I am trying to access Salesforce.com via SOAP (using their enterprise.wsdl, attached). I have gotten to the point where I can login and make some requests, but every time I try to query an object I get this message: "Certificate extension Security.X509.BasicConstraints should be critical". I have no idea what that means. Can anyone help?

I have attached the WSDL for reference purposes (which is freely available from their website).

One side note is that nothing worked until I added Salesforce's certificates to Security.X509.X509Registry.

--
Jason Rogers

"Where there is no vision, the people perish..."
Proverbs 29:18

Jason Rogers wrote:
> I am trying to access Salesforce.com via SOAP (using their
> enterprise.wsdl, attached). I have gotten to the point where I can
> login and make some requests, but every time I try to query an object
> I get this message: "Certificate extension
> Security.X509.BasicConstraints should be critical". I have no idea
> what that means.

This is the ExtensionShouldBeCritical notification, that is raised to warn about a violation of the X509 specification, which prescribes exactly what the message says. Note however that this is just a Notification which are normally simply ignored so you must have a handler around your code that explicitly catches X509Notifications (or any superclass) to even see this message.

I looked at the certificate presented by 'https://www.salesforce.com/' and it does indeed look like their certificate is not created properly (the extension is not marked as critical) so the warning is correct, although most likely you can just ignore it in this case (or modify your exception handlers accordingly). It is interesting to see that even in 2005 the VeriSign Trust Network is still able to issue a certificate with such errors.

> One side note is that nothing worked until I added Salesforce's
> certificates to Security.X509.X509Registry.

That's just the nature of certificate based authentication in SSL. I suggest you read the SSL introduction in the Security guide in the doc/ directory. These are important aspects of proper use of SSL. Note that it's not the Salesforce's certificate that belongs into that registry but rather the root CA certificate of its certificate chain which is the VeriSign Class 3 certificate.

HTH,

Martin

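As an added illustration (not part of the thread, and Python rather than VisualWorks code): the criticality flag the notification refers to is an optional BOOLEAN inside each DER-encoded extension, and DER omits it entirely when it is false. The code below walks an Extensions list and reports the flag per extension; the sample bytes are constructed by hand and are not Salesforce's certificate, and all function names are hypothetical.

```python
# Added example: read the "critical" flag of each extension in a DER-encoded
# X.509 Extensions list. All sample bytes are constructed by hand.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19
KEY_USAGE = bytes.fromhex("551d0f")          # OID 2.5.29.15

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def extension_criticality(extensions_der):
    """Map each extnID (raw OID bytes) to its critical flag."""
    tag, body, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    flags, pos = {}, 0
    while pos < len(body):
        tag, ext, pos = read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        oid_tag, oid, nxt = read_tlv(ext, 0)
        if oid_tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        # critical is BOOLEAN DEFAULT FALSE, so DER leaves it out when false
        # and the next element is then the OCTET STRING extnValue.
        nxt_tag, value, _ = read_tlv(ext, nxt)
        flags[oid] = nxt_tag == 0x01 and value != b"\x00"
    return flags

# Constructed sample: basicConstraints without the flag, keyUsage with it.
SAMPLE = bytes.fromhex(
    "301b"
    "3009" "0603551d13" "04023000"
    "300e" "0603551d0f" "0101ff" "0404030205a0"
)
# The same basicConstraints extension with critical = TRUE (0101ff) added.
FIXED = bytes.fromhex("300e" "300c" "0603551d13" "0101ff" "04023000")

if __name__ == "__main__":
    for name, der in (("sample", SAMPLE), ("fixed", FIXED)):
        print(name, extension_criticality(der)[BASIC_CONSTRAINTS])
```
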
Martin,

That is an excellent explanation. Thank you very much. I will read the docs.

On 7/10/06, Martin Kobetic <[hidden email]> wrote:
> Jason Rogers wrote:
>
> > I am trying to access Salesforce.com via SOAP (using their
> > enterprise.wsdl, attached). I have gotten to the point where I can
> > login and make some requests, but every time I try to query an object
> > I get this message: "Certificate extension
> > Security.X509.BasicConstraints should be critical". I have no idea
> > what that means.
>
> This is the ExtensionShouldBeCritical notification, that is raised to
> warn about a violation of the X509 specification, which prescribes
> exactly what the message says. Note however that this is just a
> Notification which are normally simply ignored so you must have a
> handler around your code that explicitly catches X509Notifications (or
> any superclass) to even see this message.
>
> I looked at the certificate presented by 'https://www.salesforce.com/'
> and it does indeed look like their certificate is not created properly
> (the extension is not marked as critical) so the warning is correct,
> although most likely you can just ignore it in this case (or modify your
> exception handlers accordingly). It is interesting to see that even in
> 2005 the VeriSign Trust Network is still able to issue a certificate
> with such errors.
>
> > One side note is that nothing worked until I added Salesforce's
> > certificates to Security.X509.X509Registry.
>
> That's just the nature of certificate based authentication in SSL. I
> suggest you read the SSL introduction in the Security guide in the doc/
> directory. These are important aspects of proper use of SSL. Note that
> it's not the Salesforce's certificate that belongs into that registry
> but rather the root CA certificate of its certificate chain which is the
> VeriSign Class 3 certificate.
>
> HTH,
>
> Martin
>

--
Jason Rogers

"Where there is no vision, the people perish..."
Proverbs 29:18