PerlMonks  

Which module for SSL certificate access?

by WoodyWeaver (Monk)
on Jun 24, 2010 at 19:47 UTC (id://846382)

WoodyWeaver has asked for the wisdom of the Perl Monks concerning the following question:

My task is to maintain and troubleshoot certificates for a variety of devices that present as SSL servers. Of particular importance are subject and issuer (self-signed certs are bad), expiration date (so that it can be replaced in advance), and commonName and subjectAltNames (so that certificate validation mechanisms can be debugged).

On the one hand,

    use Net::SSL;   # Crypt::SSLeay's socket class; get_peer_certificate returns a Crypt::SSLeay::X509 object

    # $host, $interface, $ip and $port are set by the surrounding inventory loop (not shown)
    my $sock;
    eval {
        $sock = Net::SSL->new(
            PeerAddr  => $ip,
            PeerPort  => $port,
            SSL_Debug => 0,
            Timeout   => 30,
        );
        $sock || warn "No Net::SSL session for IP $ip:$port\n";
    };
    if ($sock) {
        my $cert = $sock->get_peer_certificate;
        if ($cert) {
            print join( "\t", $host, $interface, $ip, $port,
                $cert->issuer_name, $cert->subject_name,
                $cert->not_before,  $cert->not_after ), "\n";
        }
        else {
            print join( "\t", $host, $interface, $ip, $port, 'no certificate found' ), "\n";
        }
    }
    else {
        print join( "\t", $host, $interface, $ip, $port, 'no connection found' ), "\n";
    }
works well for issuer, subject, and expiration; but
    use IO::Socket::SSL;

    # $host, $interface, $ip and $port are set by the surrounding inventory loop (not shown)
    my $client = IO::Socket::SSL->new("$ip:$port");
    if ($client) {
        # 'subjectAltNames' returns a flat list of (type, value) pairs in list context
        print join( "\t", $host, $interface, $ip, $port,
            map( $client->peer_certificate($_), qw(authority owner commonName subjectAltNames) ) ), "\n";
    }
    else {
        print join( "\t", $host, $interface, $ip, $port, 'no connection' ), "\n";
    }
seems best at grabbing subjectAltNames (and parsing out the CN).

I believe these are all built on the openssl binaries and Net::SSLeay, but I don't seem to have the hooks I need in a single package.

Rather than making two calls to each server, one via IO::Socket::SSL and one via Net::SSL, is there a way to optimize this?

advTHANKSance,
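The single-connection approach the question asks for, as an added example that is not part of the original thread and not the poster's code: IO::Socket::SSL sits on top of Net::SSLeay, and peer_certificate() called with no field name hands back the underlying Net::SSLeay X509 handle, so issuer, subject, CN, subjectAltNames and the validity dates can all be read from one handshake. The host, port, optional SNI name and the tab-separated output layout are assumptions; the script needs IO::Socket::SSL and a Net::SSLeay recent enough to provide P_ASN1_TIME_get_isotime. Verification is switched off on purpose because the job is to inventory certificates, including broken ones, and that setting must not be reused in code that actually trusts the peer.

```perl
#!/usr/bin/perl
# certinfo.pl - one TLS handshake per target, every field from that one session.
# Added example, not code from the original thread. Host/port/SNI come from the
# command line and are assumptions, as is the tab-separated output format.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE);
use Net::SSLeay;
use Time::Local qw(timegm);

# GeneralName type codes (RFC 5280 / OpenSSL GEN_*), as returned in the
# (type, value) pairs of peer_certificate('subjectAltNames').
use constant { GEN_EMAIL => 1, GEN_DNS => 2, GEN_URI => 6, GEN_IPADD => 7 };

# Connect once and pull everything from that single session. Verification is
# deliberately off: we are inventorying certificates, not trusting them.
sub inspect_target {
    my ($host, $port, $sni) = @_;
    my $client = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_hostname    => $sni // $host,   # SNI: an IP-only target otherwise gets the default cert
        SSL_verify_mode => SSL_VERIFY_NONE, # inventory mode only; never do this when trusting the peer
        Timeout         => 30,
    ) or return { error => 'no connection: ' . IO::Socket::SSL::errstr() };

    # No field name => the raw Net::SSLeay X509 handle, which covers anything
    # IO::Socket::SSL has no convenience accessor for (the validity dates here).
    my $x509 = $client->peer_certificate
        or return { error => 'no certificate presented' };

    my %info = (
        subject    => $client->peer_certificate('subject'),    # same as 'owner'
        issuer     => $client->peer_certificate('issuer'),     # same as 'authority'
        cn         => $client->peer_certificate('commonName'),
        not_before => Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notBefore($x509)),
        not_after  => Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509)),
    );

    # subjectAltNames comes back as a flat list of (type, value) pairs;
    # DNS names are strings, IP addresses are raw octets (4 or 16 bytes).
    my @pairs = $client->peer_certificate('subjectAltNames');
    while (my ($type, $value) = splice @pairs, 0, 2) {
        if    ($type == GEN_DNS)   { push @{ $info{san_dns} }, $value }
        elsif ($type == GEN_IPADD) { push @{ $info{san_ip} },  format_ip($value) }
        elsif ($type == GEN_EMAIL || $type == GEN_URI) { push @{ $info{san_other} }, $value }
    }

    # Self-signed check: the cert names itself as its own issuer. This also
    # flags a root CA presented as the server cert, which is equally wrong.
    $info{self_signed} = ($info{subject} eq $info{issuer}) ? 1 : 0;
    $info{days_left}   = days_until($info{not_after});
    return \%info;
}

sub format_ip {
    my $raw = shift;
    return join '.', unpack 'C4', $raw      if length $raw == 4;
    return join ':', unpack '(H4)8', $raw   if length $raw == 16;
    return unpack 'H*', $raw;   # unexpected length: show hex rather than guess
}

# $iso is "YYYY-MM-DDTHH:MM:SSZ" as produced by P_ASN1_TIME_get_isotime.
sub days_until {
    my $iso = shift;
    my ($y, $mo, $d, $h, $mi, $s) =
        $iso =~ /^(\d{4})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)/ or return undef;
    return int((timegm($s, $mi, $h, $d, $mo - 1, $y) - time) / 86400);
}

my ($host, $port, $sni) = @ARGV;
die "usage: $0 host port [sni-name]\n" unless defined $host && defined $port;
my $r = inspect_target($host, $port, $sni);
if ($r->{error}) { print join("\t", $host, $port, $r->{error}), "\n"; exit 1 }
print join("\t", $host, $port,
    $r->{issuer}, $r->{subject}, $r->{not_before}, $r->{not_after},
    "days_left=" . ($r->{days_left} // '?'),
    "self_signed=$r->{self_signed}",
    'CN=' . ($r->{cn} // ''),
    'SAN=' . join(',', @{ $r->{san_dns} || [] }, @{ $r->{san_ip} || [] }),
), "\n";
```

Two caveats worth keeping in mind with the inventory-by-IP loop in the question: connecting by address sends no SNI, so a device hosting several names answers with its default certificate, which is why the script accepts the expected name as a third argument; and the subject-equals-issuer test is a heuristic for "self-signed", not a signature check, so a leaf whose issuer DN happens to match its own subject would be flagged the same way.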

Re: Which module for SSL certificate access?
by Khen1950fx (Canon) on Jun 25, 2010 at 08:19 UTC
    I think that there is a way to optimize this. I used Net::SSLeay::OO. I managed to get a server together and a client, but the client needs some more work. The server seems ok.
      Thanks. This machine is a Windows box, and I was using ActiveState for the above -- no problem, I also have a cygwin perl build. perl -MCPAN -e "install Net::SSLeay::OO" has led me into a maze of twisty little packages -- openssl won't compile on me (a mess with fipscannister.o), which leaves me unable to take this approach. So you get good karma, but I'm still inelegant.

      I'm going to try to find another box with a real unix.

Node Type: perlquestion [id://846382]
Approved by Corion
Front-paged by Corion