Re^4: Can Log4Perl integrated with LWP log SSL/TLS handshaking?

by ted.byers (Monk)
on Aug 04, 2014 at 01:18 UTC


in reply to Re^3: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
in thread Can Log4Perl integrated with LWP log SSL/TLS handshaking?

Hi, and thanks

Actually, the gremlin.site site was the one that worked. In configuring the useragent, I had the following parameters set:

# Parameters handed to the package constructor (file names relative to cwd)
$rp{'ca_cert_file'}  = 'rootCA.pem';   # root CA that signed the server cert
$rp{'ca_cert_dir'}   = '.';            # directory searched for CA certs
$rp{'SSL_cert_file'} = 'client.crt';   # client certificate presented to the server
$rp{'SSL_key_file'}  = 'client.key';   # private key matching client.crt

That is actually the initialization of the hash passed to my package's function new, which uses it thusly:

my $self = {
    logger        => '',
    user          => $params{user},
    password      => $params{password},
    timeout       => $params{timeout} || 180,   # seconds; default 180
    ssl_set       => 0,
    no_ssl_check  => $params{no_ssl_check},
    # TLS material, copied through to ssl_opts in the request method
    ca_cert_dir   => $params{ca_cert_dir},
    ca_cert_file  => $params{ca_cert_file},
    SSL_cert_file => $params{SSL_cert_file},
    SSL_key_file  => $params{SSL_key_file},
};
bless $self, $class;

and the request function uses the values stored, like so:

# Each option is only set when the caller supplied it; the SSL_* keys are
# passed by LWP::Protocol::https straight through to IO::Socket::SSL.
$self->{ua}->ssl_opts(SSL_ca_file   => $self->{ca_cert_file})  if $self->{ca_cert_file};
$self->{ua}->ssl_opts(SSL_ca_path   => $self->{ca_cert_dir})   if $self->{ca_cert_dir};
$self->{ua}->ssl_opts(SSL_cert_file => $self->{SSL_cert_file}) if $self->{SSL_cert_file};
$self->{ua}->ssl_opts(SSL_key_file  => $self->{SSL_key_file})  if $self->{SSL_key_file};

The 'ua' member of $self holds the user agent.

The log quote I provided that showed a successful connection was for gremlin.site. The one showing a failed connection was for another site, and one which I expected to fail because the certificate it has, while adequate for https when host names are not checked, was not signed by any CA anyone in his right mind would trust. My reason for this is that, RSN, I hope to be buying a domain name and proper certificates from a recognized vendor. I used it only to show that the log itself does not actually tell you which data transfer, or message, came from the client and which came from the server, and which of the two was actually responsible for the failure. This is in preparation for dealing with a server that I do not control and that behaves in the same way as this second server (not gremlin.site). Now, how would I change that command line you showed to inform LWP of the CA's root crt that can be used to verify the server's crt file and my client crt?

Also, I noticed that in the session log you showed, the client seemed to be doing most of the work, and there was hardly anything done by the server. I need details that will let me distinguish a certificate validation failure caused by the known CAs not having been involved in any way in the creation of the server's certificate from the same failure message being due to the server not sending its certificate in the first place (maybe an error in the configuration of the server). I set up my two servers specifically to let me see what I get when everything ought to work fine and when there ought to be a failure because the server's certificate could not be verified. I was hoping to see the sort of dialog between machines that one can get, e.g., from Wireshark. I'd use Wireshark to get the dialog I need, except I do not know how to get only the dialog between my workstation and the server I am trying to connect to, without all the other traffic (which seems to be significant), or how to save all that glorious detail to a file that I can send to the administrator of a misbehaving server. And, in Wireshark, I do not know if the server is seeing me at my non-routable IP address or my public IP address (I am connecting to this misbehaving server through a VPN whose administration remains a mystery to me).

Actually, while we're at it, is there an introductory web page that illustrates the steps in the SSL/TLS handshaking that must occur in order to have a secure channel properly opened?

Thanks

Ted
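The post above asks two things a log line alone does not answer: how to tell LWP about the root CA and the client certificate, and how to tell "the server's certificate is not signed by a trusted CA" apart from "the server never sent a certificate". The script below is an added example, not code from the original post or from the poster's package. It sets the same four ssl_opts the poster uses and adds two things: IO::Socket::SSL's handshake trace on STDERR, and an SSL_verify_callback that records what OpenSSL decided about every certificate in the chain. It assumes the hypothetical file names rootCA.pem, client.crt and client.key from the post are in the current directory, that the URL is given on the command line, and that the installed IO::Socket::SSL is recent enough to pass the chain depth as the callback's sixth argument. It needs network access to the server, so it cannot run offline.

```perl
#!/usr/bin/env perl
# Added example (not the poster's code): LWP over TLS with a root CA and a
# client certificate, plus a verify callback that logs each certificate
# OpenSSL examines. Assumes rootCA.pem, client.crt, client.key in cwd
# (hypothetical names from the post) and a URL on the command line.
use strict;
use warnings;
use IO::Socket::SSL 'debug3';     # trace handshake steps to STDERR
use Net::SSLeay;
use LWP::UserAgent;

my $url = shift @ARGV or die "usage: $0 https://host/path\n";

# One entry per certificate OpenSSL examined. Depth 0 is the server's own
# certificate, depth 1 its issuer, and so on up to the root.
my @examined;

sub verify_callback {
    my ($ok, $store, $certname, $error, $cert, $depth) = @_;
    my $subject = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_subject_name($cert));
    my $issuer  = Net::SSLeay::X509_NAME_oneline(
        Net::SSLeay::X509_get_issuer_name($cert));
    push @examined, {
        depth => $depth, ok => $ok, error => $error,
        subject => $subject, issuer => $issuer,
    };
    # Return OpenSSL's own verdict: the callback only observes, it never
    # overrides verification. Returning 1 here would disable checking.
    return $ok;
}

my $ua = LWP::UserAgent->new(timeout => 180);
$ua->ssl_opts(
    verify_hostname     => 1,
    SSL_ca_file         => 'rootCA.pem',   # root CA that signed the server cert
    SSL_ca_path         => '.',
    SSL_cert_file       => 'client.crt',   # presented if the server requests a client cert
    SSL_key_file        => 'client.key',
    SSL_verify_callback => \&verify_callback,
);

my $res = $ua->get($url);
print "HTTP result: ", $res->status_line, "\n";

if (@examined) {
    print "Certificates examined by OpenSSL (depth 0 = server cert):\n";
    for my $e (sort { $b->{depth} <=> $a->{depth} } @examined) {
        printf "  depth %d  %s\n    subject: %s\n    issuer:  %s\n",
            $e->{depth}, $e->{ok} ? 'ok' : "FAILED ($e->{error})",
            $e->{subject}, $e->{issuer};
    }
}
else {
    # If the server sent no certificate, or the connection died before the
    # Certificate message, OpenSSL has nothing to verify and the callback
    # is never called. That is the case to tell apart from "certificate
    # present but untrusted", which shows up above as a FAILED entry.
    print "No certificate was examined; see the handshake trace above.\n";
    print "Last SSL error: ", ($IO::Socket::SSL::SSL_ERROR // 'none'), "\n";
}

# Command-line equivalent of the same probe, for comparison: -CAfile names
# the root CA, -cert/-key the client certificate, -showcerts prints every
# certificate the server sent (or "no peer certificate available").
#   openssl s_client -connect HOST:443 -servername HOST \
#       -CAfile rootCA.pem -cert client.crt -key client.key -showcerts
```

A FAILED entry at depth 0 with an error such as "self signed certificate" or "unable to get local issuer certificate" means the server did send a certificate and the trust chain is the problem; an empty list means no certificate was ever handed to OpenSSL. The openssl s_client command in the trailing comment gives the same split quickly: it prints the chain the server sent and a "Verify return code" line, or "no peer certificate available" when the server sent nothing. For the Wireshark question, a capture filter of the form host SERVER_ADDRESS and port 443 restricts the capture to the one conversation, and File > Save As writes it to a pcap/pcapng file that can be sent on. A capture taken on the workstation shows the address the workstation puts on the packets as they enter the VPN adapter, not what the server sees after the VPN gateway forwards them; only the gateway or the server side can show that.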

Replies are listed 'Best First'.
Re^5: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by Anonymous Monk on Aug 04, 2014 at 06:45 UTC
