I have a problem in the following situation:

I have OpenSSL 0.9.5a on AIX 4.3.3.
I use Perl 5.005_03 and the perl module Net::SSLeay 1.05, and after some
effort got the latter to run.

I write my problem here as I know no other forum for Net::SSLeay.

I want to open a client-authenticated SSL v3 session to an IBM HTTP Server.

This works fine from Netscape, and I also succeed with 'openssl s_client'
with the following parameters:
  openssl s_client -connect $host:$port -CApath $capath -CAfile $cafile
  -cert $certfile -key $keyfile -ssl3 -ign_eof -quiet

Now I need to do the same thing from perl.

The relevant section of the perl script I use is:

# network connection has been opened successfully

$ctx = Net::SSLeay::CTX_new() or die_now("Failed to create SSL_CTX $!");
Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL)
    and die_if_ssl_error("Failed in CTX_set_options");
Net::SSLeay::CTX_load_verify_locations($ctx, $cafile, $cadir);
die_if_ssl_error("Failed in CTX_load_verify_locations");
Net::SSLeay::CTX_use_PrivateKey_file($ctx, $keyfile,
    &Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error("Failed in CTX_use_PrivateKey_file $!");
Net::SSLeay::CTX_use_certificate_file($ctx, $certfile,
    &Net::SSLeay::FILETYPE_PEM);
die_if_ssl_error("Failed in CTX_use_certificate_file");
$ssl = Net::SSLeay::new($ctx) or die_now("Failed to create SSL $!");
Net::SSLeay::set_fd($ssl, fileno(S));   # Must use fileno
die_if_ssl_error("Failed in set_fd");
print Net::SSLeay::dump_peer_certificate($ssl);
$res = Net::SSLeay::connect($ssl);
die_if_ssl_error("Failed in connect");
print "Cipher '" . Net::SSLeay::get_cipher($ssl) . "'\n";

Running this script fails at connect, the output is:

Subject Name: NO X509_NAME
Issuer  Name: NO X509_NAME
Failed in connect 14624: 1 - error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
14624: Failed in connect

In the HTTP server error log I get:

SSL handshake failed, invalid certificate.

But the client certificate file I supply is the same as for
'openssl s_client' where it works.

Thanks for any help,
Laurenz Brein

   Telephon: ++43-1-21145/3256    e-mail: [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
