I am experiencing some issues with a slightly older copy of the IO::Socket::SSL module: it rejects a CA during the handshake where the openssl binary accepts it using the same parameters. I was hoping that a fellow monk might point out the obvious for me. Here is what I experience:
root#~ openssl s_client -connect srs.neulevel.biz:700 -cert ./my-cert.pem -key ./my-cert.key -CAfile ca_bundle.pem
CONNECTED(00000003)
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
verify return:1
---
Certificate chain
 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
subject=/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN=epp.neustar.biz
issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 1775 bytes and written 3588 bytes
---
Using the following Perl code:
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(debug4);

# Connect with a client certificate, naming the CA bundle for the handshake.
my $client = IO::Socket::SSL->new(
    PeerAddr      => "srs.neulevel.biz",
    PeerPort      => 700,
    Proto         => 'tcp',
    SSL_use_cert  => 1,
    SSL_key_file  => "my-cert.key",
    SSL_cert_file => "my-cert.pem",
    SSL_ca_file   => "ca_bundle.pem",
);

if (defined $client) {
    # Read and print the server greeting, then close.
    print <$client>;
    close $client;
} else {
    # Report the SSL-level error string from the failed connect.
    warn "I encountered a problem: ", IO::Socket::SSL::errstr();
}
# Also report the underlying socket error, if any.
warn $! if not defined($client);
Which produces the following output:
SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
at /root/biz_test.pl line 6
IO::Socket::INET configuration failed
at /root/biz_test.pl line 6
I encountered a problem: IO::Socket::INET configuration failed at /root/biz_test.pl line 20.
IO::Socket::SSL: Timeout ...caught at /root/biz_test.pl line 23.
It would seem that the error indicates that the CA isn't in the bundle; however, the openssl CLI seems to agree with me that it is indeed there.
I know you won't be able to reproduce this on your own machine, as EPP access is limited by IP ranges and you don't have access to my IPs or certificates. The CA bundle is the standard Verisign root CA bundle, and my-cert was issued by them. I have tried using ca_path => /etc/ssl/certs to include the Equifax certs as well, but I receive the same result.
Confucius says kill mosquito unless cannon
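An added diagnostic variant of the script in the post above (example code, not the poster's own; the host, port and file names are taken from the post, and the logging callback is an assumption about how one would instrument it). It switches server-certificate verification on explicitly and logs every certificate the local verifier examines, so the log shows whether ca_bundle.pem is being consulted and accepted on the client side, and on failure it prints the SSL error string and the socket error separately so the two are not confused.

```perl
#!/usr/bin/perl
# Added example, not the poster's script. Host, port and file names are
# placeholders taken from the post; adjust them for your own setup.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my @chain_log;    # one line per certificate the local verifier examined

my $client = IO::Socket::SSL->new(
    PeerAddr        => 'srs.neulevel.biz',    # assumed: EPP host from the post
    PeerPort        => 700,
    Proto           => 'tcp',
    Timeout         => 30,
    SSL_use_cert    => 1,
    SSL_cert_file   => 'my-cert.pem',
    SSL_key_file    => 'my-cert.key',
    SSL_ca_file     => 'ca_bundle.pem',
    SSL_verify_mode => SSL_VERIFY_PEER,       # verify the server chain locally
    # OpenSSL calls this once per certificate in the server's chain while
    # checking it against SSL_ca_file. An "ok" entry for every depth means
    # the bundle was found and accepted on this side of the connection.
    SSL_verify_callback => sub {
        my ($ok, $ctx_store, $certname, $error) = @_;
        push @chain_log, sprintf "verify %s: %s%s",
            ($ok ? 'ok' : 'FAILED'), $certname, ($ok ? '' : " ($error)");
        return $ok;    # keep OpenSSL's verdict; never override it here
    },
);

# Print whatever the local verifier saw, whether or not the connect succeeded.
print STDERR "$_\n" for @chain_log;

if (!$client) {
    # errstr() is the OpenSSL error from the failed handshake; $! is the
    # underlying socket error, if any. Keeping them apart makes it clear
    # whether the failure was a verification problem or a transport one.
    my $ssl_err = IO::Socket::SSL::errstr() || 'no SSL error recorded';
    die "handshake failed: $ssl_err; socket error: $!\n";
}

print "peer certificate subject: ", $client->peer_certificate('subject'), "\n";
print "peer certificate issuer:  ", $client->peer_certificate('issuer'),  "\n";
print <$client>;    # EPP greeting sent by the server on connect
close $client;
```

The callback only fires while the client checks the server's chain; if it logs "ok" for every depth and the connect still fails, the CA bundle on the client side is not the part being rejected, which narrows where to look next.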