RE: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'


Brian DeGeeter
Have you tried setting the verify mode? It's ignored by default.
 
From man IO::Socket::SSL:
 
           SSL_verify_mode
             This option sets the verification mode for the peer certificate.
             The default (0x00) does no authentication.  You may combine 0x01
             (verify peer), 0x02 (fail verification if no peer certificate
             exists; ignored for clients), and 0x04 (verify client once) to
             change the default.


From: [hidden email] [mailto:[hidden email]] On Behalf Of Chris Mckenzie
Sent: Tuesday, 07 June, 2005 11:13 AM
To: '[hidden email]'
Subject: Quick question about 'client-ssl-warning' => 'Peer certificate not verified'

Hi all.
 
I've been making out fairly well with my usage of LWP and IO::Socket::SSL, to the point where I'm trying to include a list of trusted peer server and CA certs to trust.
 
The only problem is I can't seem to force OpenSSL to drop all non-trusted/verified SSL connections. If I try connecting to a site that I don't currently have a trusted root for, the connection handshake is established and all I have to show for it is the response header 'client-ssl-warning' => 'Peer certificate not verified'.
 
This of course isn't desirable. I need to force a connection break during the handshaking, not after the connection is established.
 
Is there an OpenSSL environment variable I can set to require SSL cert verification?
 
Thanks!
 
- Chris
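To show what Brian's answer looks like in practice, here is an added example (not code from either poster) of a client that sets SSL_verify_mode so the handshake itself fails against an untrusted peer, which is the behaviour Chris asked for. It assumes a CA bundle at the placeholder path below, a host name supplied on the command line, an IO::Socket::SSL release that exports the SSL_VERIFY_* constants and supports the SSL_verifycn_* options, and LWP 6.x (where LWP::Protocol::https is built on IO::Socket::SSL and accepts ssl_opts); the hex values in the quoted man page correspond to those constants.

```perl
#!/usr/bin/perl
# Added example, not from the thread: refuse any TLS peer whose certificate
# does not chain to a CA we trust, and fail inside the handshake rather than
# after the connection is up.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);
use LWP::UserAgent;

# Assumption: path to a CA bundle containing only the roots you trust.
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';   # placeholder path

# Open a TLS connection that only succeeds if the peer certificate verifies
# against $ca_file AND its name matches $host. SSL_VERIFY_PEER is the 0x01
# "verify peer" bit from the manual excerpt; the default is SSL_VERIFY_NONE.
sub connect_verified {
    my ($host, $port) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $ca_file,
        SSL_verifycn_scheme => 'http',   # also check the hostname, not just the chain
        SSL_verifycn_name   => $host,
    );
    # On a verification failure new() returns undef and the OpenSSL reason is
    # in $SSL_ERROR; the caller never receives a half-trusted socket.
    return $sock if $sock;
    die "TLS handshake to $host:$port refused: $SSL_ERROR\n";
}

# The same policy for LWP 6.x: verification is on by default there, but pinning
# the CA file explicitly in ssl_opts keeps the trust store under your control.
sub lwp_verified {
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $ca_file,
        },
    );
}

# Usage: perl verify_client.pl <host> [port]
if (@ARGV) {
    my ($host, $port) = ($ARGV[0], $ARGV[1] || 443);

    my $sock = connect_verified($host, $port);
    printf "handshake ok, verified subject: %s\n",
        $sock->peer_certificate('subject');
    $sock->close;

    # With LWP, a failed verification shows up as an error response rather
    # than as a warning header on a successful one.
    my $res = lwp_verified()->get("https://$host:$port/");
    print $res->status_line, "\n";
}
```

The key point is the SSL_verify_mode line: with SSL_VERIFY_PEER set, OpenSSL aborts the handshake when the chain does not validate, so no application data is ever exchanged with an unverified peer. Newer LWP releases also honour the PERL_LWP_SSL_CA_FILE and PERL_LWP_SSL_VERIFY_HOSTNAME environment variables for the same settings, which is the closest thing to the environment variable Chris was looking for.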