Something has to be broken here. I even attempted to supply
the CRL file.
1) Checked that my CA cert verifies correctly, in the process
determine the cert's CDP:
openssl x509 -in cacert.pem -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 927650371
(0x374ad243)
Signature Algorithm:
sha1WithRSAEncryption
...
X509v3 extensions:
Netscape Cert Type:
SSL CA, S/MIME CA, Object Signing CA
X509v3 CRL Distribution Points:
URI:http://www.007.com/CRL/net1.crl
2) Get the CRL:
wget http://www.007.com/CRL/net1.crl
3) Get the CA cert's subject name hash:
openssl x509 -in cacert.pem -hash -noout
ed524cf5
4) Rename the crl cert to the hash.r0
mv net1.crl ed524cf5.r0
5) Executed my LWP w/ IO::Socket::SSL get attempt to a site
utilizing a Server SSL cert issued from this CA.
use IO::Socket::SSL(debug4);
...
my $hashref =
$IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$hashref->{'SSL_verify_mode'} = Net::SSLeay::VERIFY_PEER();
$hashref->{'SSL_ca_file'} = '/root/ca/cacert.pem';
my $browser = LWP::UserAgent->new;
$browser->conn_cache(LWP::ConnCache->new);
$browser->cookie_jar( HTTP::Cookies->new() );
my
$response = $browser->get('https://www.007.com');
Results in...
SSL connect attempt failederror:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
at
/usr/lib/perl5/vendor_perl/5.8.0/LWP/Protocol/http.pm line 35
IO::Socket::INET configuration failed
at
/usr/lib/perl5/vendor_perl/5.8.0/LWP/Protocol/http.pm line 35
If I change:
$hashref->{'SSL_ca_file'} = '/root/ca/cacert.pem';
To:
$hashref->{'SSL_ca_path'} = "/root/ca";
I get:
Invalid certificate authority locations
SSL error: 13951: 1 - error:02001002:system library:fopen:No such
file or directory
SSL error: 13951: 2 -
error:2006D080:BIO routines:BIO_new_file:no such file
SSL error:
13951: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib at
/usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 591
I'm switching back to Crypt::SSLeay and take a 2nd crack at
it.
Please, please, please, let me know if this is a known issue
that I just couldn't find any information on. It would be greatly
appreciated.
Thanks!
- Chris
-----Original Message-----
From:
[hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: June 8, 2005 2:42
PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificat e not verified'
Yet another update.
Just upgraded to
openssl 9.7g latest, non-beta. No difference. It doesn't explicitly say
anywhere that if you don't set Net::SSLeay::X509_V_FLAG_CRL_CHECK, that CRL
verification won't be performed. Which sort of makes the point of setting it
moot.
Any ideas? I'm getting close to giving up.
Thanks.
- Chris
-----Original Message-----
From:
[hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: June 8, 2005 2:00 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificat e not verified'
Just to follow up, all 3 CA certs in /root/ca/ are pem format
and check out fine with openssl x509.
Now, something
for the author's of IO::Socket::SSL. There looks to be 2 points of strangeness
here:
Why does SSL.pm version 0.96, line 582:
&Net::SSLeay::CTX_load_verify_locations
($ctx, @{$arg_hash}{'SSL_ca_file','SSL_ca_path'}) ||
return IO::Socket::SSL->error("Invalid certificate authority locations");
;completely bail if peer verification is not disabled,
if no CRL certificate is found? Shouldn't the setting SSL_check_crl (line 587)
be used prior to Net::SSLeay::CTX_load_verify_locations() being
called?
This prompted me to look at the Net::SSLeay docs more closely.
(http://search.cpan.org/~sampo/Net_SSLeay.pm-1.25/SSLeay.pm)
Net::SSLeay::X509_V_FLAG_CRL_CHECK doesn't seem to have a
"X509_V_FLAG_NO_CRL_CHECK". I would have assumed that unless you set the
Net::SSLeay::X509_V_FLAG_CRL_CHECK flag, CRL checking would be OFF.
Net::SSLeay::CTX_load_verify_locations() will perform CRL
checking and fail unless you've got everything it needs, regardless of whether
it's on or not. I believe it should only perform CRL checking when
Net::SSLeay::X509_V_FLAG_CRL_CHECK is set.
