Hi!
Thank you for being able to join the discussion!
I have been porting a simple SOAP client from nodejs to Haskell. The Node
version uses the simple soap library and is configured to authenticate with
certificate+key such as this:
client.setSecurity(new soap.ClientSSLSecurity(
    'cert/yksityisavaintesti.pem',
    'cert/uusiTesti.pem',
));
Both files contain ---BEGIN---END style base64 encoded stuff. A certificate
and a key (RSA). Having read the source code, the system is expecting PEM
files, so that should be ok. Should the yksityisavaintesti.pem file hold
the whole certificate chain from my certificate "up to" the root and if so,
should the certificates be listed in any specific order in the PEM file? In
some documents it said that the key should be in the file as well? I am
referring to the implementation in Network.SOAP.Transport.HTTP.TLS.
After two weeks' research on Haskell there seems to be no way to make this
work - there is a lot of discussion though and libraries such as SOAP.TLS
etc. But I have not seen anyone with a working solution yet, including
myself.
Ciphers are set fine and the secure communications channel gets
established. When it comes time to send the actual SOAP message itself the
server says that the certificate is not found/available.
I assume that the client certificate is somehow not sent along with the
SOAP request.
If I use this library: Network.SOAP.Transport.HTTP.TLS the ciphers are not
set.
So, I reused the code and set the ciphers by rewriting some parts of
makeSettings. We are talking about the makeSettings interface/function:
mgr <- makeSettings (Just cert') (Just key') validateDefault...
If I use getSystemCertificateStore "approach" ( sharedCAStore... ), I can
get the communications channel up and the server's certificate is checked
as expected. I can also make things work out by not using
getSystemCertificateStore but just ignoring the check and letting
onServerCertificate return an empty array.
The certificate and the key are used for authentication only, not for
signing etc. For the nodejs version everything works fine and I think for
the node version it does not check for the server certificate by default. Here
it is: https://github.com/vpulim/node-soap - ClientSSLSecurity section of
the document. Maybe the Haskell version is meant for different things
altogether? Maybe it should not even do the same thing as the nodejs
version does? Maybe the validateDefault function changes something?
I wonder how the X509 (using OS specific certificate store) and the
aforementioned approach with ..HTTP.TLS work together? I would assume that
if I use the x509 store, the system would rely on that? Do we still need to
load credentials manually with credentialsLoadX509, or how do these
things/libraries/functions work together, or are they "separate designs"
from the very beginning? How about callbacks? I assume when we use the OS cert
store the ServerCert callback automatically checks what's in the store and
that's what the documentation says, too.
But what about the certificate request callback? Would that be the key to
get things working or am I totally lost? Maybe I am, but maybe I am not
alone :D
Regards
Juuso
--
You received this message because you are subscribed to the Google Groups
"Commercial Haskell" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/commercialhaskell/c8177fcd-1f96-4692-b159-a1d005398173n%40googlegroups.com.
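Added example (not code from the post above and not from the soap/soap-tls packages): the certificate request callback asked about above is what makes the tls library hand the client certificate to the server, and this shows it wired together with the OS trust store and explicit ciphers. It assumes the tls 1.5-era API with http-client-tls, connection, x509-system and data-default-class; the host and file paths are placeholders.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module ClientCertTLS (mkClientCertManagerSettings) where

import Data.Default.Class (def)
import Data.X509.Validation (validateDefault)
import Network.Connection (TLSSettings (..))
import Network.HTTP.Client (ManagerSettings)
import Network.HTTP.Client.TLS (mkManagerSettings)
import Network.TLS
    ( ClientHooks (..), ClientParams (..), Shared (..), Supported (..)
    , credentialLoadX509, defaultParamsClient )
import Network.TLS.Extra.Cipher (ciphersuite_default)
import System.X509 (getSystemCertificateStore)

-- Assumed file layout (example, not from the post):
--   certFile: PEM holding the client certificate first, then any
--             intermediates (leaf first; the root is not needed); no key inside.
--   keyFile:  PEM holding only the matching, unencrypted private key.
mkClientCertManagerSettings
    :: String -> FilePath -> FilePath -> IO ManagerSettings
mkClientCertManagerSettings host certFile keyFile = do
    -- Credential = (CertificateChain, PrivKey); an unparsable file or a
    -- cert/key mismatch fails here instead of as an opaque handshake error.
    cred    <- either fail return =<< credentialLoadX509 certFile keyFile
    caStore <- getSystemCertificateStore
    let hooks = def
            { -- The client certificate is only sent if the server issues a
              -- CertificateRequest and this hook answers it. The default hook
              -- returns Nothing, i.e. an empty certificate list, which is what
              -- the server then reports as "certificate not available".
              onCertificateRequest = \_ -> return (Just cred)
              -- Keep validating the server's chain against the OS store;
              -- a hook that returns [] disables that check entirely.
            , onServerCertificate  = validateDefault
            }
        params = (defaultParamsClient host "")
            { clientShared    = def { sharedCAStore = caStore }
            , clientHooks     = hooks
            , clientSupported = def { supportedCiphers = ciphersuite_default }
            }
    return (mkManagerSettings (TLSSettings params) Nothing)
```

Pass the result to http-client's newManager and give that Manager to the SOAP transport; whether the server actually sends a CertificateRequest during the handshake can be confirmed with `openssl s_client -msg`.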