XMLRPC against HTTPS endpoints


XMLRPC against HTTPS endpoints

Bob Calco
I am getting RootNotTrusted errors (which force me to click 'proceed' all the time).

I know in the abstract the solution is to suck some certs out of a browser cache and register them locally in my dev image, but I haven't really had the time to focus on that. I thought perhaps just swallowing the warning for now would be the way to go so I can focus on the dev task at hand (I am deliberately obscuring our app id and api key in the following example):

client := XmlRpcClient url: 'https://<ourAppId>.infusionsoft.com/api/xmlrpc'.
args := #('<ourApiKey>' 'Contact' 'optiontypes').
[
  result := client perform: 'DataService.getAppSetting'
    withArguments: args.
] on: Security.X509.RootNotTrusted
  do: [ :ex |
    Transcript show: 'Untrusted!';cr.
    ex resume ].

So I put some exception handling around the call hoping to trap the RootNotTrusted exception and force it to proceed so I didn't have to push the 'proceed' button every time the exception comes up (which will be until I register a cert authority, I gather).

Is this a problem I'm going to have in production as well? I'm running this in a workspace on my Windows dev machine but the app will eventually be deployed to a Linux dedicated server.

I'm going to read the Security Guide again and try to solve it locally by registering whatever I need to, but it was an unexpected obstacle to an otherwise productive morning of coding. :)

- Bob

_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc

Re: XMLRPC against HTTPS endpoints

Boris Popov, DeepCove Labs (SNN)

Bob,

Have a peek at the below links for a solution and extra context,

http://leftshore.wordpress.com/2011/01/28/populating-x509registry/
http://curl.haxx.se/docs/caextract.html
http://www.imperialviolet.org/2012/01/30/mozillaroots.html

-Boris


Re: XMLRPC against HTTPS endpoints

Bob Calco
Thanks, that did the trick!

Am I going to have to lather, rinse, repeat when I push to production? Or when I strip the image for deployment can I somehow keep the registered cert bundle?

(This is my first VW project, I'm still learning the ropes.)

The only question that remains is why did the exception handler not work from the workspace? Why was I still forced to click 'Proceed' and the handler fail to log to the Transcript?

- Bob


Re: XMLRPC against HTTPS endpoints

Boris Popov, DeepCove Labs (SNN)

Bob,

I would recommend maintaining your list of trusted CAs in PEM format in a file or method and loading it on system startup; don’t expect that online resource to always be available.

As for why your exception handler didn’t work, have a look at references to SSLBadCertificate and you’ll find a place where RootNotTrusted gets resignaled, so the below should work instead,

[HttpClient get: 'https://ajax.googleapis.com/ajax/libs/jqueryui/1.8.16/jquery-ui.min.js']
  on: SSLBadCertificate
  do: #proceed

HTH,

-Boris
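
The advice above about keeping the trusted CAs in a local PEM file and loading them at startup, shown as an added example in Python rather than VisualWorks Smalltalk (it is not code from this thread or from VisualWorks). It goes one step beyond the reply by checking each certificate's SHA-256 fingerprint against a pinned set before the bundle would be handed to a trust store, so a modified bundle is refused instead of trusted. `load_pinned_bundle`, `BundleError`, `is_accepted` and the sample data are hypothetical names and constructed values.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


class BundleError(Exception):
    """Raised when the CA bundle must not be loaded."""


def to_pem(der):
    """Wrap DER bytes in PEM armor (used here to build the sample bundle)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


def load_pinned_bundle(pem_text, pinned_sha256):
    """Return the DER blobs in pem_text, or raise BundleError (fail closed)."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        try:
            ders.append(base64.b64decode("".join(body.split()), validate=True))
        except ValueError as exc:  # binascii.Error is a ValueError
            raise BundleError("malformed PEM block") from exc
    seen = {hashlib.sha256(d).hexdigest() for d in ders}
    if seen - pinned_sha256:
        raise BundleError("bundle contains an unpinned certificate")
    if pinned_sha256 - seen:
        raise BundleError("bundle is missing a pinned certificate")
    return ders


# Constructed sample: placeholder bytes stand in for two DER-encoded CA
# certificates; they are not real certificates.
SAMPLE_DERS = [b"constructed-root-ca-one" * 8, b"constructed-root-ca-two" * 8]
SAMPLE_BUNDLE = "".join(to_pem(d) for d in SAMPLE_DERS)
SAMPLE_PINS = {hashlib.sha256(d).hexdigest() for d in SAMPLE_DERS}


def is_accepted(pem_text, pins=SAMPLE_PINS):
    """True if pem_text passes the startup check against the pinned set."""
    try:
        load_pinned_bundle(pem_text, pins)
        return True
    except BundleError:
        return False
```

In a real deployment the pinned fingerprints would be recorded when the bundle is reviewed and shipped with the application, separately from the bundle file itself.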

 
