http://www.perlmonks.org?node_id=724174

marcussen has asked for the wisdom of the Perl Monks concerning the following question:

I am experiencing some issues with a slightly older copy of the IO::Socket::SSL module: it rejects a CA during the handshake where the openssl binary allows it using the same parameters. I was hoping that a fellow monk might point out the obvious for me. Here is what I experience:

root#~ openssl s_client -connect srs.neulevel.biz:700 -cert ./my-cert.pem -key ./my-cert.key -CAfile ca_bundle.pem
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
verify return:1
---
Certificate chain
 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
subject=/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1775 bytes and written 3588 bytes
---
Using the following perl code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(debug4);   # debug4: most verbose handshake tracing

# Connect to the EPP endpoint, presenting our client certificate and
# verifying the server against the supplied CA bundle.
my $client = IO::Socket::SSL->new(
    PeerAddr      => "srs.neulevel.biz",
    PeerPort      => 700,
    Proto         => 'tcp',
    SSL_use_cert  => 1,
    SSL_key_file  => "my-cert.key",
    SSL_cert_file => "my-cert.pem",
    SSL_ca_file   => "ca_bundle.pem",
);

if (defined $client) {
    print <$client>;      # dump whatever the server greets us with
    close $client;
} else {
    warn "I encountered a problem: ", IO::Socket::SSL::errstr();
}
warn $! if not defined($client);
Which produces the following output:
SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca at /root/biz_test.pl line 6
IO::Socket::INET configuration failed at /root/biz_test.pl line 6
I encountered a problem: IO::Socket::INET configuration failed at /root/biz_test.pl line 20.
IO::Socket::SSL: Timeout ...caught at /root/biz_test.pl line 23.
It would seem that the error indicates that the CA isn't in the bundle; however, the openssl CLI seems to agree with me that it is indeed there.

I know you won't be able to reproduce this on your own machine as EPP access is limited by IP ranges and you don't have access to my IPs or certificates. The CA bundle is the standard Verisign root CA bundle and my-cert was issued by them. I have tried using ca_path => /etc/ssl/certs to include the Equifax certs as well, but I receive the same result.

Confucius says kill mosquito unless cannon
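Added here as a diagnostic example, not code from the post or from IO::Socket::SSL: a Python parser for the two artefacts above (the s_client transcript and the error string) that separates local verification of the server chain from an alert received from the peer, since an error reported under SSL3_READ_BYTES is an alert the other side sent. The sample input is a constructed, abridged copy of the post's own output.

```python
import re

# Constructed sample input: an abridged copy of the s_client transcript and the
# IO::Socket::SSL error quoted in the post (long DN fields shortened).
S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/CN=epp.neustar.biz
verify return:1
---
Certificate chain
 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/CN=epp.neustar.biz
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
"""
PERL_ERROR = ("SSL connect attempt failederror:14094418:SSL routines:"
              "SSL3_READ_BYTES:tlsv1 alert unknown ca at /root/biz_test.pl line 6")

def parse_s_client(text):
    """Per-depth verify results, presented chain and acceptable client-CA list."""
    verify = {int(d): int(c) for d, c in
              re.findall(r"depth=(\d+) .*\nverify return:(\d+)", text)}
    chain = [(s.strip(), i.strip()) for s, i in          # [(subject, issuer), ...]
             re.findall(r"^ *\d+ s:(.*)\n *i:(.*)$", text, re.M)]
    m = re.search(r"Acceptable client certificate CA names\n(.*?)\n---", text, re.S)
    ca_names = m.group(1).splitlines() if m else None   # None: server sent no list
    return {"verify": verify, "chain": chain, "client_ca_names": ca_names}

def classify_error(msg):
    """An alert reported under SSL3_READ_BYTES was received from the peer; a
    local chain-building failure reads 'certificate verify failed' instead."""
    m = re.search(r"SSL3_READ_BYTES:tlsv1 alert (.+?)(?: at |$)", msg)
    if m:
        return "peer_alert:" + m.group(1)
    if "certificate verify failed" in msg:
        return "local_verify_failed"
    return "other"

def diagnose(transcript, error):
    """Combine both views: did the server chain verify locally, and who rejected whom?"""
    info = parse_s_client(transcript)
    server_ok = bool(info["verify"]) and all(v == 1 for v in info["verify"].values())
    if server_ok and classify_error(error) == "peer_alert:unknown ca":
        return "peer_rejected_client_cert"   # server did not accept client cert's issuer
    return "server_chain_ok" if server_ok else "server_chain_failed"
```

The verdict separates "my CA bundle cannot build the server's chain" (a local failure) from "the server did not accept the issuer of the certificate I presented" (a peer alert), which is the first thing to establish before adjusting SSL_ca_file or SSL_ca_path.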