Joshua Chamas wrote:
> 
> Troy Carter wrote:
> >
> > We have a checkpoint firewall which requires authentication via https.
> > I wrote a perl script using Crypt::SSLeay, LWP (and openssl) which did
> > the authentication from the command line.  It worked great for several
> > months, but recently has stopped working -- now it times out as it tries
> > to make the initial SSL connection.   Here's the code:
> >
> > use LWP::UserAgent;
> 
> I have not touched the cert stuff much other than to
> get rid of a memory leak.  It seems that the variable
> here is your firewall, can you confirm whether a
> normal web browser works with it for HTTPS ?

Yes, it works fine using a normal browser with HTTPS.  Since I
originally posted the message, I figured out that the firewall was
changed from a Solaris box running checkpoint-1 to a RH Linux box
running the same software (they tell me it is identical to the software
on the solaris box, but...) -- this is when I started having the
problem.  I did the following debugging:

(1) Used the cli.cpp client example in the openssl source tree -- this
would not connect at first, it displayed the same behavior as my perl
script (just hung there after the initial SSL_write -- it got the server
certificate and successfully got through the SSL_write, but then seemed
to hang on the SSL_read).  But, I changed the line

meth = SSLv2_client_method(); to meth = SSLv3_client_method();

And then it connected just fine and I was able to GET / with no
problems.

(2) I grabbed the latest Crypt-SSLeay and set DEFINE_SSL_STATE to 1 (and
used LWP::debug qw(+);), and reran the program, and here is the
debugging output:

[tcarter@fletch tcarter]$ ./ppl_test
LWP::UserAgent::new: ()
LWP::UserAgent::request: ()
LWP::UserAgent::simple_request: GET https://<our firewall server here>/
LWP::UserAgent::_need_proxy: Not proxied
LWP::Protocol::http::request: ()
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:error in SSLv2/v3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Can't call method "request" on an undefined value at
/usr/lib/perl5/site_perl/5.005/LWP/UserAgent.pm line 227.

It hangs for 20-30 seconds between the last SSL_connect::SSLv3 message
and the LWP message at the end. I hadn't gotten that final error using
Crypt-SSLeay 0.16 (which doesn't have the debug flag) -- using 0.16, the
request would timeout (as I mentioned in my first message).  I upgraded
libwww-perl (to 5.49) and the same error results.  If I run an stunnel
to the SSL port and change the perl code to make http requests to the
stunnel'd port on localhost, everything works fine.  I had the sysadmin
watch the firewall logs as I try to connect, and he shows me connecting
with no error messages (and then just not doing anything else).


Is this a Crypt::SSLeay problem or buggy SSLv3 implementation in the
checkpoint software? Any other tests I should try?  I would like to know
what the problem is with the perl script, but maybe I'll try to hack the
cli.cpp to do what I want (but that requires learning some C/C++ :) ). 
Thanks for your response!

-Troy

PS -- a perhaps separate issue: I also have a RH7.0 box (with Perl 5.6)
that I have been using to test this problem -- the same issues existed
with Crypt::SSLeay 0.16, LWP 5.47.  So I tried to install Crypt::SSLeay
0.18 and it compiled and installed without a complaint, but then when I
try to run the script, I get a:
LWP::UserAgent::request: Simple response: Not Implemented
501 (Not Implemented) Protocol scheme 'https' is not supported
I made sure to use kgcc to compile, but that didn't make a difference --
any suggestions?

> 
> If you set #define DEBUG_SSL_STATE       0
> to 1 in SSLeay.xs in the .18 build, you'll get more
> debugging information.  Also set LWP::Debug qw(+);
> 
> Do you see anything more in the trace to go on?
> 
> -- Josh

-- 
---------------------
Troy Carter
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
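The thread's working hypothesis is that the SSLv2/v3 compatible client hello (what the `SSLv2/v3 write client hello A` trace line shows) is what the new firewall rejects, while a pure SSLv3 handshake goes through. The following Perl script is an added example, not Troy's script or Crypt::SSLeay's own code: it reproduces the cli.cpp change (SSLv2 method to SSLv3 method) from the LWP side, bounds the request with a timeout so a stalled SSL_read cannot hang forever, and distinguishes the "Protocol scheme 'https' is not supported" case from a server-side failure. It assumes `HTTPS_VERSION` and `HTTPS_DEBUG` are honoured by the installed Net::SSL/Crypt::SSLeay (they are documented for later releases; whether 0.18 reads them is not confirmed here), and `<firewall-host>` is a placeholder.

```perl
#!/usr/bin/perl
# Added example: HTTPS GET through LWP + Crypt::SSLeay with an SSLv3-only
# handshake, mirroring the SSLv2_client_method -> SSLv3_client_method
# change that made the OpenSSL cli.cpp client connect.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Net::SSL (bundled with Crypt::SSLeay) reads these before connecting.
# ASSUMPTION: supported by the installed release (documented for later
# Crypt::SSLeay versions; not verified against 0.18).
$ENV{HTTPS_VERSION} = 3;   # 2 = SSLv2 only, 3 = SSLv3 only, 23 = SSLv2/v3 compat hello
$ENV{HTTPS_DEBUG}   = 1;   # emit the SSL_connect state trace to STDERR

my $host = shift @ARGV or die "usage: $0 <firewall-host>\n";   # placeholder

# A bounded timeout turns an open-ended hang on SSL_read into an error.
my $ua  = LWP::UserAgent->new(timeout => 30);
my $req = HTTP::Request->new(GET => "https://$host/");

my $res = $ua->request($req);

if ($res->is_success) {
    print "handshake and request OK: ", $res->status_line, "\n";
    exit 0;
}

# LWP answers 501 "Protocol scheme 'https' is not supported" itself when it
# cannot load an SSL backend; that points at the local Crypt::SSLeay
# install, not at the firewall.
if ($res->code == 501 && $res->status_line =~ /Protocol scheme 'https'/) {
    print STDERR "LWP has no working https backend; check that Crypt::SSLeay\n",
                 "loads: perl -MCrypt::SSLeay -e 'print \$Crypt::SSLeay::VERSION'\n";
    exit 2;
}

print STDERR "request failed: ", $res->status_line, "\n";
exit 1;
```

Run it as `./ssl3_get.pl <firewall-host>` and compare the state trace on STDERR with the one quoted above: with `HTTPS_VERSION=3` the `SSLv2/v3 write client hello A` / `error in SSLv2/v3 read server hello A` pair should not appear at all, so if the request still stalls after `SSLv3 read finished A`, the problem is past the handshake rather than in the version negotiation.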
