Well I got this much working:
my $hashref = $IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$hashref->{'SSL_verify_mode'} = Net::SSLeay::VERIFY_PEER();
#$hashref->{'SSL_ca_path'} = "/root/ca";
$hashref->{'SSL_ca_file'} = '/root/ca/cert.crt';
HOWEVER, only when I specify the CA cert file will verification work. If I set SSL_ca_path, it results in...
Invalid certificate authority locations
SSL error: 32010: 1 - error:02001002:system library:fopen:No such file or directory
SSL error: 32010: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
SSL error: 32010: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
at /usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 580
Is there a CA cert filename extension that should be met if SSL_ca_path is used?
Thanks.
- Chris
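The errors above come from OpenSSL's SSL_ca_path lookup: it does not scan the directory for *.crt files but opens a file named after the hash of the issuer's subject name (`<hash>.0`, then `.1`, `.2` on collisions), which is what the c_rehash script creates. The following script is an added example, not code from the thread: it builds such a hashed directory from plain PEM files (assuming the `openssl` command line tool is installed and the paths `/root/ca` and `/root/ca/hashed` are placeholders for your own), then applies the same $GLOBAL_CONTEXT_ARGS technique shown in the message above with SSL_ca_path instead of SSL_ca_file and fails closed when the peer does not verify.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Copy qw(copy);
use IO::Socket::SSL;
use Net::SSLeay;

# Hypothetical locations; adjust to your environment.
my $src_dir = '/root/ca';          # directory holding *.crt / *.pem CA certificates
my $ca_path = '/root/ca/hashed';   # directory OpenSSL will search via SSL_ca_path

# OpenSSL looks a CA up by the hash of its subject name, so every file in the
# SSL_ca_path directory must be named <hash>.N.  This mimics c_rehash, using the
# openssl CLI (assumed to be on PATH) to compute the hash.
sub rehash_ca_dir {
    my ($src, $dst) = @_;
    mkdir $dst unless -d $dst;
    opendir(my $dh, $src) or die "opendir $src: $!";
    my %seen;   # hash => number of certs already stored under it
    for my $name (sort readdir($dh)) {
        next unless $name =~ /\.(?:crt|pem|cer)$/i;
        my $file = File::Spec->catfile($src, $name);
        # list-form open: no shell involved, so file names are never reinterpreted
        open(my $oh, '-|', 'openssl', 'x509', '-noout', '-hash', '-in', $file)
            or die "cannot run openssl: $!";
        my $hash = <$oh>;
        close $oh;
        next unless defined $hash && $hash =~ /^([0-9a-f]{8})$/i;   # skip non-certificates
        $hash = $1;
        my $n    = $seen{$hash}++;                 # .0 for the first, .1 on a collision, ...
        my $link = File::Spec->catfile($dst, "$hash.$n");
        unlink $link;
        symlink($file, $link) or copy($file, $link) or die "cannot create $link: $!";
    }
    closedir $dh;
    return scalar keys %seen;                      # number of distinct subject hashes
}

rehash_ca_dir($src_dir, $ca_path)
    or die "no CA certificates found in $src_dir\n";

# Same approach as the working snippet above, now pointing at the hashed directory.
my $args = $IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$args->{SSL_verify_mode} = Net::SSLeay::VERIFY_PEER();
$args->{SSL_ca_path}     = $ca_path;

# With VERIFY_PEER the handshake itself aborts on an untrusted chain, so a
# failed constructor is the "connection break during handshaking" wanted here.
my $host = 'mail.istop.com';   # host from the thread; any HTTPS server will do
my $sock = IO::Socket::SSL->new("$host:443")
    or die "TLS handshake to $host refused: ", IO::Socket::SSL::errstr(), "\n";
print "verified connection to $host\n";
$sock->close;
```

Run it once to populate the directory, and rerun it whenever a root is added or removed; verification checks can be reproduced outside Perl with `openssl verify -CApath /root/ca/hashed server.pem`, which uses the same lookup rule. Note that OpenSSL 1.0.0 changed the subject-hash algorithm, so a directory hashed with an older `openssl` binary must be rehashed after an upgrade.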
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 11:02 AM
To: 'openssl-users@openssl.org'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'
Made some progress I think. I'm hoping someone can slap me in the right direction.
Using LWP and IO::Socket::SSL, I should be able to define the SSL constructor's args by setting $GLOBAL_CONTEXT_ARGS after I load the module. The inline source comments mention that IO::Socket::SSL->configure() is called when a new socket is made, which should call IO::Socket::SSL->configure_SSL(), which should merge $GLOBAL_CONTEXT_ARGS over the defaults args. (one of which is Net::SSLeay::VERIFY_NONE() which I need to change)
My problem now is I can't get the Perl syntax working to set IO::Socket::SSL $GLOBAL_CONTEXT_ARGS. This part of SSL.pm's source seems intended to support this kind of usage, it's just not documented anywhere I can find.
It goes something like this:
use LWP::UserAgent;
use IO::Socket::SSL;
my $GLOBAL_CONTEXT_ARGS = new IO::Socket::SSL::GLOBAL_CONTEXT_ARGS (
'SSL_verify_mode' => 0x02,
'SSL_ca_path' => '/root/ca/');
...
From the SSL.pm source:
use vars qw(@ISA $VERSION $DEBUG $ERROR $GLOBAL_CONTEXT_ARGS);
BEGIN {
...
$GLOBAL_CONTEXT_ARGS = {};
...
}
sub configure_SSL {
...
#Replace nonexistent entries with defaults
$arg_hash = { %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash };
...
}
I've been struggling to understand how to set this Global variable correctly. I know it's going to be a stupid mistake on my part.
Any help would be greatly appreciated.
Thanks!
- Chris
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: June 7, 2005 6:50 PM
To: 'openssl-users@openssl.org'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'
Thanks Brian.
Wow, I'm really pulling my hair out now.
LWP with IO::Socket::SSL doesn't have a lot of documented ways to manipulate the socket constructor. In fact I tried constructing my own IO::Socket::SSL object with various parts set (like SSL_verify_mode), and passing it to LWP::ConnCache, but the results never change. With IO::Socket::SSL the connection is established, and client-ssl-warning is present in the header. (I assumed the $key in LWP::ConnCache->deposit() was the host:port of the target peer)
With LWP and Crypt::SSLeay things seemed easier. If I set either $ENV{HTTPS_CA_DIR} or $ENV{HTTPS_CA_FILE}, then peer cert verification is enabled. (without either its 'Peer certificate not verified' all over again) Unfortunately the ability doesn't seem to be all there. I don't know if it's something in the certificate DN subject, but verification success is spotty for me.
Anyone have any problems with using this CA cert for https://mail.istop.com? I get "500 SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed" (I know the cert subject doesn't completely match the host, I'm not checking for this in LWP::UserAgent->get('If-SSL-Cert-Subject' => 'istop.com'))
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
If anyone has any suggestions on the proper way to implement any of this, it would be greatly appreciated. Or which SSL support for LWP I'd be better off with.
Thanks!
- Chris
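The two failure modes described in this message, a handshake that completes with only a 'client-ssl-warning' header to show for it, and a subject name that does not match the host, are both handled at the LWP layer in LWP version 6 and later through the ssl_opts constructor argument, which is passed through to IO::Socket::SSL. The script below is an added example and not code from the thread or from the LWP project; the CA file path is a placeholder, and it assumes LWP::Protocol::https with IO::Socket::SSL as the backend (the Crypt::SSLeay path with HTTPS_CA_FILE / HTTPS_CA_DIR is not used here).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical trust store; point it at the roots you actually maintain.
my $ca_file = '/root/ca/cert.crt';

# A client that refuses any peer whose chain does not validate against $ca
# or whose certificate does not name the host in the URL.  verify_hostname
# replaces the manual 'If-SSL-Cert-Subject' header check.
sub make_verifying_ua {
    my ($ca) = @_;
    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,      # subject / SAN must match the URL host
            SSL_ca_file     => $ca,    # or SSL_ca_path => $hashed_dir
        },
    );
}

# Returns (1, body) for a verified, successful fetch and (0, reason) otherwise.
# A verification failure never reaches the server: LWP synthesises a 500
# response tagged 'Client-Warning: Internal response', so there is no
# half-trusted connection to inspect for a 'client-ssl-warning' header.
sub fetch_verified {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    return (1, $res->decoded_content) if $res->is_success;
    my $why = $res->status_line;
    my $warn = $res->header('Client-Warning') || '';
    $why .= ' [connection refused by client, not a server error]'
        if $warn eq 'Internal response';
    return (0, $why);
}

my $ua = make_verifying_ua($ca_file);
my ($ok, $out) = fetch_verified($ua, 'https://mail.istop.com/');   # host from the thread
if ($ok) { print "verified fetch succeeded, ", length($out), " bytes\n" }
else     { print "refused: $out\n" }
```

The same settings can be applied process-wide without touching code through the environment variables PERL_LWP_SSL_CA_FILE (or PERL_LWP_SSL_CA_PATH) and PERL_LWP_SSL_VERIFY_HOSTNAME=1, which is the LWP 6 counterpart of the Crypt::SSLeay HTTPS_CA_FILE / HTTPS_CA_DIR variables mentioned above; in either case a peer that is not in the trust store is rejected before any request body is sent.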
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian DeGeeter
Sent: June 7, 2005 5:01 PM
To: openssl-users@openssl.org
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'
Have you tried setting the verify mode? It's ignored by default.
From man IO::Socket::SSL:
SSL_verify_mode
This option sets the verification mode for the peer certificate.
The default (0x00) does no authentication. You may combine 0x01
(verify peer), 0x02 (fail verification if no peer certificate
exists; ignored for clients), and 0x04 (verify client once) to
change the default.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chris Mckenzie
Sent: Tuesday, 07 June, 2005 11:13 AM
To: 'openssl-users@openssl.org'
Subject: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'
Hi all.
I've been making out fairly well with my usage of LWP and IO::Socket::SSL, to the point where I'm trying to include a list of trusted peer server and CA certs to trust.
The only problem is I can't seem to force OpenSSL to drop all non-trusted/verified SSL connections. If I try connecting to a site that I don't currently have a trusted root for, the connection handshake is established and all I have to show for it is the response header 'client-ssl-warning' => 'Peer certificate not verified'.
This of course isn't desirable. I need to force a connection break during the handshake, not after the connection is established.
Is there an OpenSSL environment variable I can set to require SSL cert verification?
Thanks!
- Chris