Handling SSL certificates during SOAP4R calls

February 2nd, 2010

I ran into a problem recently with a SOAP call that was being made from one of our Ruby applications.  Apparently, something had changed with the SSL certificate at the service endpoint, as we were receiving the following error:

at depth 0 – 20: unable to get local issuer certificate

OpenSSL::SSL::SSLError: certificate verify failed

Now, nothing had changed in our code, which was very simple — all of the details about service location and methods available are in the service’s WSDL file.  The method that was blowing up simply created the connection to an HTTPS SOAP service and then called a method on the endpoint, like so:

def status
  # Read WSDL and create driver
  driver = SOAP::WSDLDriverFactory.new(WSDL_URI).create_rpc_driver

  # SOAP headers, basic auth credentials, etc.
  driver.headerhandler << HeaderHelper.new

  # Make SOAP call
  driver.GetStatus
end

After doing some research, it was pretty clear that we were getting the error because the certificate being presented by the server was issued by someone that wasn’t in our trusted store.  More specifically, it was signed using an intermediate certificate (or “chained” certificate) that was then linked to a trusted certificate.

There are two ways to fix this problem.  The first way is the fastest, which is a plus if you need to get this issue solved immediately, or you’re only writing a test wrapper anyway.  Add the following line:

def status
  # Read WSDL and create driver
  driver = SOAP::WSDLDriverFactory.new(WSDL_URI).create_rpc_driver

  # Disable certificate verification (quick fix, see the caveat below)
  driver.options['protocol.http.ssl_config.verify_mode'] = OpenSSL::SSL::VERIFY_NONE

  # SOAP headers, basic auth credentials, etc.
  driver.headerhandler << HeaderHelper.new

  # Make SOAP call
  driver.GetStatus
end

By setting VERIFY_NONE, you’re telling the SSL client to ignore the certificate sent by server.  The issue here is that, well, you’re ignoring the certificate sent by the server.  As any security advocate will tell you, encryption without authentication is no security at all.

The longer, but correct, way to fix this issue is to figure out what intermediate certificates you are missing and then include them in your web application.  This is often as simple as visiting the issuer’s HTTPS website and examining the certificate chain.  (In Firefox: double-click the lock icon, click View Certificate and then select the Details tab.)

In our case, I was able to do exactly that.  I exported all the certificates below the root cert into the lib folder and added the following lines:

def status
  # Read WSDL and create driver
  driver = SOAP::WSDLDriverFactory.new(WSDL_URI).create_rpc_driver

  # Trust the issuer's chain: each assignment adds another CA file
  driver.options['protocol.http.ssl_config.ca_file'] = 'lib/signing_cert.pem'
  driver.options['protocol.http.ssl_config.ca_file'] = 'lib/intermed_cert.pem'

  # SOAP headers, basic auth credentials, etc.
  driver.headerhandler << HeaderHelper.new

  # Make SOAP call
  driver.GetStatus
end

The call now worked perfectly.  Note that you can set the ca_file option as many times as you need to include multiple certificate files, although generally you should only need one, as typically an issuer will use only one intermediate certificate.

Note that this code doesn’t do any validation of the server’s certificate itself.  If you’d like to do this as well, please check out this SOAP4R wiki entry.
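To make the failure and the fix concrete without a live SOAP endpoint, here is an added example that is not part of the original post and does not use SOAP4R at all. It builds a throwaway chain (a constructed "Example Root CA", an "Example Intermediate CA" and a leaf for the made-up host soap.example.test) in memory with Ruby's bundled OpenSSL library, then runs the same path-building check that the TLS handshake performs under VERIFY_PEER: once with only the root trusted and no intermediate (the "unable to get local issuer certificate" error from the post), once with the intermediate supplied by the server, once with the intermediate exported to a PEM file and loaded into the client's store (which is what the ca_file option does), and once against a self-signed stranger that claims the same host name, to show what VERIFY_NONE would have let through. All function names and certificate names here are the example's own.

```ruby
require 'openssl'
require 'tempfile'

# Added example, not code from the original post. Every key, name and
# certificate below is constructed on the fly; nothing is read from disk
# and no real CA is involved.

def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', 'DNS:soap.example.test'))
  end
  # A self-signed root signs itself; everything else is signed by its issuer.
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Root -> intermediate -> leaf, the shape of the chain described in the post.
def build_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Root CA', root_key, nil, nil, 1, ca: true)
  intermediate = make_cert('/CN=Example Intermediate CA', int_key, root, root_key, 2, ca: true)
  leaf = make_cert('/CN=soap.example.test', leaf_key, intermediate, int_key, 3, ca: false)
  { root: root, intermediate: intermediate, leaf: leaf }
end

# The path-building check OpenSSL runs during a handshake with VERIFY_PEER.
# `trusted` is the client's CA store; `presented` is whatever the server sent
# alongside its own certificate. Returns [ok, error_string].
def verify_leaf(leaf, trusted, presented = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Mirrors the post's fix: the missing intermediate is exported to a PEM file
# and loaded into the trust store by path, as ssl_config.ca_file does.
def verify_leaf_with_ca_file(leaf, root, ca_file_path)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.add_file(ca_file_path)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

if __FILE__ == $0
  chain = build_chain
  # Root trusted, server sends only its leaf: the error from the post.
  p verify_leaf(chain[:leaf], [chain[:root]])
  # Root trusted, server sends leaf + intermediate: a well-configured server.
  p verify_leaf(chain[:leaf], [chain[:root]], [chain[:intermediate]])
  # Root trusted, intermediate added from a PEM file on the client side.
  Tempfile.create(['intermed_cert', '.pem']) do |f|
    f.write(chain[:intermediate].to_pem)
    f.flush
    p verify_leaf_with_ca_file(chain[:leaf], chain[:root], f.path)
  end
  # A self-signed certificate for the same host name, as an impostor would
  # present: rejected with VERIFY_PEER, accepted blindly with VERIFY_NONE.
  stranger = make_cert('/CN=soap.example.test', OpenSSL::PKey::RSA.new(2048), nil, nil, 9, ca: false)
  p verify_leaf(stranger, [chain[:root]])
end
```

The first call reproduces error 20 at depth 0 exactly as the post's log shows it, and the last one is the point of the VERIFY_NONE caveat: with verification off, the impostor's certificate would be accepted just as readily as the real one. Note that the third case trusts the intermediate outright by putting it in the store, which is what ca_file does; the second case is the cleaner situation, where the server sends its intermediate and only the root needs to be trusted.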

CSS Keyboards

October 9th, 2009

New CSS Experiment: CSS Keyboards.

Fixing List Whitespace in IE

October 8th, 2009

After having been annoyed yet again by this issue, I thought I would do a quick write-up on it on my site.  If you are dealing with an issue in IE where a ul/li list has extra vertical whitespace that you can’t get rid of, check it out.

Fixing List Whitespace in IE

An Unusual Paragraph

September 30th, 2009

This paragraph is truly unusual.  Look as long and hard as you can, and you will find out why.  Although my gimmick is not obvious, all of you can find it, without any particular skills or schooling.  If you don’t find anything odd at first, don’t worry!  You can think about it a bit and still find a solution.

What is so unusual about this paragraph?

Solution
The letter e is the most common letter in the English language.  There is no letter e anywhere in the paragraph.

(As a side note: this solution box contains twenty-two es.)

Notes
This puzzle and many variations can be found all over the internet.  Unfortunately, once you’ve solved one, you’ve solved them all.

Three Wise Men

September 30th, 2009

A bored king wanted to find out which of his advisers was the wisest, so he summoned his three oldest wise men.

“I am going to sit you in a triangle and blindfold each one of you,” he said, “and paint either a red or a blue dot on your foreheads.  I will then take the blindfolds off, and if you see at least one red dot, you will raise your hand.  The first man to determine the color of his own dot is the wisest.”

The king then blindfolded them and painted a red dot on each man’s forehead.  When the blindfolds were taken off, all three looked at each other and raised their hands.

Ten seconds later one of the wise men proclaimed, “I have a red dot.”

How did he know?

Solution
His thinking was as follows: “If I had a blue dot, the man to my right would see only one red dot, on the forehead of the man to my left.  However, the man to my left raised his hand, so the man to my right would immediately know that his own dot was red.  The same logic would be used by the man on my left.  Neither of them have announced anything, so my own dot must be red.”

Notes
Like many hat puzzles, this puzzle suffers from the “fairness problem”: if our wisest man had indeed been given a blue dot, he would never have been able to win the contest.  For that reason alone, you could argue that his own red dot should be obvious.

Of course, the puzzle doesn’t claim that the king is fair — just bored.

The Perfectly Logical Being

September 29th, 2009

The “perfectly logical being” (PLB) is both the title of my blog and one of my favorite concepts.  Since they are found primarily in logic puzzles, they are never sitting around watching TV or enjoying a cookout.  Instead, they spend their time dividing up cakes that are too small at parties that are too large, narrowly avoiding executions by picking the right colored hat, and trying to weigh ten friends at once without a scale.

What are the attributes of a PLB?  The book How Would You Move Mount Fuji lists them as follows:

  • One-dimensional motivations
  • Quick-thinking, never mistaken
  • Confident that other PLBs follow the same thought process

Personally, I think perfectly logical beings also tend to fall into two distinct groups: the cutthroats and the altruists.

The cutthroats are found in puzzles where a cake will be divided up and you want the biggest piece, or some of you will die and you want to be a survivor, or you’re vying for first place in a contest.  In these puzzles, the assumption is that every participant has the same goal, the same lack of scruples, and (most importantly) the ability to make deductions about what each other participant will do.

The altruists are the opposite.  They pursue any option that reduces the total suffering of the group, even if it ends with them falling off a bridge or being executed by an insane king.  The altruists are a little like a colony of Vulcans.

Neither type of PLB ever considers cheating or bending the rules.  They never change their answers to help a friend, or lie to hurt an enemy.  In fact, they behave nothing like human beings whatsoever.  In my mind, that’s one of the things that makes logic puzzles so interesting.

Where is the matchmaking?

September 28th, 2009

After having played the Firefight mode in Halo 3: ODST, I’m very disappointed that they weren’t able to include matchmaking.  I’m disappointed because Firefight mode is tons of fun, and the lack of any matchmaking or lobby system means that I won’t get to play nearly as much of it as I would like.

It’s bizarre to me the way people are rationalizing this decision.  Go to any Xbox, Halo, or Bungie forum and you’ll find people complaining.  You’ll also find a boatload of people ready with one of these standard retorts: “we knew about this a long time ago and don’t care”, or “you must suck if you don’t have any friends to play with”.  That last one tends to get followed up with either “you would only want to play Firefight with friends anyway”, or “you can look for friends on this forum and play Firefight with them”.  The contradiction inherent in these two statements should be obvious.

Matchmaking is a huge boon to any game, because it allows you to focus on a singular goal, which in this case is playing a round of 4-player Firefight.  It allows you to accomplish that goal by matching you up with the pool of players around the world that have the same goal, long after all of your own friends have moved on to other games, and all those people you added from the forums (who you never really played with anyway) have stopped playing.  It allows you to take yourself and your cousin from out-of-town at 2:30 in the morning and hop into a 4-player game of Firefight, even though none of your friends are awake.  Is there anyone out there that really thinks this isn’t desirable?  Or, more to the point, expected — especially in a console shooter released in 2009?

I know Bungie told us all about this long ago.  And I know (thanks everybody!) that you can play Firefight mode with friends.  But the lack of matchmaking stops this game from being a “pull off the shelf twice a month for the next two years” purchase, and turns it into a “hold onto until Left 4 Dead 2” rental.

Bummer.