LoraIlieva has asked for the wisdom of the Perl Monks concerning the following question:
Hi! I have the same task to do and the same problem. I am trying to verify ssl sertificate using Net::SSLeay.
As input I have certificate in PEM format and path to the directory with root and intermediate certificates. I read about doing the verification in C (https://www.ibm.com/developerworks/library/l-openssl/), but I can't find equivalents of called C functions. This is what I did:
my $s_cert_filename = '/path/to/cert/mycert.pem'; my $s_chain_dir = '/path/to/root_and_itermediate/certs/'; #Initialization, because I read about it in cpan my $rv = Net::SSLeay::library_init(); if($rv != 1) {die 'library init'}; Net::SSLeay::load_error_strings(); Net::SSLeay::SSLeay_add_ssl_algorithms(); #Create $ctx object my $ctx = Net::SSLeay::CTX_new or die; #Set where are root and intermediate certs Net::SSLeay::CTX_load_verify_locations($ctx, '', $s_chain_dir) or die_now("CTX load verify loc=`$s_chain_dir' $!"); #Set where is the certificate to be checked $rv = Net::SSLeay::CTX_use_certificate_file($ctx, $s_filename, &Net::SSLeay::FILETYPE_PEM); if($rv != 1) {die 'CTX_use_certificate_file'} #Create $ssl object from $ctx object my $ssl = Net::SSLeay::new($ctx); #Try to get verification result $rv = Net::SSLeay::get_verify_result($ssl); print $rv;
Result is always '0' which means this is valid certificate. The problem is that I tried with both – valid and invalid certificate, and the result is always '0'.
Net::SSLeay::CTX_free($ctx);
Also I read that it's not verifying the certificate, but something called x509_store, so I found other example in C (http://stackoverflow.com/questions/2756553/x509-certificate-verification-in-c). I tryed to translate it to perl:
my $s_cert_filename = '/path/to/cert/mycert.pem'; my $s_chain_dir = '/path/to/root_and_itermediate/certs/'; #Initialization my $rv = Net::SSLeay::library_init(); if($rv != 1) {die 'library init'}; Net::SSLeay::ERR_load_SSL_strings(); Net::SSLeay::SSLeay_add_ssl_algorithms(); #Create $ctx object my $ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!"); #Set where are root and intermediate certs Net::SSLeay::CTX_load_verify_locations($ctx, '', $s_chain_dir) or die_now("CTX load verify loc=`$s_chain_dir' $!"); #Create $ssl object from $ctx object my $ssl = Net::SSLeay::new($ctx); #Set where is the certificate to be checked $rv = Net::SSLeay::use_certificate_file($ssl, $s_filename, &Net::SSLeay::FILETYPE_PEM); #get x509_store and set flag – to check crl my $x509_store = Net::SSLeay::CTX_get_cert_store($ssl); Net::SSLeay::X509_STORE_set_flags($ctx, &Net::SSLeay::X509_V_FLAG_CRL_CHECK); #Try to get verification result $rv = Net::SSLeay::get_verify_result($ssl); print $rv;
Result is the same – always '0'.
Net::SSLeay::CTX_free($ctx);
I think the problem is somewhere in the usage of those strange data structures and 'get_verify_result' returns '0' to show me that there is an error. I don't know what I am doing wrong. Could someone help me?
|
---|
Replies are listed 'Best First'. | |
---|---|
Re: NET::SSLeay to verify certificates?
by rdfield (Priest) on Oct 04, 2018 at 13:54 UTC |