Please, can anyone help me with this? I tried on the lib...@perl.org list but with no luck (so far).
I'd like to restrict the set of CAs LWP is using for SSL connections. Also, what does this mean: "The Crypt::SSLeay package provides Net::SSL" (http://search.cpan.org/~dland/Crypt-SSLeay-0.57/SSLeay.pm)? Is Net::SSL a "virtual package"? Is there such a concept in Perl? I'd think so, but here: http://search.cpan.org/~dland/Crypt-SSLeay-0.57/lib/Net/SSL.pm they say: "Net::SSL is implemented by subclassing IO::Socket::INET". So it doesn't sound like a "virtual package".

STF

-------- Original Message --------
Subject: How to restrict the set of CAs? (HTTPS_CA_FILE, HTTPS_CA_DIR)
Date: Mon, 01 Feb 2010 15:54:43 +0100
From: "Stanisław T. Findeisen" <sf181...@gmail.com>
To: lib...@perl.org

Hello

How do I restrict the set of CA certificates this library uses to validate server (peer) certificates? I tried this simple program:

#!/usr/bin/perl
use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request;

# These environment variables are the ones Crypt::SSLeay's Net::SSL reads.
$ENV{HTTPS_VERSION} = 3;     # force SSLv3
$ENV{HTTPS_DEBUG}   = 1;     # print the handshake trace to STDERR
$ENV{HTTPS_CA_DIR}  = '/var/log/';   # a valid directory that holds no certificates
$ENV{HTTPS_CA_FILE} = '/etc/ssl/certs/Wells_Fargo_Root_CA.pem';

print('LWP version: ' . ($LWP::VERSION) . "\n");

my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => 'https://sourceforge.net/account/login.php');
my $res = $ua->request($req);

print("Status: " . ($res->status_line) . "\n");

if ($res->is_success) {
    # LWP's HTTPS handler adds these pseudo-headers describing the peer certificate
    print('issuer  : ' . ($res->header('Client-SSL-Cert-Issuer'))  . "\n");
    print('subject : ' . ($res->header('Client-SSL-Cert-Subject')) . "\n");
    print('cipher  : ' . ($res->header('Client-SSL-Cipher'))       . "\n");
}

but the output is:

LWP version: 5.813
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Status: 200 OK
issuer  : /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
subject : /C=US/O=sourceforge.net/OU=3754508056/OU=See www.geotrust.com/resources/cps (c)09/OU=Domain Control Validated - QuickSSL(R)/CN=sourceforge.net
cipher  : RC4-MD5

If I, however, connect to a local site with a self-signed certificate I get this:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:failed in SSLv2 read server hello A
Status: 500 SSL negotiation failed:

which is nice. So, it looks like these settings:

$ENV{HTTPS_CA_DIR}  = '/var/log/';
$ENV{HTTPS_CA_FILE} = '/etc/ssl/certs/Wells_Fargo_Root_CA.pem';

are ineffective? I am setting $ENV{HTTPS_CA_DIR} to '/var/log/' so that it is set to something valid but with no certificates. Setting this to undef or skipping this line doesn't help. What's wrong? (Wells_Fargo_Root_CA.pem doesn't look like Equifax.)

Am I using Crypt::SSLeay? How do I know that?

I know 5.813 is not the newest version but this is the one in the current Debian GNU/Linux distro...

STF

http://eisenbits.homelinux.net/~stf/
OpenPGP: DFD9 0146 3794 9CF6 17EA D63F DBF5 8AA8 3B31 FE8A

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
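The following is an added example, not code from the post above or from any of the modules it mentions. It shows the way to pin LWP's trust store to one CA file and have the handshake fail when the server's chain does not lead to it, using the ssl_opts interface of LWP::UserAgent 6.00 and later (LWP::Protocol::https over IO::Socket::SSL); LWP releases before 6.00, such as the 5.813 in the post, did not verify the server certificate by default. The CA file path, the URL and the timeout are assumptions for illustration. The %INC check at the end answers the "which SSL backend am I using?" question the post raises.

```perl
#!/usr/bin/perl
# Added example (not from the original post): restrict LWP's trusted CAs to a
# single file and verify the peer and its hostname. Assumes LWP::UserAgent 6.00+
# with LWP::Protocol::https and IO::Socket::SSL installed.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $ca_file = '/etc/ssl/certs/Wells_Fargo_Root_CA.pem';   # assumed: the only CA we trust
my $url     = 'https://sourceforge.net/account/login.php'; # assumed target

die "CA file $ca_file is not readable\n" unless -r $ca_file;

my $ua = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => {
        verify_hostname => 1,                # the certificate's name must match the URL host
        SSL_verify_mode => SSL_VERIFY_PEER,  # abort the handshake if the chain does not verify
        SSL_ca_file     => $ca_file,         # only this CA (and what it signs) is trusted
        # SSL_ca_path is deliberately left unset so the system CA directory
        # does not get added to the trust store behind our back.
    },
);

my $res = $ua->get($url);
print 'Status: ', $res->status_line, "\n";

# With a CA file that does not contain the server's issuer, a correctly
# verifying client must fail here: LWP 6 reports the failed connect as a
# 500 status whose message carries the OpenSSL verify error.
if ($res->is_success) {
    print "Chain verified against $ca_file\n";
} else {
    print "Connection refused by the client: ", $res->status_line, "\n";
}

# Which SSL backend actually got loaded?  %INC lists every module that was
# compiled, so it tells us whether IO::Socket::SSL or Crypt::SSLeay's
# Net::SSL ended up behind the https:// request.
for my $mod (qw(LWP/Protocol/https.pm IO/Socket/SSL.pm Net/SSL.pm)) {
    printf "%-24s %s\n", $mod,
        exists $INC{$mod} ? "loaded from $INC{$mod}" : 'not loaded';
}
```

The same settings can be supplied without touching the code through the environment variables LWP 6 reads at start-up: PERL_LWP_SSL_CA_FILE (or PERL_LWP_SSL_CA_PATH) for the trust store and PERL_LWP_SSL_VERIFY_HOSTNAME for name checking. Whichever way they are set, the test that the restriction is effective is the negative one shown in the block: a server whose chain is not rooted in the pinned file must produce a failed request, not a 200.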