Fwd: [twitter-dev] Bad ssl certs on some servers for api.twitter.com/1 ?

[Tim Haines]

Hey Ben and crew,

Is there something I need to do with ASIHTTPRequest to get it nicely accepting the ssl certs that twitter is using on api.twitter.com/1  ?

See thread below fwd'ed from the Twitter dev group.

Cheers,

Tim.

---------- Forwarded message ----------
From: John Adams <j...@twitter.com>
Date: Mon, Nov 16, 2009 at 12:46 PM
Subject: Re: [twitter-dev] Bad ssl certs on some servers for api.twitter.com/1 ?
To: twitter-deve...@googlegroups.com, Tim Haines <tmha...@gmail.com>

On Nov 15, 2009, at 1:16 PM, Tim Haines wrote:

Hi there,

I'm doing some dev work and I'm getting occasional ssl errors when making calls against api.twitter.com/1.  The most recent was posting to favorites/create.

Is it possible some of the servers have bad certificates?  Or is it likely I'm doing something very wrong?

All of our servers have the same certificates; We have had some people report a similar issue before and we verified all of the certificates at that time. I do know of people having validation issues when they don't have current versions of OpenSSL, a current Root CA bundle, or their code has problems processing chained SSL certificates. 

Which program are you using to make requests against api.twitter.com? curl? Firefox?

Twitter's SSL certs are issued by RapidSSL/Equifax. 

Make sure you have the proper root CA certs installed.

If you're using OpenSSL libraries directly, remember that OpenSSL ships without any Root CA certs installed. 

Curl users will have similar problems as well -- you'll want to run mk-ca-bundle to get the proper ca-bundle installed. 

The TTYtter developers have a script that pulls the current CA bundle from Mozilla, here:

http://www.floodgap.com/software/ttytter/mk-ca-bundle.txt

-john

 

[Ben Copsey]

Hi Tim

>
> Is there something I need to do with ASIHTTPRequest to get it nicely accepting the ssl certs that twitter is using on api.twitter.com/1 ?
>
> See thread below fwd'ed from the Twitter dev group.

Someone else reported an issue with seemingly random failures with SSL a month or so ago, it seemed to work some of the time for them, but not always.

Assuming you're seeing something like 'SSL problem (possibily a bad/expired/self-signed certificate)' in your error, to see what the problem is, you could try changing:

reason = [NSString stringWithFormat:@"%@: SSL problem (possibily a bad/expired/self-signed certificate)",reason];

to:

reason = [NSString stringWithFormat:@"%@: SSL problem (possibily a bad/expired/self-signed certificate) Code: %hi",reason,[underlyingError code]];

...in ASHTTPRequest.m (around line 2275 in the latest version), then log [request error].

The meanings of the error codes are defined in SecureTransport.h which is in the Mac SDK, though I think some codes may be different on iPhone OS.

Thanks

Ben

[Tim Haines]

Hi Ben,

Someone from Twitter has since confirmed that some of their servers may be set up incorrectly.

Thanks for the advice on getting more detailed information.

Tim.

--

You received this message because you are subscribed to the Google Groups "ASIHTTPRequest" group.
To post to this group, send email to asihttp...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/asihttprequest?hl=.