Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

OpenSSL vs IO::Socket::SSL

by marcussen (Pilgrim)
on Nov 18, 2008 at 02:36 UTC ( #724174=perlquestion: print w/ replies, xml ) Need Help??
marcussen has asked for the wisdom of the Perl Monks concerning the following question:

I am experiencing some issues with a slightly older copy of the IO::Socket::SSL module, it rejects a CA during the handshake where the openssl binary allows it using the same parameters. I was hoping that a fellow monk might point out the obvious for me. Here is what I experience;

root#~ openssl s_client -connect srs.neulevel.biz:700 -cert ./my-cert. +pem -key ./my-cert.key -CAfile ca_bundle.pem CONNECTED(00000003) depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/ +resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R) +/CN=epp.neustar.biz verify return:1 --- Certificate chain 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/res +ources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN +=epp.neustar.biz i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- subject=/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/ +resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R) +/CN=epp.neustar.biz issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1775 bytes and written 3588 bytes ---
Using the following perl code:
#!/usr/bin/perl use strict; use warnings; use IO::Socket::SSL qw(debug4); my $client = new IO::Socket::SSL( PeerAddr => "srs.neulevel.biz", PeerPort => 700, Proto => 'tcp', SSL_use_cert => 1, SSL_key_file => "my-cert.key", SSL_cert_file => "my-cert.pem", SSL_ca_file => "ca_bundle.pem", ); if (defined $client) { print <$client>; close $client; } else { warn "I encountered a problem: ", IO::Socket::SSL::errstr(); } warn $! if not defined($client);
Which produces the following output:
SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES: +tlsv1 alert unknown ca at /root/biz_test.pl line 6 IO::Socket::INET configuration failed at /root/biz_test.pl line 6 I encountered a problem: IO::Socket::INET configuration failed at /roo +t/biz_test.pl line 20. IO::Socket::SSL: Timeout ...caught at /root/biz_test.pl line 23.
It would seem that the error indicates that the ca isn't in the bundle, however the openssl CLI seems to agree with me that it is indeed there.

I know you won't be able to reproduce this on your own machine as EPP access is limited by IP ranges and you don't have access to my IPs or certificates. The ca bundle is the standard Verisign root CA bunlde and my-cert was issued by them. I have tried using ca_path => /etc/ssl/certs to include the equfax certs as well, but I receive the same result.

Confucius says kill mosquito unless cannon

Comment on OpenSSL vs IO::Socket::SSL
Select or Download Code
Re: OpenSSL vs IO::Socket::SSL
by Anonymous Monk on Nov 18, 2008 at 02:50 UTC
    Try debug3.

      It's a slightly older version (0.96) so debug4 which I use is the most verbose option. From perldoc IO::Socket::SSL on the server in question;

      use IO::Socket::SSL qw(debug3); #Print out progress, ciphers, and errors. use IO::Socket::SSL qw(debug4); #Print out everything, including data.

      Just to humor you, here is the output from debug3:

      SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES: +tlsv1 alert unknown ca at biz_test.pl line 6 IO::Socket::INET configuration failed at biz_test.pl line 6 I encountered a problem: IO::Socket::INET configuration failed at biz_ +test.pl line 20. IO::Socket::SSL: Timeout ...caught at biz_test.pl line 23.

      Confucius says kill mosquito unless cannon
Re: OpenSSL vs IO::Socket::SSL
by mniew (Initiate) on Dec 17, 2010 at 22:07 UTC
    Here's a late answer (intended for future searchers...). Try
    my $client = new IO::Socket::SSL( PeerAddr => "srs.neulevel.biz", PeerPort => 700, Proto => 'tcp', SSL_use_cert => 1, SSL_key_file => "my-cert.key", SSL_cert_file => "my-chain.pem", );
    Then make "my-chain.pem" via concatenating your cert, and all intermediate certs until the root cert, all in pem format.

    Because IO::Net::Socket::SSL::new calls Net::SSLeay::CTX_use_certificate_chain_file() who's doc says

    "SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA."

    And just for the sake of completion.. you can use java's keytool to quickly dump a summary of the pem results.
    keytool -printcert my-chain.pem | grep -E '^(Owner|Issuer)' # you should see output like Owner=example.com Issuer=Intermediate A Owner=Intermediate A Issuer=Intermediate B Owner=Intermediate B Issuer=Some Cert authority Root Owner=Some Cert authority Root Issuer=Some Cert authority Root

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://724174]
Approved by ww
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others about the Monastery: (5)
As of 2014-09-20 13:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How do you remember the number of days in each month?











    Results (159 votes), past polls