ted.byers has asked for the wisdom of the Perl Monks concerning the following question:

The subject pretty much says it all. I have been using Google for days, and get only noise.

If the answer to the question in the subject line is affirmative, then the obvious followup question is, "How?"

If the answer is no, can anyone explain how to use Wireshark to produce a short log that contains only the handshaking between my workstation and a specific server (which can be specified only using an IP address)? I am getting started on learning to use Wireshark, but time is short and I haven't yet found that answer in the materials I have.

Thanks

Ted


Re: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by Anonymous Monk on Aug 03, 2014 at 20:17 UTC

      Thanks

      I replaced:

      IO::Socket::SSL->require();

      by

      use IO::Socket::SSL qw(debug3);

      And it works. I am not sure if the use statement instead of the require function makes a difference, but it hasn't had an effect I can see, other than that qw(debug3) produced what is closer to what I need. The output looks like the following:

      DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 50492112
      DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
      DEBUG: .../IO/Socket/SSL.pm:528: socket connected
      DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
      DEBUG: .../IO/Socket/SSL.pm:583: using SNI with hostname gremlin.site
      DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=46355584
      DEBUG: .../IO/Socket/SSL.pm:2384: ok=1 cert=50404096
      DEBUG: .../IO/Socket/SSL.pm:1539: scheme=www cert=50404096
      DEBUG: .../IO/Socket/SSL.pm:1549: identity=gremlin.site cn=gremlin.site alt=
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> 1
      DEBUG: .../IO/Socket/SSL.pm:702: ssl handshake done

      The above is a communication with a server that behaves properly. The following is from a server that is not, and SSL handshaking fails:

      DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 50487248
      DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
      DEBUG: .../IO/Socket/SSL.pm:528: socket connected
      DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
      DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
      DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:2384: ok=0 cert=50477104
      DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed
      DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 50487248 open=50487248
      DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 50487248 callback
      DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 50487248

      What is missing is something that distinguishes what was sent to the server from what was received from the server. I can't tell if the problem lies with the server or the client, or what that problem is. All I know, beyond what I show here, is that "openssl s_client" with the appropriate arguments times out, and simply does not get the certificate from the server (alas, I do not control the server). Is it possible to get that, e.g. by using some debug level other than 3, or perhaps trace, or some other means?

      Thanks

      Ted

        ...ted.byers...

        Wow, dude, it's me again :)

        Same deal, it means IO::Socket::SSL couldn't verify the certificate authority of the gremlin.site

        It means your local certificate authority .crt bundle (Mozilla::CA or something else) is missing the authority that gremlin.site uses (because not all CA can be trusted, LWP , Mozilla::CA, and Phony SSL Certificates )

        Debugging SSL communications has more info on using openssl client to debug ssl communications (like get more info, rule perl out...)

        Like if you go into firefox and go to https://rt.perl.org, if you don't have Certificate Authority - Develooper LLC certificate installed, firefox will warn you bad example, they don't use develooper anymore

        See, all these "Client-" headers are put there by LWP+helpers, try it on your gremlin.site, hopefully it will say something like unrecognized root authority

        $ lwp-request -UuSsEd https://rt.perl.org
        GET https://rt.perl.org
        User-Agent: lwp-request/6.03 libwww-perl/6.08

        200 OK
        Cache-Control: no-cache
        Connection: close
        Date: Sun, 03 Aug 2014 22:52:33 GMT
        Pragma: no-cache
        Server: Plack::Handler::Starlet
        Content-Type: text/html; charset=utf-8
        Client-Date: Sun, 03 Aug 2014 23:00:30 GMT
        Client-Peer: 207.171.7.176:443
        Client-Response-Num: 1
        Client-SSL-Cert-Issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
        Client-SSL-Cert-Subject: /serialNumber=KOhlTc3Vbi/3MxmsaSvic2A8i8jTkaBz/C=US/O=rt.perl.org/OU=GT87157338/OU=See www.rapidssl.com/resources/cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=rt.perl.org
        Client-SSL-Cipher: AES128-SHA256
        Client-SSL-Socket-Class: IO::Socket::SSL
        Client-Transfer-Encoding: chunked
        Link: </NoAuth/images/favicon.png>; rel="shortcut icon"; type="image/png"
        Link: </NoAuth/css/aileron-squished-09504fd500c0b721310b79cd2eb67ac0.css>; media="all"; rel="stylesheet"; type="text/css"
        Link: </NoAuth/css/print.css>; media="print"; rel="stylesheet"; type="text/css"
        Set-Cookie: RT_SID_perl.443=15287ecac634a287f31aaa7154f0d7da; path=/; secure; HttpOnly
        Title: Login
        X-Frame-Options: DENY
        X-UA-Compatible: IE=edge
        SSL debugging is a pain. IO::Socket::SSL debug output does not make it better, i.e. you only get meaningful information out of it if you already understand SSL and openssl.
        To get better help with your problem please:
        • provide the version number of IO::Socket::SSL you are using.
        • give example code which triggers your problem.
        • provide information about the certificate of the server, e.g. issuer, common name, subject alternative names and chain certificates. This information is needed to check why the verification could fail.
        As for integrating the debug output with Log4Perl: $IO::Socket::SSL::DEBUG controls both debugging from IO::Socket::SSL and Net::SSLeay (it is an alias to $Net::SSLeay::trace) and both modules simply write to STDERR. So you need to capture this.
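One way to do the capture that reply describes, written as an added example and not taken from the thread: STDERR is tied so that what IO::Socket::SSL prints there becomes Log4perl DEBUG events, and `warn` is routed the same way because Net::SSLeay trace lines bypass a tied handle. The class name StderrToLog4perl and the target URL are assumptions, and the appender is deliberately pointed at STDOUT.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Log::Log4perl qw(:easy);
use IO::Socket::SSL;
use LWP::UserAgent;

# Appender goes to STDOUT (stderr = 0): an appender that wrote to STDERR
# would re-enter the tied handle below and recurse.
Log::Log4perl->init(\ <<'CONF');
log4perl.rootLogger             = DEBUG, Screen
log4perl.appender.Screen        = Log::Log4perl::Appender::Screen
log4perl.appender.Screen.stderr = 0
log4perl.appender.Screen.layout = Log::Log4perl::Layout::PatternLayout
log4perl.appender.Screen.layout.ConversionPattern = %d %p %c - %m%n
CONF

# Hypothetical tie class: buffers what is printed to STDERR and emits one
# DEBUG event per complete line under the 'ssl.handshake' category.
package StderrToLog4perl;
sub TIEHANDLE { my ($class, $logger) = @_; bless { logger => $logger, buf => '' }, $class }
sub PRINT     { my $self = shift; $self->_emit(join '', @_) }
sub PRINTF    { my $self = shift; my $fmt = shift; $self->_emit(sprintf $fmt, @_) }
sub BINMODE   { 1 }
sub _emit {
    my ($self, $text) = @_;
    $self->{buf} .= $text;
    $self->{logger}->debug($1) while $self->{buf} =~ s/^(.*?)\r?\n//;
    return 1;
}
package main;

my $ssl_log = Log::Log4perl->get_logger('ssl.handshake');
tie *STDERR, 'StderrToLog4perl', $ssl_log;   # catches print/printf STDERR from IO::Socket::SSL
$SIG{__WARN__} = sub {                       # warn() bypasses the tie; Net::SSLeay trace uses it
    my $msg = shift; $msg =~ s/\s+\z//; $ssl_log->debug($msg);
};
$IO::Socket::SSL::DEBUG = 3;   # aliased to $Net::SSLeay::trace, so this enables both modules

# Any HTTPS URL (assumed); the handshake lines are logged before the status line.
my $ua  = LWP::UserAgent->new(timeout => 30, ssl_opts => { verify_hostname => 1 });
my $res = $ua->get('https://example.com/');
INFO($res->status_line);
```

With this in place the "DEBUG: .../IO/Socket/SSL.pm:..." lines shown earlier in the thread arrive through the normal Log4perl appenders, so they can be filtered by category or sent to a file like any other log event.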
Re: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by noxxi (Pilgrim) on Aug 12, 2014 at 19:23 UTC
    To end this thread: the issue was finally solved after some mail exchange with more code and packet captures.
    The underlying problem was a failure to verify the hostname of the URL against the SSL certificate, because the URL contained only the IP address but the certificate did not contain this IP address. It was solved by explicitly setting the expected name with SSL_verifycn_name in ssl_opts for LWP::UserAgent.
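The fix noxxi describes, shown as an added example rather than code from the thread: the URL names the server by IP, so the expected certificate name is supplied separately with SSL_verifycn_name. The IP address, expected name and CA path are placeholders; the server is assumed to present a certificate for that name signed by the CA in $ca_file.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# Constructed values: replace with your own server and CA bundle.
my $ip       = '192.0.2.10';                      # server reachable only by IP (placeholder)
my $expected = 'gremlin.site';                    # CN / SAN the certificate actually carries
my $ca_file  = '/etc/ssl/certs/private-ca.pem';   # placeholder path to the CA that signed it

sub make_ua {
    my (%extra) = @_;
    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,      # keep verification on; disabling it is not the fix
            SSL_ca_file     => $ca_file,
            %extra,
        },
    );
}

# 1) Default: LWP derives the name to verify from the URL, i.e. the bare IP.
#    Unless the certificate lists that IP as a SAN, verification fails and
#    LWP returns a 500 with an SSL error instead of a response from the server.
my $res = make_ua()->get("https://$ip/");
print "without SSL_verifycn_name: ", $res->status_line, "\n";

# 2) The fix from the thread: name the identity to check the certificate
#    against, independently of the address used to open the socket.
$res = make_ua(SSL_verifycn_name => $expected)->get("https://$ip/");
print "with SSL_verifycn_name:    ", $res->status_line, "\n";

# 3) The same knobs on IO::Socket::SSL directly, without LWP, give an error
#    message that says which step failed (CA chain vs. hostname).
my $sock = IO::Socket::SSL->new(
    PeerHost            => $ip,
    PeerPort            => 443,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'http',
    SSL_verifycn_name   => $expected,
) or die "handshake failed: $SSL_ERROR\n";
printf "peer certificate CN: %s\n", $sock->peer_certificate('cn');
```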