TLS Soap


Ideal Learning

Jun 22, 2021, 11:21:05 AM
to Commercial Haskell
Hi!

Thank you for being able to join the discussion!

I have been porting a simple SOAP client from nodejs to Haskell. The Node version is using the simple soap library and is configured to authenticate with certificate+key such as this:

// node-soap ClientSSLSecurity(key, cert, ...): private key file first, then certificate file
client.setSecurity(new soap.ClientSSLSecurity(
    'cert/yksityisavaintesti.pem',
    'cert/uusiTesti.pem',
));

Both files contain ---BEGIN---END style base64 encoded stuff. A certificate and a key (RSA). Having read the source code, the system is expecting PEM files, so that should be ok. Should the yksityisavaintesti.pem file hold the whole certificate chain from my certificate "up to" the root and, if so, should the certificates be listed in any specific order in the PEM file? In some documents it said that the key should be in the file as well? I am referring to the implementation in Network.SOAP.Transport.HTTP.TLS.

After two weeks' research on Haskell there seems to be no way to make this work - there is a lot of discussion though and libraries such as SOAP.TLS etc. But I have not seen anyone with a working solution yet, including myself. 

Ciphers are set fine and the secure communications channel gets established. When it comes time to send the actual SOAP message itself the server says that the certificate is not found/available. 

I assume that the client certificate is somehow not sent along with the SOAP request.

If I use this library: Network.SOAP.Transport.HTTP.TLS, the ciphers are not set.

So, I reused the code and set the ciphers by rewriting some parts of makeSettings. We are talking about the makeSettings interface/function: mgr <- makeSettings (Just cert') (Just key') validateDefault...

If I use the getSystemCertificateStore "approach" (sharedCAStore...), I can get the communications channel up and the server's certificate is checked as expected. I can also make things work out by not using getSystemCertificateStore but just ignoring the check and letting onServerCertificate return an empty array.

The certificate and the key are used for authentication only, not for signing etc. For the nodejs version everything works fine, and I think the node version does not check the server certificate by default. Here it is: https://github.com/vpulim/node-soap - ClientSSLSecurity section of the document. Maybe the Haskell version is meant for different things altogether? Maybe it should not even do the same thing as the nodejs version does? Maybe the validateDefault function changes something?

I wonder how the X509 (using the OS specific certificate store) and the aforementioned approach with ..HTTP.TLS work together? I would assume that if I use the x509 store, the system would rely on that? Do we still need to load credentials manually with credentialLoadX509, or how do these things/libraries/functions work together, or are they "separate designs" from the very beginning? How about callbacks? I assume when we use the OS cert store the ServerCert callback automatically checks what's in the store, and that's what the documentation says, too.

But what about the certificate request callback? Would that be the key to get things working or am I totally lost? Maybe I am, but maybe I am not alone :D

Regards

Juuso
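An added example (not code from this thread, from the soap package or from node-soap) showing how the pieces asked about fit together in the tls / http-client-tls stack: the OS store loaded with getSystemCertificateStore feeds server validation through sharedCAStore and the default onServerCertificate, while the client certificate and key loaded with credentialLoadX509 are handed to the server from onCertificateRequest during the TLS handshake, not inside the SOAP body. It assumes the tls 1.x-style ClientParams record with Default instances; the host name and file paths are placeholders.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example: assemble ClientParams for mutual TLS and wrap them in an
-- http-client Manager. Packages assumed: tls, x509-system, connection,
-- http-client, http-client-tls, data-default-class.
module Main (main) where

import Data.Default.Class (def)
import Network.Connection (TLSSettings (..))
import Network.HTTP.Client (Manager, newManager)
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.TLS
import Network.TLS.Extra.Cipher (ciphersuite_default)
import System.X509 (getSystemCertificateStore)

-- certFile: PEM with the client (leaf) certificate first, followed by any
-- intermediates; keyFile: PEM with the private key only.
mkClientParams :: HostName -> FilePath -> FilePath -> IO ClientParams
mkClientParams host certFile keyFile = do
  store <- getSystemCertificateStore               -- OS trust anchors for the server cert
  cred  <- either fail return =<< credentialLoadX509 certFile keyFile
  let base = defaultParamsClient host ""           -- "" = no extra service identifier
  return base
    { -- tls 1.x ships an empty cipher list by default, so set one explicitly
      clientSupported = def { supportedCiphers = ciphersuite_default }
      -- server chain is validated against this store by the default
      -- onServerCertificate hook (validateDefault)
    , clientShared    = def { sharedCAStore = store }
      -- the server's CertificateRequest is answered here; the argument carries
      -- the acceptable CA names, which a stricter hook could inspect first
    , clientHooks     = def { onCertificateRequest = \_ -> return (Just cred) }
    }

-- A Manager built from these params presents the client certificate on every
-- connection it opens, so any http-client based SOAP transport can use it.
mkTlsManager :: ClientParams -> IO Manager
mkTlsManager params = newManager (mkManagerSettings (TLSSettings params) Nothing)

main :: IO ()
main = do
  params <- mkClientParams "soap.example.test" "cert/client-cert.pem" "cert/client-key.pem"
  _mgr   <- mkTlsManager params
  putStrLn "TLS manager with client credential ready"
```

If onCertificateRequest is never invoked, the server did not send a CertificateRequest on that connection, so checking the server-side handshake configuration is the first step.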

Ideal Learning

Jun 23, 2021, 2:17:35 AM
to Commercial Haskell
I think I need to construct body and header from scratch instead of using the more specialized libraries as there is a need to manipulate the header for the proper content type  application/xop+xml for the "outer" part of the message (MTOM) with attachments. It may well be that this is the reason for the server complaining "not finding a certificate" or not. 

Quite a challenge anyway to find the right libraries for the job, but will get there eventually :) 

Ideal Learning

Jun 23, 2021, 10:21:02 AM
to Commercial Haskell
It looks as if onCertificateRequest (hook) callback is never called. Is there somebody using the API with success? onServerCertificate is called as expected. If it is not called then very likely the server never receives it. 

Regards

Juuso