My task is to maintain and troubleshoot certificates for a variety of devices that present as SSL servers. Of particular importance are subject and issuer (self-signed certs are bad), expiration date (so that it can be replaced in advance), and commonName and subjectAltNames (so that certificate validation mechanisms can be debugged).
On the one hand,
    use Net::SSL;    # Crypt::SSLeay's socket class
    my $sock;
    eval {
        $sock = Net::SSL->new(
            PeerAddr  => $ip,
            PeerPort  => $port,
            SSL_Debug => 0,
            Timeout   => 30,
        );
        $sock || warn "No Net::SSL session for IP $ip:$port\n";
    };
    if ($sock) {
        # Crypt::SSLeay::X509 object: gives names and validity dates
        my $cert = $sock->get_peer_certificate;
        if ($cert) {
            print join( "\t",
                $host, $interface, $ip, $port, $cert->issuer_name,
                $cert->subject_name, $cert->not_before, $cert->not_after ),
                "\n";
        } else {
            print join( "\t",
                $host, $interface, $ip, $port, 'no certificate found' ),
                "\n";
        }
    } else {
        print join( "\t", $host, $interface, $ip, $port,
            'no connection found' ), "\n";
    }
works well for issuer, subject, and expiration; but
    use IO::Socket::SSL;
    my $client = IO::Socket::SSL->new("$ip:$port");
    if ($client) {
        # peer_certificate('subjectAltNames') returns (type, value) pairs,
        # which join() flattens onto the output line
        print join(
            "\t", $host,
            $interface,
            $ip, $port,
            map( $client->peer_certificate($_),
                qw(authority owner commonName subjectAltNames) )
            ),
            "\n";
    } else {
        print join( "\t", $host, $interface, $ip, $port, 'no connection' ),
            "\n";
    }
seems best at grabbing subjectAltNames (and parsing out the CN).
I believe these are all built on openssl binaries and the Net::SSLeay, but I don't seem to have the hooks I need in a single package.
Rather than making two calls to each server, one via IO::Socket::SSL and one via Net::SSL, is there a way to optimize this?
advTHANKSance,
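An added example (not code from the original post) that pulls every field the post lists from one IO::Socket::SSL connection: the names, CN and SANs come from peer_certificate(), and the validity dates from the same raw X509 handle via Net::SSLeay. It assumes a Net::SSLeay recent enough to provide P_ASN1_TIME_get_isotime, and the sample target values are constructed.

```perl
# Added example (not from the original post): one IO::Socket::SSL
# connection per target; expiry dates and SANs come from the same X509
# handle via Net::SSLeay. Assumes a Net::SSLeay recent enough to provide
# P_ASN1_TIME_get_isotime.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;
use Socket qw(inet_ntop AF_INET AF_INET6);

# Returns a hashref describing the peer certificate, or nothing when no
# TLS session or certificate was obtained ($SSL_ERROR says why).
sub cert_inventory {
    my ($host, $ip, $port) = @_;
    my $client = IO::Socket::SSL->new(
        PeerAddr        => $ip,
        PeerPort        => $port,
        Timeout         => 30,
        SSL_hostname    => $host,            # SNI, so name-based hosts send the right cert
        SSL_verify_mode => SSL_VERIFY_NONE,  # inventory only: record bad or self-signed certs rather than rejecting them
    ) or return;
    my $x509 = $client->peer_certificate or return;   # raw Net::SSLeay X509 handle
    my %info = (
        issuer     => $client->peer_certificate('authority'),
        subject    => $client->peer_certificate('owner'),
        cn         => $client->peer_certificate('commonName'),
        not_before => Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notBefore($x509)),
        not_after  => Net::SSLeay::P_ASN1_TIME_get_isotime(Net::SSLeay::X509_get_notAfter($x509)),
        san        => [],
    );
    # subjectAltNames arrive as (type, value) pairs: GEN_DNS (2) values are
    # strings, GEN_IPADD (7) values are packed 4- or 16-byte addresses.
    my @san = $client->peer_certificate('subjectAltNames');
    while (my ($type, $value) = splice(@san, 0, 2)) {
        push @{ $info{san} },
            $type == 7 ? inet_ntop(length($value) == 4 ? AF_INET : AF_INET6, $value) : $value;
    }
    # Issuer identical to subject is the usual marker of a self-signed cert.
    $info{self_signed} = $info{issuer} eq $info{subject} ? 1 : 0;
    return \%info;
}

# Usage, keeping the tab-separated layout of the original script.
my ($host, $interface, $ip, $port) = ('device.example', 'eth0', '192.0.2.10', 443);  # constructed sample target
if (my $info = cert_inventory($host, $ip, $port)) {
    print join("\t", $host, $interface, $ip, $port, @{$info}{qw(issuer subject not_before not_after cn)},
        join(',', @{ $info->{san} }), $info->{self_signed} ? 'self-signed' : 'ca-issued'), "\n";
} else {
    print join("\t", $host, $interface, $ip, $port, 'no connection: ' . ($SSL_ERROR // 'no certificate')), "\n";
}
```

Because verification is switched off, nothing about the connection should be trusted beyond what the certificate itself says; the self_signed flag is a name comparison, not a signature check.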