", "fail_if_no_peer_cert".

@plribeiro3000 Let's discuss changes here, so that we can decide what's the best way to enable self-signed certs.

plribeiro3000 commented 7 years ago

@wkoszek Sure.

I'm not really sure why it does not handle self-signed certs. Is that by design or just a flaw in its implementation? I would like to know a maintainer's opinion about this before we dive into the changes.

wkoszek commented 7 years ago

@plribeiro3000 We need to add code to do @http.verify_mode = ... for us. It should be somewhere here:

https://github.com/ruby/xmlrpc/blob/master/lib/xmlrpc/client.rb#L115

When you create an HTTPS connection, you must use 2 things: the Net::HTTP module to provide you HTTP functionality and the OpenSSL module for SSL functionality. There are more modes of verification in SSL:

This is what verify_mode does.

Example: https://github.com/augustl/net-http-cheat-sheet/blob/master/ssl_and_https.rb

We miss this piece.

plribeiro3000 commented 7 years ago

Got it. Your proposal makes sense to me. What is not clear to me is how other people use xmlrpc if it does not support custom signed certificates? Did anyone have this problem before?

wkoszek commented 7 years ago

@plribeiro3000 People had this problem before, and they hacked around it instead of fixing it properly. Essentially what I did locally, and what @NeilHanlon mentioned they do too. You just monkey-patch.

Links

https://stelfox.net/blog/2012/02/rubys-xmlrpc-client-and-ssl/
http://stackoverflow.com/questions/4748633/how-can-i-make-rubys-xmlrpc-client-ignore-ssl-certificate-errors

plribeiro3000 commented 7 years ago

Well, it's about time to fix it then. =)

herwinw commented 7 years ago

Right now we have no way of letting XMLRPC know that the cert would be self-signed.

This is not completely true. The bug report at https://bugs.ruby-lang.org/issues/8461 has provided a solution:

require 'xmlrpc/client'

c = XMLRPC::Client.new(....)
# the client exposes its Net::HTTP object, so verification can be switched off on it directly
c.http.verify_mode = OpenSSL::SSL::VERIFY_NONE

While I agree this solution is far from optimal (did anyone say Demeter?), it's not exactly "no way".
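As an added example (not code from this thread or from the ruby/xmlrpc project), the snippet below implements the verify_mode names proposed earlier in the thread and applies them to the client's http object the way the workaround above does; the helper names configure_tls, xmlrpc_client, the host and the CA path are assumptions. For a self-signed XenServer certificate it prefers VERIFY_PEER plus a ca_file holding that certificate over VERIFY_NONE, which silently turns off checking for every host.

```ruby
require 'net/http'
require 'openssl'

# Assumed mapping (not ruby/xmlrpc's own API): the string names suggested in the
# issue, resolved to OpenSSL's verify-mode constants. client_once and
# fail_if_no_peer_cert are server-side flags, so they are OR'd with VERIFY_PEER.
VERIFY_MODES = {
  "none"                 => OpenSSL::SSL::VERIFY_NONE,
  "peer"                 => OpenSSL::SSL::VERIFY_PEER,
  "client_once"          => OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_CLIENT_ONCE,
  "fail_if_no_peer_cert" => OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT,
}.freeze

def verify_mode_for(name)
  VERIFY_MODES.fetch(name.to_s) do
    raise ArgumentError, "unknown verify_mode #{name.inspect}; expected one of #{VERIFY_MODES.keys.join(', ')}"
  end
end

# Configure TLS on a Net::HTTP object before it is started. With a self-signed
# server certificate, pass the PEM file of that certificate as ca_file and keep
# verify: "peer": the connection still fails for any other certificate.
def configure_tls(http, verify: "peer", ca_file: nil)
  http.use_ssl = true
  http.verify_mode = verify_mode_for(verify)
  http.ca_file = ca_file if ca_file
  http
end

# Build an XMLRPC::Client over HTTPS and apply the chosen verification to its
# Net::HTTP object (client.http), the same object the workaround in this thread touches.
def xmlrpc_client(host, path, port = 443, verify: "peer", ca_file: nil)
  require 'xmlrpc/client'
  client = XMLRPC::Client.new(host, path, port, nil, nil, nil, nil, true)
  configure_tls(client.http, verify: verify, ca_file: ca_file)
  client
end

if __FILE__ == $0
  # constructed host and CA path; nothing is connected here
  http = configure_tls(Net::HTTP.new("xenserver.example.test", 443),
                       verify: "peer", ca_file: "/etc/ssl/xenserver-selfsigned.pem")
  puts "verify_mode=#{http.verify_mode} ca_file=#{http.ca_file}"
end
```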

plribeiro3000 commented 7 years ago

Awesome @herwinw. That's the exact kind of feedback I was trying to get. I just could not believe no one did stumble upon this before. =)

@wkoszek This does solve your issue with xmlrpc right?

herwinw commented 7 years ago

@plribeiro3000 The fix was merged in 2013, the linked blog post is from 2012, the stackoverflow article from 2011 (but has a more recent comment with the same suggestion). And since not many people use the xmlrpc lib (which I think is a good thing, the protocol is pretty terrible), the fixes are not something that many people will blog about, making it harder to find the solutions.

plribeiro3000 commented 7 years ago

@herwinw Thank you for the explanation. =)

At least now we have GitHub issues to ask questions asynchronously and leave the answers so other people can find them more easily.

Thank you again!

wkoszek commented 7 years ago

@herwinw You're right, I'm wrong.

I got confused, since I didn't notice in time that attr_reader is defined after it's used. I got used to seeing it right after the function is defined.

plribeiro3000 commented 7 years ago

@wkoszek Do you think we can now solve your problem on fog-xml?