RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'

Chris Mckenzie
Message
Just to conclude my unanswered rantings, I switched back to using LWP and Crypt::SSLeay. Setting HTTPS_CA_FILE enables peer verification requirements. The HTTPS_CA_DIR setting doesn't work, they all just get ignored regardless of the filenaming, extension or format.
 
Thankfully I only require a single trusted root, so I'm sticking with this solution.
 
Thanks.
 
- Chris
-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 4:35 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'

Something has to be broken here. I even attempted to supply the CRL file.

1) Checked that my CA cert verifies correctly, in the process determine the cert's CDP:

openssl x509 -in cacert.pem -text

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 927650371 (0x374ad243)
        Signature Algorithm: sha1WithRSAEncryption
...
        X509v3 extensions:
            Netscape Cert Type:
                SSL CA, S/MIME CA, Object Signing CA
            X509v3 CRL Distribution Points:
                URI:http://www.007.com/CRL/net1.crl

2) Get the CRL:

wget http://www.007.com/CRL/net1.crl

3) Get the CA cert's subject name hash:

openssl x509 -in cacert.pem -hash -noout
ed524cf5

4) Rename the crl cert to the hash.r0

mv net1.crl ed524cf5.r0

5) Executed my LWP w/ IO::Socket::SSL get attempt to a site utilizing a Server SSL cert issued from this CA.

use IO::Socket::SSL(debug4);
...
my $hashref    = $IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$hashref->{'SSL_verify_mode'} = Net::SSLeay::VERIFY_PEER();
$hashref->{'SSL_ca_file'} = '/root/ca/cacert.pem';
my $browser = LWP::UserAgent->new;
$browser->conn_cache(LWP::ConnCache->new);
$browser->cookie_jar( HTTP::Cookies->new() );
my $response = $browser->get('https://www.007.com');

Results in...

SSL connect attempt failederror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
 at /usr/lib/perl5/vendor_perl/5.8.0/LWP/Protocol/http.pm line 35
IO::Socket::INET configuration failed
 at /usr/lib/perl5/vendor_perl/5.8.0/LWP/Protocol/http.pm line 35


If I change:

$hashref->{'SSL_ca_file'} = '/root/ca/cacert.pem';

To:

$hashref->{'SSL_ca_path'} = "/root/ca";

I get:

Invalid certificate authority locations
SSL error:  13951: 1 - error:02001002:system library:fopen:No such file or directory
SSL error:  13951: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
SSL error:  13951: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib at /usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 591


I'm switching back to Crypt::SSLeay and take a 2nd crack at it.

Please, please, please, let me know if this is a known issue that I just couldn't find any information on. It would be greatly appreciated.

Thanks!

- Chris

-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 2:42 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'


Yet another update.
Just upgraded to openssl 9.7g latest, non-beta. No difference. It doesn't explicitly say anywhere that if you don't set Net::SSLeay::X509_V_FLAG_CRL_CHECK, that CRL verification won't be performed. Which sort of makes the point of setting it moot.

Any ideas? I'm getting close to giving up.
Thanks.
- Chris
-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 2:00 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'


Just to follow up, all 3 CA certs in /root/ca/ are pem format and check out fine with openssl x509.
Now, something for the author's of IO::Socket::SSL. There looks to be 2 points of strangeness here:
Why does SSL.pm version 0.96, line 582:
        &Net::SSLeay::CTX_load_verify_locations
            ($ctx, @{$arg_hash}{'SSL_ca_file','SSL_ca_path'}) ||
            return IO::Socket::SSL->error("Invalid certificate authority locations");
;completely bail if peer verification is not disabled, if no CRL certificate is found? Shouldn't the setting SSL_check_crl (line 587) be used prior to Net::SSLeay::CTX_load_verify_locations() being called?

This prompted me to look at the Net::SSLeay docs more closely. (http://search.cpan.org/~sampo/Net_SSLeay.pm-1.25/SSLeay.pm) Net::SSLeay::X509_V_FLAG_CRL_CHECK doesn't seem to have a "X509_V_FLAG_NO_CRL_CHECK". I would have assumed that unless you set the Net::SSLeay::X509_V_FLAG_CRL_CHECK flag, CRL checking would be OFF.

