http://www.perlmonks.org?node_id=724174

marcussen has asked for the wisdom of the Perl Monks concerning the following question:

I am experiencing some issues with a slightly older copy of the IO::Socket::SSL module: it rejects a CA during the handshake where the openssl binary allows it using the same parameters. I was hoping that a fellow monk might point out the obvious for me. Here is what I experience:

root#~ openssl s_client -connect srs.neulevel.biz:700 -cert ./my-cert.pem -key ./my-cert.key -CAfile ca_bundle.pem
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
verify return:1
---
Certificate chain
 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
subject=/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1775 bytes and written 3588 bytes
---
Using the following perl code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(debug4);

my $client = IO::Socket::SSL->new(
    PeerAddr      => "srs.neulevel.biz",
    PeerPort      => 700,
    Proto         => 'tcp',
    SSL_use_cert  => 1,
    SSL_key_file  => "my-cert.key",
    SSL_cert_file => "my-cert.pem",
    SSL_ca_file   => "ca_bundle.pem",   # CA bundle used to verify the server
);

if (defined $client) {
    print <$client>;
    close $client;
} else {
    warn "I encountered a problem: ", IO::Socket::SSL::errstr();
}

warn $! if not defined($client);
Which produces the following output:
SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca at /root/biz_test.pl line 6
IO::Socket::INET configuration failed at /root/biz_test.pl line 6
I encountered a problem: IO::Socket::INET configuration failed at /root/biz_test.pl line 20.
IO::Socket::SSL: Timeout ...caught at /root/biz_test.pl line 23.
It would seem that the error indicates that the CA isn't in the bundle; however, the openssl CLI seems to agree with me that it is indeed there.

I know you won't be able to reproduce this on your own machine as EPP access is limited by IP ranges and you don't have access to my IPs or certificates. The CA bundle is the standard Verisign root CA bundle and my-cert was issued by them. I have tried using ca_path => /etc/ssl/certs to include the Equifax certs as well, but I receive the same result.

Confucius says kill mosquito unless cannon

Replies are listed 'Best First'.
Re: OpenSSL vs IO::Socket::SSL
by Anonymous Monk on Nov 18, 2008 at 02:50 UTC
    Try debug3.

      It's a slightly older version (0.96), so debug4, which I use, is the most verbose option. From perldoc IO::Socket::SSL on the server in question:

      use IO::Socket::SSL qw(debug3);  #Print out progress, ciphers, and errors.
      use IO::Socket::SSL qw(debug4);  #Print out everything, including data.

      Just to humor you, here is the output from debug3:

      SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca at biz_test.pl line 6
      IO::Socket::INET configuration failed at biz_test.pl line 6
      I encountered a problem: IO::Socket::INET configuration failed at biz_test.pl line 20.
      IO::Socket::SSL: Timeout ...caught at biz_test.pl line 23.

Re: OpenSSL vs IO::Socket::SSL
by mniew (Initiate) on Dec 17, 2010 at 22:07 UTC
    Here's a late answer (intended for future searchers...). Try
    my $client = IO::Socket::SSL->new(
        PeerAddr      => "srs.neulevel.biz",
        PeerPort      => 700,
        Proto         => 'tcp',
        SSL_use_cert  => 1,
        SSL_key_file  => "my-cert.key",
        SSL_cert_file => "my-chain.pem",
    );
    Then make "my-chain.pem" by concatenating your cert and all intermediate certs up to the root cert, all in PEM format.

    Because IO::Net::Socket::SSL::new calls Net::SSLeay::CTX_use_certificate_chain_file(), whose doc says

    "SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA."

    And just for the sake of completeness, you can use Java's keytool to quickly dump a summary of the PEM results.
    keytool -printcert -file my-chain.pem | grep -E '^(Owner|Issuer)'
    # you should see output like
    #   Owner=example.com
    #   Issuer=Intermediate A
    #   Owner=Intermediate A
    #   Issuer=Intermediate B
    #   Owner=Intermediate B
    #   Issuer=Some Cert authority Root
    #   Owner=Some Cert authority Root
    #   Issuer=Some Cert authority Root
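A small checker for the chain-file ordering described above, added here as an example (it is not code from this thread): it splits a PEM bundle into certificates, reads each subject and issuer through the openssl CLI, and fails if a certificate is not issued by the one that follows it, the ordering SSL_CTX_use_certificate_chain_file() requires. The script name check_chain.pl and the presence of openssl on PATH are assumptions.

```perl
#!/usr/bin/perl
# check_chain.pl (hypothetical name, added example): verify that a PEM chain
# file is ordered leaf -> intermediates -> root. Each certificate's names are
# read via the openssl CLI, which is assumed to be on PATH.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Split a PEM bundle into its individual certificate blocks.
sub split_pem {
    my ($text) = @_;
    return $text =~ /(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)/sg;
}

# Return (subject, issuer) of one PEM certificate, as printed by `openssl x509`.
sub names_of {
    my ($pem) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);
    print {$fh} $pem, "\n";
    close $fh;
    my $out = qx(openssl x509 -in "$path" -noout -subject -issuer);
    my ($subject) = $out =~ /^subject=\s*(.*)$/m;
    my ($issuer)  = $out =~ /^issuer=\s*(.*)$/m;
    die "could not parse a certificate in the chain\n"
        unless defined $subject && defined $issuer;
    return ($subject, $issuer);
}

my $file = shift or die "usage: $0 my-chain.pem\n";
open my $in, '<', $file or die "cannot open $file: $!\n";
my @certs = split_pem(do { local $/; <$in> });
close $in;
die "no certificates found in $file\n" unless @certs;

my @names = map { [ names_of($_) ] } @certs;
for my $i (0 .. $#names) {
    my ($subject, $issuer) = @{ $names[$i] };
    printf "%d: subject=%s\n   issuer=%s\n", $i, $subject, $issuer;
    next if $i == $#names;
    # Each certificate must be signed by the one that follows it.
    my $next_subject = $names[$i + 1][0];
    die sprintf("order error: cert %d is issued by '%s' but cert %d is '%s'\n",
                $i, $issuer, $i + 1, $next_subject) if $issuer ne $next_subject;
}

# A complete chain ends at a self-signed root; a missing root is only a warning.
my ($last_subject, $last_issuer) = @{ $names[-1] };
print $last_subject eq $last_issuer
    ? "OK: chain is ordered leaf -> root\n"
    : "WARNING: chain is ordered but does not end at a self-signed root\n";
```

Run it as `perl check_chain.pl my-chain.pem` before handing the file to SSL_cert_file; a non-zero exit means the order the server will see is wrong.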