To continue this exciting debate:

On Mon, Oct 01, 2007 at 07:17:17AM -0700, Bill Moseley wrote:
> Yes, according to man LWP:
>
>   my $host = $req->uri->host;
>   $req->header( 'If-SSL-Cert-Subject', '\QCN=' . $host );

Oops, that doesn't look right. Perhaps:

>   $req->header( 'If-SSL-Cert-Subject', qr/\QCN=$host/ );

Hmm, but for possible wildcard certificates might need something like:

    my $host = $request->uri->host;
    my $match_string = "CN=(?:\Q$host\E";
    $match_string .= "|\Q$host\E" if $host =~ s/[^.]+(\.[^.]{2,})/*$1/;
    $match_string .= ')';

And a note for the archives:

I was wondering how to get SSLeay to use the default compiled-in CA directory when using LWP/Crypt::SSLeay, which is done by calling SSL_CTX_set_default_verify_paths() in SSLeay. It might be handy to use the defaults in situations where you don't know where the CA certs are installed in a deployed application. So the question is how to enable searching the defaults?

Looking at SSLeay.xs I noted that SSL_CTX_set_default_verify_paths(ctx); was always called, but verify is only enabled if HTTPS_CA_DIR or HTTPS_CA_FILE is set. So the effect of setting $ENV{HTTPS_CA_DIR} to *any* value will enable verification and thus searching in the default verify paths.

That is, if the CA certs are in, say, /etc/ssl/certs and that happens to be the default path then

    $ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';

and

    $ENV{HTTPS_CA_DIR} = '/whatever';

probably work the same.

-- 
Bill Moseley
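As an added example (not code from the thread, from LWP or from Crypt::SSLeay), the following Perl builds the If-SSL-Cert-Subject value along the lines of the wildcard snippet in the message above, but anchored on the subject's component separators. Crypt::SSLeay matches the header value as a regex against the one-line certificate subject ("/C=.../O=.../CN=host"), so an unanchored "CN=www.example.com" also matches a certificate whose CN is "www.example.com.evil.net"; the wildcard form is restricted to one label, and no wildcard is generated for a bare registrable name such as "example.com". The CA directory path, the sample subject strings used in the self-check and the helper names are assumptions; the HTTPS_CA_DIR behaviour is as described in the message and applies to LWP used with Crypt::SSLeay (LWP 6 with IO::Socket::SSL verifies the hostname itself).

```perl
#!/usr/bin/perl
# Added example, not from the original thread: build an anchored
# If-SSL-Cert-Subject regex for a host (exact CN or single-label wildcard CN)
# and turn on CA verification through HTTPS_CA_DIR as the message describes.
use strict;
use warnings;

# Returns the regex, as a string (which is what the header carries), that
# Crypt::SSLeay/Net::SSL matches against the one-line certificate subject,
# e.g. "/C=US/O=Example/CN=www.example.com".
sub cert_subject_regex {
    my ($host) = @_;
    my @cns = ("CN=\Q$host\E");

    # www.example.com -> *.example.com (one label only);
    # example.com gets no wildcard form, a *.com certificate is never legitimate.
    (my $wild = $host) =~ s/^[^.]+(?=\.[^.]+\.)/*/;
    push @cns, "CN=\Q$wild\E" if $wild ne $host;

    # Anchor on the "/" separators of the one-line subject so that
    # CN=www.example.com.evil.net does not satisfy an unanchored CN=www\.example\.com.
    return '(?:^|/)(?:' . join('|', @cns) . ')(?:/|$)';
}

# Convenience wrapper used by the self-check: 1 if $subject satisfies the
# regex built for $host, 0 otherwise.
sub subject_matches {
    my ($subject, $host) = @_;
    my $re = cert_subject_regex($host);
    return $subject =~ /$re/ ? 1 : 0;
}

# Constructed one-line subjects (assumed, not captured from real servers).
my @checks = (
    ['/C=US/O=Example/CN=www.example.com',          'www.example.com', 1],
    ['/C=US/O=Example/CN=*.example.com',            'www.example.com', 1],
    ['/C=US/O=Example/CN=www.example.com.evil.net', 'www.example.com', 0],
    ['/C=US/O=Example/CN=*.com',                    'example.com',     0],
    ['/CN=localhost',                               'localhost',       1],
);

# Issues a GET over HTTPS with CA verification enabled and the CN pinned to
# the request host.  Assumes LWP with Crypt::SSLeay as the SSL backend.
sub ssl_request {
    my ($url) = @_;
    require LWP::UserAgent;
    require HTTP::Request;

    # Per the message, any value here enables verification in Crypt::SSLeay;
    # point it at the real CA directory (location assumed) rather than a dummy.
    $ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';

    my $req = HTTP::Request->new(GET => $url);
    $req->header('If-SSL-Cert-Subject' => cert_subject_regex($req->uri->host));
    return LWP::UserAgent->new->request($req);
}

unless (caller) {
    for my $c (@checks) {
        my ($subject, $host, $want) = @$c;
        my $got = subject_matches($subject, $host);
        die "unexpected result for $host against $subject\n" if $got != $want;
    }
    print "self-check passed\n";
    # ssl_request('https://www.example.com/') performs the verified GET.
}
```

Running the script offline only exercises the self-check; ssl_request is the piece that combines the header with HTTPS_CA_DIR for a real request. Note that the header still only constrains the CN, so a certificate chaining to an untrusted CA is rejected by the CA verification that HTTPS_CA_DIR switches on, not by the subject regex.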