SSL Server Tests

April 13, 2016

Back in module three at Turing, I started working on a personal project: an air quality alerting application in Rails. I began by pulling in the Breezometer API and, per their documentation, made my calls over HTTPS. Unfortunately, I kept getting an SSL certificate error: SSL_connect returned=1 errno=0 state=error: certificate verify failed. It turns out many of my peers were also running into SSL certificate problems when accessing other APIs for their projects. Most of them had resolved their errors by updating Ruby and RVM or updating the openssl gem. One person updated their certificates by following the steps in this article. I also discovered a packaged cron job called openssl-osx-ca that keeps the certificates in the OSX keychain up to date.

After six hours of reinstalling Ruby, Rails, RVM, and recklessly trying many different solutions on Stack Overflow, I decided to call the Breezometer API with regular old HTTP so I could actually make headway on my project.

I had a meeting with my mentor the next day, and I told him of my woes. He showed me this website from Qualys SSL Labs that runs metrics on a web server and gives it a letter grade based on many parameters, like certificate chain completeness or which cryptographic algorithms it uses, and tells you about any issues. It turns out that the Breezometer API has an incomplete certificate chain (see the complete report here; it got a grade B). I was relieved to find out that I wasn't doing something horribly wrong in my code; it was actually the server that was giving me trouble. I wish I had known about this site earlier, so I made a mental note to test any API I was going to use before writing any code.
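The incomplete-chain failure described above, and the certificate verify failed error from the Breezometer project, can be reproduced offline with a small Ruby script. This is an added example, not code from this post or from any of the APIs it mentions: it constructs a throwaway root, intermediate and leaf certificate (the names Example Root CA, Example Intermediate CA and api.example.test are made up) and verifies the leaf the way a TLS client does, first with only the leaf presented, then with the intermediate sent alongside it.

```ruby
require 'openssl'

# Build an X.509 certificate signed by `issuer_key` (self-signed when no issuer is given).
def make_cert(name, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify `leaf` like a TLS client: trust only `roots`, and use the extra certificates the
# server presented (`presented`) to link the leaf back to a trusted root.
# Returns [true, nil] on success or [false, openssl_error_string] on failure.
def verify_chain(leaf, presented, roots)
  store = OpenSSL::X509::Store.new
  roots.each { |r| store.add_cert(r) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, presented)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Constructed throwaway PKI: root -> intermediate -> leaf, the usual shape for a public API host.
root_key = OpenSSL::PKey::RSA.new(2048)
inter_key = OpenSSL::PKey::RSA.new(2048)
leaf_key = OpenSSL::PKey::RSA.new(2048)
ROOT = make_cert('Example Root CA', root_key, ca: true)
INTERMEDIATE = make_cert('Example Intermediate CA', inter_key, issuer: ROOT, issuer_key: root_key, ca: true)
LEAF = make_cert('api.example.test', leaf_key, issuer: INTERMEDIATE, issuer_key: inter_key)

# Incomplete chain: the server sends only its leaf, so the client cannot reach the trusted root.
INCOMPLETE = verify_chain(LEAF, [], [ROOT])
# Complete chain: the server also sends the intermediate, and verification succeeds.
COMPLETE = verify_chain(LEAF, [INTERMEDIATE], [ROOT])

if __FILE__ == $PROGRAM_NAME
  puts "leaf only:           #{INCOMPLETE.inspect}"
  puts "leaf + intermediate: #{COMPLETE.inspect}"
end
```

The fix is for the server to send its intermediate (or, as a stopgap, for the client to add that intermediate to the chain it checks), not to turn off verification or fall back to plain HTTP, which gives up the authentication the certificate was supposed to provide.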

This week, I am working on a development team for an application called Looking For Me, a site that pulls programming related jobs for Turing grads to peruse. I decided to work on a feature to add more jobs with the Authentic Jobs API. So, before writing any code, I ran the SSL server test for this API. The Authentic Jobs API got a grade B because it supports weak Diffie-Hellman (DH) key exchange parameters. DH was one of the first public key exchange algorithms, published in the 1970s, and weak DH parameters are vulnerable to the Logjam attack.

I always learn so much from the SSL server test reports, and I will continue getting a report before using any API.