Does this looks like an openssl bug? Already sound familiar?
I'm using openssl 0.9.7a (old I know), does anyone know if this has been fixed
since?
BTW, if CRL checking is expected to be off by default,
shouldn't the SSL.pm check for 'SSL_check_crl' (line 587) occur before
Net::SSLeay::CTX_load_verify_locations (line 582) so the setting would make a
difference?
Anyways, thanks for reading my ramblings. I'm going to try and
upgrade to the latest stable openssl and see if it makes a
difference.
- Chris
-----Original Message-----
From: [hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: June 8, 2005 12:55
PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificat e not verified'
Well I got this much working:
my
$hashref = $IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$hashref->{'SSL_verify_mode'} =
Net::SSLeay::VERIFY_PEER();
#$hashref->{'SSL_ca_path'} = "/root/ca";
$hashref->{'SSL_ca_file'} = '/root/ca/cert.crt';
HOWEVER, only when I specify the CA cert file will verification work.
If I set SSL_ca_path, it results in...
Invalid
certificate authority locations
SSL error:
32010: 1 - error:02001002:system library:fopen:No such file or directory
SSL error: 32010: 2 - error:2006D080:BIO
routines:BIO_new_file:no such file
SSL error: 32010: 3 - error:0B084002:x509
certificate routines:X509_load_cert_crl_file:system lib
at
/usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 580
Is there a CA cert filename extension that should be met if SSL_ca_path
is used?
Thanks.
- Chris
-----Original Message-----
From: [hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: June 8, 2005 11:02
AM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificat e not verified'
Made some progress I think. I'm hoping someone can slap me in
the right direction.
Using LWP and IO::Socket::SSL, I
should be able to define the SSL constructor's args by setting
$GLOBAL_CONTEXT_ARGS after I load the module. The inline source comments
mention that IO::Socket::SSL->configure() is called when a new socket is
made, which should call IO::Socket::SSL->configure_SSL(), which should
merge $GLOBAL_CONTEXT_ARGS over the defaults args. (one of which is
Net::SSLeay::VERIFY_NONE() which I need to change)
My problem now is I can't get the Perl syntax working to set
IO::Socket::SSL $GLOBAL_CONTEXT_ARGS. This part of SSL.pm's source seems
intended to support this kind of usage, it's just not documented anywhere I
can find.
It goes something like this:
use
LWP::UserAgent;
use IO::Socket::SSL;
my $GLOBAL_CONTEXT_ARGS = new IO::Socket::SSL::GLOBAL_CONTEXT_ARGS (
'SSL_verify_mode' => 0x02,
'SSL_ca_path' => '/root/ca/');
...
From the SSL.pm source:
use vars qw(@ISA $VERSION $DEBUG $ERROR
$GLOBAL_CONTEXT_ARGS);
BEGIN {
...
$GLOBAL_CONTEXT_ARGS =
{};
...
}
sub configure_SSL {
...
#Replace nonexistent entries with defaults
$arg_hash = { %default_args,
%$GLOBAL_CONTEXT_ARGS, %$arg_hash };
...
}
I've been struggling to
understand how to set this Global variable correctly. I know it's going to be
a stupid mistake on my part.
Any help would be greatly appreciated.
Thanks!
- Chris
-----Original Message-----
From:
[hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: June 7, 2005 6:50 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificat e not verified'
Thanks Brian.
Wow, I'm really pulling
my hair out now.
Between LWP with IO::Socket::SSL
doesn't have a lot of documented ways to manipulate the sock constructor.
Infact I tried constructing my own IO::Socket::SSL object with various
parts set (like SSL_verify_mode), and passing it LWP::ConnCache, but the
results never change. With IO::Socket::SSL the connection is established, and
client-ssl-warning is present in the header. (I assumed the $key in
LWP::ConnCache->deposit() was the host:port of the target peer)
With LWP and Crypt::SSLeay things seemed easier. If I set
either $ENV{HTTPS_CA_DIR} or $ENV{HTTPS_CA_FILE}, then peer cert verification
is enabled. (without either its 'Peer certificate not verified' all over
again) Unfortunately the ability doesn't seem to be all there. I don't know if
it's something in the certificate DN subject, but verification success is
spotty for me.
