Self signed SSL certificates do not work

Question

Self signed SSL certificates do not work

georgescumihai opened this issue 6 years ago · 12 comments

starting the pact-mock-service with --ssl will create a self signed certificate, which will be discarded by PactVerificationService, because it is using a session without a delegate, so it is not handling didReceiveAuthenticationChallenge.
To reproduce the issue,

change the start script to use --ssl option
change the base URL of the mockService to "https://localhost"
run the tests.

Possible solution will be to expose the authentication challenge or just a simple bool on the PactVerificationService to allow all insecure certificates.

PactVerificationService


var allowInsecureCertificates: Bool = false


public func urlSession(_ session: URLSession,
                           didReceive challenge: URLAuthenticationChallenge,
                           completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {

        guard allowInsecureCertificates,
             challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust,
            let serverTrust = challenge.protectionSpace.serverTrust else {
                completionHandler(.performDefaultHandling, nil)
        }

        let proposedCredential = URLCredential(trust: serverTrust)
        completionHandler(URLSession.AuthChallengeDisposition.useCredential, proposedCredential)
    }

Answer 1 · 2019-08-18T23:02:17.000Z

@georgescumihai Thanks for reporting! I suspect we should have an option on the MockService to use ssl (defaulting to false, and could also switch the url the PactVerificationService is using). I don't have a lot of spare time at the moment, so it might take a while to get around to making the change. PR's welcome :-D

Answer 2 · 2019-08-21T07:51:10.000Z

Honestly I'm not sure why we support SSL for this at all (saying this even though I've added it to Pact JS and others). Can you elaborate on your use case? Might just help us understand if it's something we want to keep and continue supporting.

I've never had the need, and can't see how it helps increase confidence in an integration.

Answer 3 · 2019-08-21T07:54:29.000Z

haha @mefellows, I was wondering the same and looked at pactjs for guidance :-)

Answer 4 · 2019-08-21T07:55:06.000Z

Rookie mistake, never look at JS for guidance on anything 😬

Answer 5 · 2019-08-21T08:23:55.000Z

In our use case, we are computing a hash out of the url, which is included in the http request, so not having https, will make the hash not match with the one computed by the server, and all the api calls will fail.
The server is only working on https at this moment.

Maybe it is not the most common use case, in an ideal case, it should also work on http, so this would not be necessary.

Answer 6 · 2019-08-21T08:25:21.000Z

So can you not a) have the server configurable (i.e. allow an http URL) or b) not include the scheme in the hashing?

Answer 7 · 2019-08-21T08:27:35.000Z

a) at this point not
b) is totally not doable, not only 1 client, other platforms as well, a breaking change

If you do not intend to have this functionality, I can close the PR and we can close this issue.
We still have our fork for this change and will probably work for now.

Answer 8 · 2019-08-21T10:10:18.000Z

Fair enough. I guess when you have a large number of people/companies/use-cases, all roads lead to more features :)

I'm satisfied.

Answer 9 · 2020-02-04T22:49:23.000Z

Was this issue resolved with the already merged PR #74?

Answer 10 · 2020-02-06T04:55:13.000Z

It was, but was overwritten with the next PR 🤕
It is re-introduced with PR #82 and #84

Answer 11 · 2020-02-16T22:09:44.000Z

@georgescumihai @andrewspinks I believe this issue can now finally be closed having expanded implementation and tests merged into master.

Answer 12 · 2020-02-17T09:28:40.000Z

Yes, can be closed.