Net::SSLeay::CTX_load_verify_locations() will perform CRL checking and fail unless you've got everything it needs, regardless of whether it's on or not. I believe it should only perform CRL checking when Net::SSLeay::X509_V_FLAG_CRL_CHECK is set.

Does this looks like an openssl bug? Already sound familiar? I'm using openssl 0.9.7a (old I know), does anyone know if this has been fixed since?


BTW, if CRL checking is expected to be off by default, shouldn't the SSL.pm check for 'SSL_check_crl' (line 587) occur before Net::SSLeay::CTX_load_verify_locations (line 582) so the setting would make a difference?

Anyways, thanks for reading my ramblings. I'm going to try and upgrade to the latest stable openssl and see if it makes a difference.

- Chris
-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 12:55 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'


Well I got this much working:
my $hashref    = $IO::Socket::SSL::GLOBAL_CONTEXT_ARGS;
$hashref->{'SSL_verify_mode'} = Net::SSLeay::VERIFY_PEER();
#$hashref->{'SSL_ca_path'} = "/root/ca";
$hashref->{'SSL_ca_file'} = '/root/ca/cert.crt';
HOWEVER, only when I specify the CA cert file will verification work. If I set SSL_ca_path, it results in...
Invalid certificate authority locations
SSL error:  32010: 1 - error:02001002:system library:fopen:No such file or directory
SSL error:  32010: 2 - error:2006D080:BIO routines:BIO_new_file:no such file
SSL error:  32010: 3 - error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
 at /usr/lib/perl5/vendor_perl/5.8.0/IO/Socket/SSL.pm line 580
Is there a CA cert filename extension that should be met if SSL_ca_path is used?
Thanks.
- Chris
-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 8, 2005 11:02 AM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'


Made some progress I think. I'm hoping someone can slap me in the right direction.
Using LWP and IO::Socket::SSL, I should be able to define the SSL constructor's args by setting $GLOBAL_CONTEXT_ARGS after I load the module. The inline source comments mention that IO::Socket::SSL->configure() is called when a new socket is made, which should call IO::Socket::SSL->configure_SSL(), which should merge $GLOBAL_CONTEXT_ARGS over the defaults args. (one of which is Net::SSLeay::VERIFY_NONE() which I need to change)

My problem now is I can't get the Perl syntax working to set IO::Socket::SSL $GLOBAL_CONTEXT_ARGS. This part of SSL.pm's source seems intended to support this kind of usage, it's just not documented anywhere I can find.

It goes something like this:
use LWP::UserAgent;
use IO::Socket::SSL;
my $GLOBAL_CONTEXT_ARGS = new IO::Socket::SSL::GLOBAL_CONTEXT_ARGS (
    'SSL_verify_mode' => 0x02,
    'SSL_ca_path' => '/root/ca/');
...
From the SSL.pm source:
use vars qw(@ISA $VERSION $DEBUG $ERROR $GLOBAL_CONTEXT_ARGS);
BEGIN {
...
    $GLOBAL_CONTEXT_ARGS = {};
...
}
sub configure_SSL {
...
    #Replace nonexistent entries with defaults
    $arg_hash = { %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash };
...
}
I've been struggling to understand how to set this Global variable correctly. I know it's going to be a stupid mistake on my part.

Any help would be greatly appreciated.
Thanks!
- Chris


-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: June 7, 2005 6:50 PM
To: '[hidden email]'
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificat e not verified'


Thanks Brian.
Wow, I'm really pulling my hair out now.
Between LWP with IO::Socket::SSL doesn't have a lot of documented ways to manipulate the sock constructor. Infact I  tried constructing my own IO::Socket::SSL object with various parts set (like SSL_verify_mode), and passing it LWP::ConnCache, but the results never change. With IO::Socket::SSL the connection is established, and client-ssl-warning is present in the header. (I assumed the $key in LWP::ConnCache->deposit() was the host:port of the target peer)

With LWP and Crypt::SSLeay things seemed easier. If I set either $ENV{HTTPS_CA_DIR} or $ENV{HTTPS_CA_FILE}, then peer cert verification is enabled. (without either its 'Peer certificate not verified' all over again) Unfortunately the ability doesn't seem to be all there. I don't know if it's something in the certificate DN subject, but verification success is spotty for me.

