On 22 Jul 2008, at 10:59, _V-IT-Systemhaus-Perl-LDAP von extern wrote:
> Hi Chris,
>
> [...]
>
> > Can you write a simple program just using IO::Socket::SSL that shows the
> > problem? If you can, then you should ask the IO::Socket::SSL developers
> > about it...
>
> thx for this hint.
> A newer version of IO::Socket::SSL (1.14) solved this problem.
> Great!
>
> But now I get
>
>   cant make initial connection: IO::Socket::SSL: SSL connect attempt failed
>   with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:
>   certificate verify failed at ./x line 4, <DATA> line 253.
>
> when using verify => 'require'.
> Without this option the connection request succeeds.
>
> What am I missing here?
> I read a lot of reports about this error on the web, but never a solution.
> Is this also an IO::Socket::SSL problem?
No, this is just because of the way you're configuring the socket. Using verify => require means that the server's SSL certificate is *required* to be checked by IO::Socket::SSL, and if that check fails the socket is closed.

The common reason for a certificate check to fail is that you don't have (or don't trust) the signing CA's certificate. In Net::LDAP, you configure that using either cafile or capath. Without looking at the code, I can't remember what IO::Socket::SSL methods that ends up using :-) Note the Net::LDAP manpage talks about certificate verification.

By default IO::Socket::SSL *probably* uses a default capath pointing at the CA certificates installed with the copy of OpenSSL that it uses, so you could try installing your CA certificate in that directory. (There's a special way to install a CA certificate, check the OpenSSL docs for all the details.)
Cheers,
Chris
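An added example illustrating Chris's answer (this is not code from the thread or from the Net::LDAP distribution): the unverified configuration that "succeeds" only because it never checks the server certificate, beside the verify => 'require' configuration with the signing CA supplied via cafile. The host name, port and CA file path are placeholders to be replaced with your own; the bind is anonymous and nothing else about the directory is assumed.

```perl
#!/usr/bin/perl
# Added example, not from the mailing-list thread: opening an LDAPS
# connection with Net::LDAP and requiring the server certificate to
# chain to a CA we trust. All host/path values are placeholders.
use strict;
use warnings;
use Net::LDAP;

# Placeholders: the directory server and the PEM file that holds the CA
# certificate which signed its server certificate.
my $host   = 'ldap.example.com';
my $cafile = '/etc/ssl/certs/my-corp-ca.pem';

# Weak configuration: verify => 'none' accepts any certificate from any
# server, which is why the connection "succeeds" without the option.
# A man-in-the-middle with a self-signed certificate is accepted too.
sub connect_unverified {
    my $ldap = Net::LDAP->new($host,
        scheme => 'ldaps',
        port   => 636,
        verify => 'none',
    ) or die "cant make initial connection: $@";
    return $ldap;
}

# Corrected configuration: verify => 'require' makes IO::Socket::SSL
# abort the handshake unless the server certificate chains to a CA
# found in cafile (one PEM file) or capath (a directory of CA certs
# that has been indexed with c_rehash so OpenSSL can find them by hash).
sub connect_verified {
    my $ldap = Net::LDAP->new($host,
        scheme => 'ldaps',
        port   => 636,
        verify => 'require',
        cafile => $cafile,          # or: capath => '/etc/ssl/certs',
    ) or die "cant make initial connection: $@";
    return $ldap;
}

# The same options apply to start_tls() on a plain ldap:// connection:
#   $ldap->start_tls(verify => 'require', cafile => $cafile);

my $ldap = connect_verified();
my $mesg = $ldap->bind;             # anonymous bind, just to exercise the link
die $mesg->error if $mesg->code;
print "TLS handshake verified against $cafile\n";
$ldap->unbind;
```

If the verified variant still dies with "certificate verify failed", the CA file does not contain the certificate that actually signed the server's certificate (or, with capath, the directory has not been rehashed); checking which chain the server sends is the first thing to do before loosening verify.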