
"TLS hostname validation is disabled" – Streaming API #543

Open
almonk opened this issue Jun 8, 2020 · 3 comments

Comments


almonk commented Jun 8, 2020

While running EventMachine listening to a streaming PushTopic, I get the following warning printed into the console:

[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details

It's unclear to me where in the dependencies this should be fixed, or whether it can be rectified within restforce itself.

For context, my code is as follows:

```ruby
require 'eventmachine'
require 'restforce'

# @client is a Restforce::Client configured elsewhere in the application.
EM.run do
  Signal.trap("TERM") { EM.stop }
  # Subscribe to the PushTopic; replay: -1 asks only for new events.
  @client.subscription "/topic/topicName", replay: -1 do |message|
    puts message["sobject"]
  end
end
```
@scottserok

@almonk does this issue faye/faye#524 look relevant?

@scottserok

If you've pinned Faye to v0.8.9 then it's my understanding that we don't have any practical options available to ensure certificates are validated during the subscription connection initialization. If not, then update the Faye library to the latest version 1.4 and this warning should go away (I haven't tested this assumption, but this should be true according to Faye's CHANGELOG).

em-http-request is the underlying dependency logging the warning. Here's a snippet of the faye library at v0.8.9 showing how it uses em-http-request. Notice the options variable is hard-coded in the method and doesn't include a tls option.

```ruby
# faye/lib/transport/http.rb#42 (v0.8.9)
def create_request(params)
  version = EventMachine::HttpRequest::VERSION.split('.')[0].to_i
  client  = if version >= 1
              options = {                 # for em-http-request >= 1.0
                :inactivity_timeout => 0  # connection inactivity (post-setup) timeout (0 = disable timeout)
              }                           # no :tls key, so verify_peer stays at its default
              EventMachine::HttpRequest.new(@endpoint, options)
            else
              EventMachine::HttpRequest.new(@endpoint)
            end

  client.post(params)
end
```

One way to confirm locally is to reopen the Faye::Transport::Http class and redefine the create_request method to set the tls option. Restart your streaming server and check the logs. I no longer see those warnings when I test this out.

```ruby
require 'faye'

# Monkey-patch for Faye v0.8.9: same request as upstream, plus peer verification.
module Faye
  class Transport::Http
    def create_request(params)
      options = { inactivity_timeout: 0, tls: { verify_peer: true } }
      EventMachine::HttpRequest.new(@endpoint, options).post(params)
    end
  end
end
```

However, reopening classes you do not own is not a practical solution. The main problem as I understand it is that Restforce's streaming implementation is only known to be compatible with version 0.8.9 of the faye gem. Supporting the latest version of Faye solves the current issue and helps for any future patches to Faye that impact the Streaming API client implementation.
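To make concrete what the warning is about, here is an added example (not code from restforce, faye or em-http-request) written against Ruby's standard openssl library. It runs the same TLS handshake over an in-process socket pair with two client configurations: one with peer verification off, which is the default the warning complains about, and one with VERIFY_PEER plus verify_hostname, which is what the warning's suggested tls: { verify_peer: true } asks for. The CA, the certificates and the hostnames (streaming.example.test, other.example.test) are constructed for the example; modelling em-http-request's two settings as VERIFY_NONE versus VERIFY_PEER-with-hostname-check is an assumption based on the warning text, not on its source.

```ruby
require 'openssl'
require 'socket'

# Constructed hostnames for this example; neither resolves anywhere.
GOOD_HOST  = 'streaming.example.test'  # the host the client intends to reach
OTHER_HOST = 'other.example.test'      # a different host with its own valid cert

# Build an X.509 certificate for the example. With no issuer the cert is self-signed.
def build_cert(cn:, serial:, ca: false, san: nil, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[:cert] : cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  { cert: cert, key: key }
end

def server_ctx_for(identity)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = identity[:cert]
  ctx.key  = identity[:key]
  ctx
end

# Assumed model of the default the warning complains about: any certificate is accepted.
def insecure_client_ctx
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Assumed model of tls: { verify_peer: true }: a trusted chain AND a matching name.
def strict_client_ctx(trust_store)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode     = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store      = trust_store
  ctx
end

# One TLS handshake over an in-process socket pair. Returns :connected or :rejected.
def try_handshake(client_ctx, server_ctx, hostname)
  client_io, server_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    begin
      ssl.accept
      ssl.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      # The client tore the handshake down; expected when verification fails.
    ensure
      server_io.close unless server_io.closed?
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_ctx)
  ssl.hostname = hostname # sent as SNI and, with verify_hostname, checked against the cert
  begin
    ssl.connect
    ssl.close
    :connected
  rescue OpenSSL::SSL::SSLError => e
    warn "rejected (#{hostname}): #{e.message}"
    :rejected
  ensure
    client_io.close unless client_io.closed?
    server.join
  end
end

# Six handshakes: the client always wants GOOD_HOST; the server's identity varies.
def run_scenarios
  root    = build_cert(cn: 'Example Test Root CA', serial: 1, ca: true)
  genuine = build_cert(cn: GOOD_HOST,  serial: 2, san: GOOD_HOST,  issuer: root)
  other   = build_cert(cn: OTHER_HOST, serial: 3, san: OTHER_HOST, issuer: root)
  rogue   = build_cert(cn: GOOD_HOST,  serial: 4, san: GOOD_HOST) # self-signed imposter
  store = OpenSSL::X509::Store.new
  store.add_cert(root[:cert])

  results = {}
  { genuine: genuine, other_name: other, untrusted: rogue }.each do |name, identity|
    ctx = server_ctx_for(identity)
    results[[:verify_peer_off, name]] = try_handshake(insecure_client_ctx, ctx, GOOD_HOST)
    results[[:verify_peer_on,  name]] = try_handshake(strict_client_ctx(store), ctx, GOOD_HOST)
  end
  results
end

if $PROGRAM_NAME == __FILE__
  run_scenarios.each { |(mode, server), outcome| puts "#{mode} #{server}: #{outcome}" }
end
```

With verification off all three servers are accepted, including the one holding a perfectly valid certificate for a different name and the self-signed one claiming the right name; that is the MITM window the warning points at. With VERIFY_PEER and verify_hostname only the genuine server gets through, the other two fail inside connect with an SSLError before any Bayeux traffic is sent.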

@Reidsy

Reidsy commented Dec 15, 2021

This issue has been fixed in version 1.4.0 of Faye. This warning can be fixed by upgrading your gems.

At the time of writing:

```ruby
gem 'faye', '1.4.0'
gem 'restforce', '5.2.1'
```