Anyone have any problems with using this CA cert for https://mail.istop.com? I get
"500 SSL negotiation failed: error:1407E086:SSL
routines:SSL2_SET_CERTIFICATE:certificate verify failed" (I know the cert
subject doesn't completely match the host, I'm not checking for this in
LWP::UserAgent->get('If-SSL-Cert-Subject' => 'istop.com'))
-----BEGIN CERTIFICATE-----
MIICvzCCAigCAQAwDQYJKoZIhvcNAQEEBQAwgacxCzAJBgNVBAYTAkNBMRAwDgYD
VQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExITAfBgNVBAoTGERvbmNhc3Rl
ciBDb25zdWx0aW5nIEluYzESMBAGA1UECxMJSVN0b3AuY29tMRUwEwYDVQQDEwxu
cy5pc3RvcC5jb20xJzAlBgkqhkiG9w0BCQEWGHN5c2FkbWluQGRvbmNhc3Rlci5v
bi5jYTAeFw0wMDA3MTExMDQ1NDZaFw0wNTA3MTAxMDQ1NDZaMIGnMQswCQYDVQQG
EwJDQTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMSEwHwYDVQQK
ExhEb25jYXN0ZXIgQ29uc3VsdGluZyBJbmMxEjAQBgNVBAsTCUlTdG9wLmNvbTEV
MBMGA1UEAxMMbnMuaXN0b3AuY29tMScwJQYJKoZIhvcNAQkBFhhzeXNhZG1pbkBk
b25jYXN0ZXIub24uY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMezoDeo
r/4F7l9R5q58n1QvCpgvOMxB6pR0hWCLFTbRtqXAccETONLho39QLJ4NciknyewP
a5502ae9f/INw1hq9WAwgcXeArA/pCQaVG2k9aZdNY4dWLJbHnHOhxRiyenCS4uo
Lqw3unGQFAgts/TALF88eTao23GKrp5pVRTnAgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAO7jOO6BVvD/N9+z4BgjdxdJgo+lFhrWiJ+occRbbadsuVDA4WmFbLuzGANHo
9fILoVtWKFoZSDgls7kquiFU4Tz93o2HKl/1Y1rdzByRt3ND+DuhRk4+SgF3lBvO
lJUVpk7WMD9DYi2HuSrLoOSQH8nqN2/J7UQigBw27j9qJFg=
-----END CERTIFICATE-----
If anyone has any suggestions on the proper way to implement
any of this, it would be greatly appreciated. Or which SSL support for LWP I'd
be better off with.
Thanks!
- Chris
-----Original Message-----
From:
[hidden email] [[hidden email]]
On Behalf Of Brian DeGeeter
Sent: June 7, 2005 5:01 PM
To: [hidden email]
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer
certificate not verified'
Have you tried setting the verify mode? It's ignored by
default.
From man IO::Socket::SSL:
SSL_verify_mode
This option sets the verification mode for the peer certificate.
The default (0x00) does no authentication. You may combine 0x01
(verify peer), 0x02 (fail verification if no peer certificate
exists; ignored for clients), and 0x04 (verify client once) to
change the default.
From: [hidden email] [[hidden email]]
On Behalf Of Chris Mckenzie
Sent: Tuesday, 07 June,
2005 11:13 AM
To: '[hidden email]'
Subject: Quick question about 'client-ssl-warning'
=> 'Peer certificate not verified'
Hi all.
I've been making out fairly
well with my usage of LWP and IO::Socket::SSL, to the point where I'm trying
to include a list of trusted peer server and CA certs to trust.
The only problem is I can't seem to force OpenSSL to drop all
non-trusted/verified SSL connections. If I try connecting to a site that I
don't current have a trusted root for, the connection handshake is established
and all I have to show for it is the response header client-ssl-warning' =>
'Peer certificate not verified'.
This of course isn't desirable. I need to force a connection
break during the hand shaking, not after the connection is
established.
Is there an OpenSSL environment variable I can set to require
SSL cert verification?
Thanks!
- Chris