I'm having a problem getting Crypt::SSLeay to authenticate
server certificates when running under mod_perl on a web server that has mod_ssl
enabled. I'm not sure if this is a bug with Crypt::SSLeay, mod_ssl,
mod_perl, Net::SSLeay, or the underlying OpenSSL libraries, but I'm hoping
someone here will at least be able to narrow down where the problem lies.
Additionally, I'm running under a fairly old Linux distribution (Red Hat AS 3.0)
with Perl 5.8.0, Apache 2.0.40, mod_perl 1.99_07, and libssl 0.9.6, but
given that I haven't seen this problem reported anywhere else, let alone
reported as having been fixed, I'm fairly confident that it still applies to
more recent software versions.
Here's an overview of what I'm trying to
do:
I've written a component that runs on a Perl-based
web portal system residing under mod_perl on an Apache web server configured
with mod_ssl. User authentication is handled by the Perl-based portal
framework, and my component connects to a servlet on a Tomcat server residing on
a separate machine. Due to the sensitive nature of the data being handled,
all connections (from the user to the web server and from the web server to
Tomcat) are being done via HTTPS. For security reasons, I need to validate
the Tomcat server's certificate. I'm using LWP::UserAgent in conjunction
with Crypt::SSLeay, and my Perl component is setting the appropriate environment
variable (HTTPS_CA_FILE and/or HTTPS_CA_DIR, I've tried both) as per the
Crypt::SSLeay documentation.
As a test scenario, I configured Tomcat with a
self-signed certificate, and my component is using a bogus CA bundle. The
expected behavior is that the connection to Tomcat should fail due to the
mismatched certificates.
However, what actually happens is that all requests
sent to Tomcat succeed without even so much as a warning about the invalid
certificate.
In the process of trying to narrow down the cause
of the problem, I tried a number of things.
I tried running the snippet of code handling the
HTTPS request to Tomcat as a standalone script with the exact same (mismatched)
certificates in place. This resulted in the expected behavior
(failure due to invalid server certificate).
I tried disabling mod_ssl and connecting to the web
server via HTTP instead of HTTPS (while still using HTTPS for the connection to
Tomcat). This also resulted in the expected behavior.
I tried running the snippet of code as a standalone
script that gets invoked (in backticks) by my mod_perl component. This
resulted in the expected behavior.
It's only when mod_ssl is enabled that my component
behaves incorrectly and fails to properly validate the server's certificate
against the CA bundle.
My best guess at what's happening is that mod_ssl
is preloading libssl and configuring it according to its own requirements
(and mod_ssl doesn't care about the certificates of other servers), and
when my code runs (later) under mod_perl, the variables I'm sending it are
being completely ignored.
Can this be fixed, or can anyone think of any
viable workarounds for this (that don't involve running my code as a standalone
script)?
Thanks.
