PerlMonks  

Re: LWP UserAgent - Sending Client Certificate connect to remote host

by Zzenmonk (Sexton)
on May 14, 2013 at 13:26 UTC


in reply to LWP UserAgent - Sending Client Certificate connect to remote host

Hmmm!

Your stuff looks all wrong to me. The SSL_ca_file refers to the certificate of the CA (certification authority), not the authentication certificate of a client.

From what I know, an http authentication cannot be done with a certificate. It is done with user credentials (username/password) protected by an encrypted communication (https). The certificates only allow you to make sure you are connected to the correct server.

Depending on your architecture, the authentication processes might be implemented with different services. I assume in your case a first layer of authentication is implemented with user credentials and a second security layer is an ssh authentication service. Once you are authenticated with the user credentials, the ssh service validates a user certificate (private key) and a token is passed to the application server. This token will allow you to start a session.

For more help I guess any monks will need more information as to what you want to do.

K

The best medicine against depression is a cold beer!


Re^2: LWP UserAgent - Sending Client Certificate connect to remote host
by vsespb (Hermit) on May 14, 2013 at 15:30 UTC
    From what I know an http authentication can not be done with a certificate. It is done with user credentials (username/passwords) protected by an encrypted communication (https).
    No, HTTPS authentication can be done with a certificate. However, I am not sure if LWP allows this. And yes, SSL_ca_file is possibly an incorrect option. Documentation for this stuff should be somewhere here http://search.cpan.org/perldoc?IO%3A%3ASocket%3A%3ASSL

      I checked this on CPAN and did not find any option for this. The more I read, the more I think we are dealing here with an ssh connection over port 22.

      K

      The best medicine against depression is a cold beer!
Re^2: LWP UserAgent - Sending Client Certificate connect to remote host
by kabachaa (Novice) on May 14, 2013 at 18:56 UTC
    Our primary task is to use the CERTIFICATE and RSA PRIVATE KEY to connect to the host machine; once connected to the host machine we need to make multiple https/http requests to download some files. So there are no user level credentials that need to be verified, we just need to use the cert.crt file which contains both the CERTIFICATE and RSA PRIVATE KEY. Thanks!

      Hi,

      OK! It is a less sophisticated authorization scheme than the one I thought of. LWP will not provide you with the appropriate feature.

      Schematically, you authenticate against the openssh daemon and query the web server afterwards. Meaning the web server shells out to the openssh daemon, captures its return code and authorizes you or not. The implementation details for Apache are here: http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html#accesscontrol

      Net::SSLeay offers a solution to your problem. Solution description at http://search.cpan.org/~mikem/Net-SSLeay-1.54/lib/Net/SSLeay.pod. Search for =>Using client certificates<= in the page.

      Test: Try to open an ssh session against port 443 or 80. If you get a prompt, enter GET+Return. If you see HTML on the console, you can use the module above. Do not worry if the ssh session disconnects.

      K

      The best medicine against depression is a cold beer!

        I went through the documentation for Net::SSLeay and, after searching for some good examples which I couldn't find, I wrote something like this. I think I am not passing the certificate correctly, that is why I am getting the Forbidden 403. Using curl I can make the request and get a response from the host machine with the same cert. I would really appreciate it if someone could give me any pointers to what I am doing wrong. Thanks!

        curl '-i' '-k' '-H' 'tag: 6-0-2-1' '-H' 'tag2' '-E' 'ops-cert.crt' '--data-binary' '@request_e' '--url' 'https://host.com:443/'

        use strict;
        use warnings;
        use Net::SSLeay qw(get_https make_headers);

        $Net::SSLeay::ssl_version = 3;   # forces SSLv3 only (the original setting)
        $Net::SSLeay::trace       = 3;   # produces the connection trace shown below
        $| = 1;

        my $host     = 'host.com';
        my $port     = 443;
        my $pathCert = '/home/cert/ops-cert-O.crt';   # PEM client certificate
        my $pathkey  = '/home/cert/keys.key';         # PEM private key for that certificate

        # get_https($site, $port, $path, $headers, $content, $mime_type, $crt_path, $key_path)
        # The curl command above requests '/', so the path is '/' rather than ''.
        my ($page, $result, %headers) = get_https($host, $port, '/', '', '', '', $pathCert, $pathkey);
        print $result;

        Output I get:

        do_httpx3(GET,1,host.com:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1268.
        httpx_cat: usessl=1 (host.com:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al) line 1177.
        Opening connection to host.com:443 (208.90.58.23) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 449.
        Creating SSL 3 context...
        Creating SSL connection (context was '425677232')...
        Setting fd (ctx 425677232, con 425782688)...
        Entering SSL negotiation phase...
        Cipher list: DHE-RSA-AES256-SHA, DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA, KRB5-DES-CBC3-MD5, KRB5-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, DES-CBC3-SHA, DHE-RSA-AES128-SHA, DHE-DSS-AES128-SHA, AES128-SHA, KRB5-RC4-MD5, KRB5-RC4-SHA, RC4-SHA, RC4-MD5, KRB5-DES-CBC-MD5, KRB5-DES-CBC-SHA, EDH-RSA-DES-CBC-SHA, EDH-DSS-DES-CBC-SHA, DES-CBC-SHA, EXP-KRB5-RC2-CBC-MD5, EXP-KRB5-DES-CBC-MD5, EXP-KRB5-RC2-CBC-SHA, EXP-KRB5-DES-CBC-SHA, EXP-EDH-RSA-DES-CBC-SHA, EXP-EDH-DSS-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-KRB5-RC4-MD5, EXP-KRB5-RC4-SHA, EXP-RC4-MD5\n at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/https_cat.al) line 1110.
        Cipher `DHE-RSA-AES256-SHA'
        Subject Name: /C=US/ST=California/L=San Bruno/O=Inc Systems/CN=host.com
        Issuer Name: /C=US/ST=California/O=Inc Systems/CN=dev-sds-host.com
        https_cat 32382: sending 76 bytes...
        write_all VM at entry=vm_unknown
        written so far 76:76 bytes (VM=vm_unknown)
        waiting for reply...
        got 169:0 bytes (VM=vm_unknown).
        got 0:169 bytes (VM=vm_unknown).
        Got 169 bytes.
        headers >
        <html>
        <head><title>403 Forbidden</title></head>
        <body bgcolor="white">
        <center><h1>403 Forbidden</h1></center>
        <hr><center>nginx/0.8.54</center>
        </body>
        </html>
        < page >><< http >>
        <html>
        <head><title>403 Forbidden</title></head>
        <body bgcolor="white">
        <center><h1>403 Forbidden</h1></center>
        <hr><center>nginx/0.8.54</center>
        </body>
        </html>
        <<< at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1275.
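As an added example (not code from any of the posters in this thread): with LWP 6.x a client certificate can be supplied to LWP::UserAgent directly through ssl_opts, which LWP hands to IO::Socket::SSL, the module vsespb linked above. The host, file paths and download paths below are placeholders; the custom header value is the one the curl command sent.

```perl
#!/usr/bin/env perl
# Added example, not code from any poster in this thread.
# LWP::UserAgent 6.x passes ssl_opts straight to IO::Socket::SSL, so a client
# certificate can be presented without dropping down to Net::SSLeay.
# The host and file paths are placeholders; replace them with your own.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $host      = 'host.example';                   # placeholder
my $cert_file = '/path/to/client-cert.pem';       # PEM client certificate (placeholder)
my $key_file  = '/path/to/client-key.pem';        # PEM private key for it (placeholder);
                                                  # if cert and key sit in one PEM file,
                                                  # give that file for both options
my $ca_file   = '/path/to/server-ca-bundle.pem';  # CA that issued the *server's* cert

my $ua = LWP::UserAgent->new(
    keep_alive => 1,                   # reuse the TLS connection across several requests
    ssl_opts   => {
        SSL_cert_file   => $cert_file, # proves our identity to the server
        SSL_key_file    => $key_file,
        SSL_ca_file     => $ca_file,   # lets us verify the server's identity
        verify_hostname => 1,          # keep server verification on (curl -k disables it)
    },
);

# Fetch one path; returns (status_line, body-or-undef) so failures are explicit.
sub fetch {
    my ($path) = @_;
    my $req = HTTP::Request->new(GET => "https://$host$path");
    $req->header('tag' => '6-0-2-1');  # same custom header the curl command sent
    my $res = $ua->request($req);
    return ($res->status_line, $res->is_success ? $res->decoded_content : undef);
}

for my $path ('/', '/file1', '/file2') {   # placeholder paths to download
    my ($status, $body) = fetch($path);
    if (defined $body) {
        print "$path: $status, ", length($body), " bytes\n";
    } else {
        # 403 with a trusted chain usually means the server never saw (or rejected)
        # the client certificate: check that cert and key match and that the
        # server's CA list includes the issuer of the client certificate.
        warn "$path: $status\n";
    }
}
```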
