7

I'm evaluating savon for consuming webservices... but I don't find any information if I can use an SSL client side certificate to authenticate against the server that provides the SOAP webservices. I read the documentation but didn't find anything about it.

Does anyone know if SAVON supports client side certificate authentication?

Regards Fak

Fakada

3 Answers

14

The latest stable version of Savon (2.2.0 at this moment) supports SSL client certificates via global options. Please refer to the SSL section in the documentation.

Here is some example code, assuming httpclient is used with httpi:

savonConfig = {
    :namespace => "http://...com",
    :endpoint => 'https://...:557/x/b/c',
    #:wsdl => 'https://...:557/x/b/c?wsdl',
    :log_level => :debug,
    :log => true,
    # :none turns off verification of the server's certificate
    :ssl_verify_mode => :none,
    :ssl_cert_file => 'publicCert.pem',
    :ssl_cert_key_file => 'privateKey.pem',
    :ssl_cert_key_password => '1234',
    :open_timeout => 600,
    :read_timeout => 600
}

client = Savon.client savonConfig

soapBody = {
...
}


calcResponse = client.call(:charge, :message => soapBody)

If you have a pfx certificate/key file, you may have problems using it directly - so you might want to split them out into separate files - see this page for info: Extract public/private key from PKCS12 file for later use in SSH-PK-Authentification

Hope that helps!
Daniel

rubiii
  • Many thanks, should have realised that those options were for client certs (assumed they weren't as 'client' wasn't mentioned). I presume you need to use httpclient for this to work too... – Chris Kimpton Jun 29 '13 at 18:24
  • HTTP options in Savon version 2 are used to create an [HTTPI::Request](http://httpirb.com/#requests). So it depends on the adapter if this is supported. – rubiii Jun 30 '13 at 13:24
2

We are having issues trying to get savon client to work with ssl client auth but at the same time bypass host verification....

https://github.com/savonrb/savon/issues/679

client = Savon.client(log_level: :debug,
                      log: true,
                      ssl_verify_mode: :none,
                      ssl_cert_file: (Rails.root + 'signed.cer').to_s,
                      ssl_cert_key_file: ('private.key').to_s,
                      wsdl: "https://example.com/Service?wsdl",
                      endpoint: "https://example.com/Service")

fails with Like HTTPI GET request to wir.dhswir.org (net_http) HTTPI::SSLError: SSL_read: ssl handshake failure

no more info..

We have tried savon 2.2.0, 2.3.0, and 2.11.0, with slightly varying error messages.

We are using the same PEM formatted key and cert with savon and using unix WGET to compare. WGET will fail if we don't pass --no-check-certificate, however if we add that it passes and can do ssl client auth and get access

wget 'https://example.com/CDC/VaccinationService?wsdl'  --certificate=example-int-wi-signed.cer --private-key=private.key -O- --no-check-certificate
bjm88
0

Just adding to the previous two answers: if using openssl directly on terminal to extract a .pfx file didn't work for you, then try using this code to break the .pfx in 3 different .pem files:

require 'openssl' # v2.2.0

# A .pfx file is binary, so read it as binary data.
password = "mypassword"
pfx_file = OpenSSL::PKCS12.new(File.binread('path_to_file.pfx'), password)

# The private key is written unencrypted, so create the file owner-only.
File.write("key.pem", pfx_file.key.to_s, perm: 0600)
File.write("cert.pem", pfx_file.certificate.to_s)

# You could choose any of the available CA's, it doesn't need to be the first.
# ca_certs is nil when the .pfx carries no CA certificates.
ca_certs = pfx_file.ca_certs || []
File.write("ca.pem", ca_certs[0].to_s) unless ca_certs.empty?

With this you should be able to fill the ssl globals in Savon without much worries.

João Luca
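An added example, not code from any of the answers above: it splits a .pfx into PEM files with the private key kept passphrase-encrypted and owner-only, then returns the Savon globals named on this page with `ssl_verify_mode: :peer` instead of `:none`. The function names, file names and passwords are hypothetical, the bundle is constructed in memory, and passing the bundled CA as `ssl_ca_cert_file` assumes that CA also issued the server's certificate.

```ruby
require 'openssl'
require 'tmpdir'

# Split a .pfx (PKCS#12) bundle into PEM files under out_dir and return a
# hash of Savon global options that keeps server verification switched on.
def pfx_to_savon_globals(pfx_der, pfx_password, out_dir, key_password)
  p12 = OpenSSL::PKCS12.new(pfx_der, pfx_password)
  unless p12.key && p12.certificate&.check_private_key(p12.key)
    raise ArgumentError, 'bundle lacks a matching key/certificate pair'
  end
  key_path = File.join(out_dir, 'key.pem')
  cert_path = File.join(out_dir, 'cert.pem')
  # Keep the key encrypted at rest; create the file owner-only, never overwrite.
  pem = p12.key.to_pem(OpenSSL::Cipher.new('aes-256-cbc'), key_password)
  File.open(key_path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(pem) }
  File.write(cert_path, p12.certificate.to_pem)
  globals = { ssl_cert_file: cert_path, ssl_cert_key_file: key_path,
              ssl_cert_key_password: key_password, ssl_verify_mode: :peer }
  chain = p12.ca_certs || [] # nil when the bundle carries no CA certificates
  unless chain.empty?
    # Assumption: the bundled CA also issued the server's certificate.
    globals[:ssl_ca_cert_file] = File.join(out_dir, 'ca.pem')
    File.write(globals[:ssl_ca_cert_file], chain.map(&:to_pem).join)
  end
  globals
end

# Constructed certificate for the demo (throwaway, valid for one hour).
def constructed_cert(cn, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Constructed .pfx: a client key/certificate, optionally with its issuing CA.
def constructed_pfx(password, with_ca: true)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = constructed_cert('constructed-ca', ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = constructed_cert('constructed-client', key, ca, ca_key)
  OpenSSL::PKCS12.create(password, 'client', key, cert, with_ca ? [ca] : nil).to_der
end
```

The returned hash can be passed to `Savon.client` together with `wsdl:` or `endpoint:`; with `:peer` the handshake fails unless the server's certificate chains to a trusted CA.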