I have a script that is failing mysteriously to connect with an HTTPS site requiring client certificates for authentication. Before I get to the script, here's the openssl command that allows me to connect to the site in question:
openssl s_client -connect hostname:443 -cert test.pem -key testkey.pem -CAfile cacerts.pem -prexit

I can then do a GET on the directory protected with cert auth. Something key to note is that the connection is not successful unless -CAfile is present to show the server that my client's certificate (test.pem) chains to a CA trusted by the server.

So I try the following in Perl:

-----BEGIN PERL-----
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# DEBUGGING SWITCH / LOW LEVEL SSL DIAGNOSTICS
$ENV{HTTPS_DEBUG} = 1;

# CLIENT CERT SUPPORT (Crypt::SSLeay picks these up from the environment)
$ENV{HTTPS_CERT_FILE} = 'test.pem';
$ENV{HTTPS_KEY_FILE}  = 'testkey.pem';

my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new('GET', 'https://hostname/protected_path');
my $res = $ua->request($req);
-----END PERL-----

This gives me the following output:

-----BEGIN OUTPUT-----
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:unknown CA
SSL_connect:failed in SSLv3 read finished A
-----END OUTPUT-----

It seems that I need to find a way to include the equivalent of -CAfile, but the only option I have seen for Crypt::SSLeay that even mentions CAs relates to client verification of the server's cert:

    # CA CERT PEER VERIFICATION
    $ENV{HTTPS_CA_FILE} = 'cacerts.pem';    # This does not work
    #$ENV{HTTPS_CA_DIR} = 'certs/';

Anyone have any ideas? I am willing to dive in somewhere and patch if I can, but I need some hand-holding to start since the code involved appears to me as deep magic.

Thanks,
-- 
Sean Evans
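The two runs in Sean's post differ only in whether openssl is given -CAfile, and the server's answer in the failing run is a fatal "unknown CA" alert, which is what a server sends when it cannot build a chain from the client certificate it received to something it trusts. The script below is an added example, not code from the post or from Crypt::SSLeay: it builds a throwaway root -> intermediate -> client-leaf PKI with openssl and uses openssl verify as a stand-in for the server's check, to show the difference between a client that presents only its leaf certificate and one that presents the intermediate as well. That a missing intermediate is what separates the s_client run from the Perl run is an assumption, not something the post establishes; the certificates are constructed locally and the file names root.pem, inter.pem, test.pem, testkey.pem and the function names are made up for the example.

```shell
#!/bin/sh
# Added example (not from Sean's post or from Crypt::SSLeay). Builds a
# throwaway PKI of root CA -> intermediate CA -> client leaf and checks
# whether the leaf can be chained to the root with and without the
# intermediate. A server that trusts only the root and receives only the
# leaf cannot build the chain, which is one way to end up with the
# "unknown CA" alert in the trace; whether that is Sean's situation is an
# assumption. All certificates below are constructed locally.
set -e

# Create root.pem/root.key, inter.pem/inter.key and test.pem/testkey.pem in $1.
make_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/leaf.ext"

  # Root CA: CSR, then self-signed with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
    -keyout "$dir/root.key" -out "$dir/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate CA' \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/inter.csr" -CA "$dir/root.pem" \
    -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" \
    -out "$dir/inter.pem" 2>/dev/null

  # Client leaf, signed by the intermediate (plays the role of test.pem).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=test client' \
    -keyout "$dir/testkey.pem" -out "$dir/test.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/test.csr" -CA "$dir/inter.pem" \
    -CAkey "$dir/inter.key" -CAcreateserial -extfile "$dir/leaf.ext" \
    -out "$dir/test.pem" 2>/dev/null
}

# Number of certificates in a PEM bundle, i.e. what a client handed this
# file would actually have available to send.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Subject and issuer of every certificate in a PEM bundle, in file order.
show_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_ok ROOT LEAF [UNTRUSTED]: succeeds when openssl can build a chain
# from LEAF to ROOT using only the certificates in UNTRUSTED as
# intermediates. This approximates the server's view: ROOT is its trust
# store, LEAF plus UNTRUSTED is what arrived in the client's Certificate
# message.
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# Demo run.
D=$(mktemp -d)
make_pki "$D"
echo "test.pem carries $(cert_count "$D/test.pem") certificate(s):"
show_chain "$D/test.pem"
if chain_ok "$D/root.pem" "$D/test.pem"; then
  echo "leaf alone chains to root"
else
  echo "leaf alone does NOT chain to root (a server trusting only root reports unknown CA)"
fi
# Supply the intermediate separately, as loading it via -CAfile makes available.
chain_ok "$D/root.pem" "$D/test.pem" "$D/inter.pem" && echo "leaf + intermediate chains to root"
# Same check with the intermediate appended to the client certificate bundle.
cat "$D/test.pem" "$D/inter.pem" > "$D/chain.pem"
echo "chain.pem carries $(cert_count "$D/chain.pem") certificate(s)"
chain_ok "$D/root.pem" "$D/test.pem" "$D/chain.pem" && echo "leaf + bundled intermediate chains to root"
rm -rf "$D"
```

Run it with sh; it needs only the openssl binary. The same two checks apply to the real files from the post: `openssl verify -CAfile cacerts.pem test.pem` against `openssl verify -CAfile cacerts.pem -untrusted cacerts.pem test.pem` shows whether test.pem only verifies once the CA bundle is allowed to contribute intermediates, and `openssl crl2pkcs7 -nocrl -certfile test.pem | openssl pkcs7 -print_certs -noout` shows how many certificates the file named in HTTPS_CERT_FILE really contains.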