http://www.perlmonks.org?node_id=1060616

setuk1 has asked for the wisdom of the Perl Monks concerning the following question:

Googled around and i cant get an SSL test using IO::Socket:SSL to work. Can someone point me in the right direction to set up SSL validation against a server running https.
use IO::Socket::SSL qw(debug4); use Data::Dumper; # simple HTTP client --------------------------------------------- +-- my $sock = IO::Socket::SSL->new( # where to connect PeerHost => "mail.google.com", PeerPort => "443", SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_path => 'C:\\Users\\Simon\\ptest\\certs' ) or die "failed connect or ssl handshake: $!,$SSL_ERROR";
And getting:-
C:\Users\Simon\ptest>t2.pl DEBUG: .../IO/Socket/SSL.pm:1805: new ctx 46151184 DEBUG: .../IO/Socket/SSL.pm:449: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:451: socket connected DEBUG: .../IO/Socket/SSL.pm:469: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:504: using SNI with hostname mail.google.c +om DEBUG: .../IO/Socket/SSL.pm:540: Net::SSLeay::connect -> -1 DEBUG: .../IO/Socket/SSL.pm:1411: SSL connect attempt failed with unkn +own error DEBUG: .../IO/Socket/SSL.pm:546: fatal SSL error: SSL connect attempt +failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER +_ CERTIFICATE:certificate verify failed DEBUG: .../IO/Socket/SSL.pm:449: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:451: socket connected DEBUG: .../IO/Socket/SSL.pm:469: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:507: not using SNI because hostname is unk +nown DEBUG: .../IO/Socket/SSL.pm:540: Net::SSLeay::connect -> -1 DEBUG: .../IO/Socket/SSL.pm:1411: SSL connect attempt failed with unkn +own error DEBUG: .../IO/Socket/SSL.pm:546: fatal SSL error: SSL connect attempt +failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER +_ CERTIFICATE:certificate verify failed DEBUG: .../IO/Socket/SSL.pm:1842: free ctx 46151184 open=46151184 DEBUG: .../IO/Socket/SSL.pm:1850: OK free ctx 46151184 failed connect or ssl handshake: Bad file descriptor,IO::Socket::IP co +nfiguration failed SSL connect attempt failed with unknown error erro +r :14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify +failed at C:\Users\Simon\ptest\t2.pl line 6.

As i am testing against google mail - i downloaded all 3 certs in the key chain and put them in the certs dir. mail.google.com.crt GoogleInternetAuthorityG2.crt GeoTrustGlobalCA.crt Any ideas as to what im doing wrong.

Replies are listed 'Best First'.
Re: Guidance on SSL Cert Checking
by sundialsvc4 (Abbot) on Nov 01, 2013 at 01:53 UTC

    I suggest that you should be very specific in your Google Searches about this problem.   For example, a search for:

    ssl "14090086" "mail.google.com"
    appears to be fruitful, although I have not yet explored the hits.   Clearly, whatever-it-is is not by any means “perl-specific.”   It is, rather ... and this is way too “familiar” to me ... SSL ... being itself.

    Unfortunately, the careful-design of SSL is that it gives nothing away to “what it always presumes to be an attacker.”

    My best advice to you at this point is that ... “this is not a Perl problem.”   It is, however, a most familiar problem . . .   At this point, “Perl” is, in its own way, more-or-less returning to you the same codes that <<PHP | dot-Net | Java | ... >> would (had to have ...) have done, and for the same impenetrable reasons.

    “Been there.   Oh, yes I have.   Done that.”   Keep us informed.