Anyone have any problems with using this CA cert for https://mail.istop.com? I get "500 SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed" (I know the cert subject doesn't completely match the host, I'm not checking for this in LWP::UserAgent->get('If-SSL-Cert-Subject' => 'istop.com'))

-----BEGIN CERTIFICATE-----
MIICvzCCAigCAQAwDQYJKoZIhvcNAQEEBQAwgacxCzAJBgNVBAYTAkNBMRAwDgYD
VQQIEwdPbnRhcmlvMQ8wDQYDVQQHEwZPdHRhd2ExITAfBgNVBAoTGERvbmNhc3Rl
ciBDb25zdWx0aW5nIEluYzESMBAGA1UECxMJSVN0b3AuY29tMRUwEwYDVQQDEwxu
cy5pc3RvcC5jb20xJzAlBgkqhkiG9w0BCQEWGHN5c2FkbWluQGRvbmNhc3Rlci5v
bi5jYTAeFw0wMDA3MTExMDQ1NDZaFw0wNTA3MTAxMDQ1NDZaMIGnMQswCQYDVQQG
EwJDQTEQMA4GA1UECBMHT250YXJpbzEPMA0GA1UEBxMGT3R0YXdhMSEwHwYDVQQK
ExhEb25jYXN0ZXIgQ29uc3VsdGluZyBJbmMxEjAQBgNVBAsTCUlTdG9wLmNvbTEV
MBMGA1UEAxMMbnMuaXN0b3AuY29tMScwJQYJKoZIhvcNAQkBFhhzeXNhZG1pbkBk
b25jYXN0ZXIub24uY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMezoDeo
r/4F7l9R5q58n1QvCpgvOMxB6pR0hWCLFTbRtqXAccETONLho39QLJ4NciknyewP
a5502ae9f/INw1hq9WAwgcXeArA/pCQaVG2k9aZdNY4dWLJbHnHOhxRiyenCS4uo
Lqw3unGQFAgts/TALF88eTao23GKrp5pVRTnAgMBAAEwDQYJKoZIhvcNAQEEBQAD
gYEAO7jOO6BVvD/N9+z4BgjdxdJgo+lFhrWiJ+occRbbadsuVDA4WmFbLuzGANHo
9fILoVtWKFoZSDgls7kquiFU4Tz93o2HKl/1Y1rdzByRt3ND+DuhRk4+SgF3lBvO
lJUVpk7WMD9DYi2HuSrLoOSQH8nqN2/J7UQigBw27j9qJFg=
-----END CERTIFICATE-----


If anyone has any suggestions on the proper way to implement any of this, it would be greatly appreciated. Or which SSL support for LWP I'd be better off with.

Thanks!
- Chris
-----Original Message-----
From: [hidden email] [[hidden email]] On Behalf Of Brian DeGeeter
Sent: June 7, 2005 5:01 PM
To: [hidden email]
Subject: RE: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'


Have you tried setting the verify mode?  It's ignored by default.
From man IO::Socket::SSL:
           SSL_verify_mode
             This option sets the verification mode for the peer certificate.
             The default (0x00) does no authentication.  You may combine 0x01
             (verify peer), 0x02 (fail verification if no peer certificate
             exists; ignored for clients), and 0x04 (verify client once) to
             change the default.





From: [hidden email] [[hidden email]] On Behalf Of Chris Mckenzie
Sent: Tuesday, 07 June, 2005 11:13 AM
To: '[hidden email]'
Subject: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'


Hi all.
I've been making out fairly well with my usage of LWP and IO::Socket::SSL, to the point where I'm trying to include a list of trusted peer server and CA certs to trust.

The only problem is I can't seem to force OpenSSL to drop all non-trusted/verified SSL connections. If I try connecting to a site that I don't current have a trusted root for, the connection handshake is established and all I have to show for it is the response header client-ssl-warning' => 'Peer certificate not verified'.

This of course isn't desirable. I need to force a connection break during the hand shaking, not after the connection is established.

Is there an OpenSSL environment variable I can set to require SSL cert verification?
Thanks!
- Chris