in reply to Re^2: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
in thread Can Log4Perl integrated with LWP log SSL/TLS handshaking?

...ted.byers...

Wow, dude, it's me again :)

Same deal, it means IO::Socket::SSL couldn't verify the certificate authority of the gremlin.site

It means your local certificate authority .crt bundle (Mozilla::CA or something else) is missing the authority that gremlin.site uses (because not all CAs can be trusted; see LWP, Mozilla::CA, and Phony SSL Certificates)

Debugging SSL communications has more info on using openssl client to debug ssl communications (like get more info, rule perl out...)

Like if you go into Firefox and go to https://rt.perl.org, if you don't have the Certificate Authority - Develooper LLC certificate installed, Firefox will warn you (bad example, they don't use develooper anymore)

See, all these "Client-" headers are put there by LWP+helpers; try it on your gremlin.site, hopefully it will say something like unrecognized root authority

$ lwp-request -UuSsEd https://rt.perl.org
GET https://rt.perl.org
User-Agent: lwp-request/6.03 libwww-perl/6.08

200 OK
Cache-Control: no-cache
Connection: close
Date: Sun, 03 Aug 2014 22:52:33 GMT
Pragma: no-cache
Server: Plack::Handler::Starlet
Content-Type: text/html; charset=utf-8
Client-Date: Sun, 03 Aug 2014 23:00:30 GMT
Client-Peer: 207.171.7.176:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
Client-SSL-Cert-Subject: /serialNumber=KOhlTc3Vbi/3MxmsaSvic2A8i8jTkaB
+z/C=US/O=rt.perl.org/OU=GT87157338/OU=See www.rapidssl.com/resources/
+cps (c)11/OU=Domain Control Validated - RapidSSL(R)/CN=rt.perl.org
Client-SSL-Cipher: AES128-SHA256
Client-SSL-Socket-Class: IO::Socket::SSL
Client-Transfer-Encoding: chunked
Link: </NoAuth/images/favicon.png>; rel="shortcut icon"; type="image/p
+ng"
Link: </NoAuth/css/aileron-squished-09504fd500c0b721310b79cd2eb67ac0.c
+ss>; media="all"; rel="stylesheet"; type="text/css"
Link: </NoAuth/css/print.css>; media="print"; rel="stylesheet"; type="
+text/css"
Set-Cookie: RT_SID_perl.443=15287ecac634a287f31aaa7154f0d7da; path=/;
+secure; HttpOnly
Title: Login
X-Frame-Options: DENY
X-UA-Compatible: IE=edge

Re^4: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
by ted.byers (Monk) on Aug 04, 2014 at 01:18 UTC

    Hi, and thanks

    Actually, the gremlin.site site was the one that worked. In configuring the useragent, I had the following parameters set:

    $rp{'ca_cert_file'}  = 'rootCA.pem';
    $rp{'ca_cert_dir'}   = '.';
    $rp{'SSL_cert_file'} = 'client.crt';
    $rp{'SSL_key_file'}  = 'client.key';

    That is actually the initialization of the hash passed to my package's function new, which uses it thusly:

    my $self = {
        logger        => '',
        user          => $params{user},
        password      => $params{password},
        timeout       => $params{timeout} || 180,
        ssl_set       => 0,
        no_ssl_check  => $params{no_ssl_check},
        ca_cert_dir   => $params{ca_cert_dir},
        ca_cert_file  => $params{ca_cert_file},
        SSL_cert_file => $params{SSL_cert_file},
        SSL_key_file  => $params{SSL_key_file},
    };
    bless $self, $class;

    and the request function uses the values stored, like so:

    $self->{ua}->ssl_opts(SSL_ca_file   => $self->{ca_cert_file})  if $self->{ca_cert_file};
    $self->{ua}->ssl_opts(SSL_ca_path   => $self->{ca_cert_dir})   if $self->{ca_cert_dir};
    $self->{ua}->ssl_opts(SSL_cert_file => $self->{SSL_cert_file}) if $self->{SSL_cert_file};
    $self->{ua}->ssl_opts(SSL_key_file  => $self->{SSL_key_file})  if $self->{SSL_key_file};

    The 'ua' member of $self holds the user agent.

    The log quote I provided that showed a successful connection was for gremlin.site. The one showing a failed connection was for another site, and one which I expected to fail because the certificate it has, while adequate for https when host names are not checked, was not signed by any CA anyone in his right mind would trust. My reason for this is that RSN I hope to be buying a domain name and proper certificates from a recognized vendor. I used it only to show that the log itself does not actually tell you which data transfer, or message, came from the client and which came from the server, and which of the two was actually responsible for the failure. This is in preparation for dealing with a server that I do not control and behaves in the same way as this second server (not gremlin.site). Now, how would I change that commandline you showed to inform LWP of the CA's root crt that can be used to verify the server's crt file and my client crt?

    Also, I noticed that in the session log you showed, the client seemed to be doing most of the work, and there was hardly anything done by the server. I need details that will let me distinguish between a certificate validation failure because the known CAs weren't involved in any way in the creation of the server's certificate from the same failure message being due to the server not sending its certificate in the first place (maybe an error in the configuration of the server). I set up my two servers specifically to let me see what I get when everything ought to work fine and when there ought to be a failure because the server's certificate could not be verified. I was hoping to see the sort of dialog between machines that one can get, e.g. from Wireshark. I'd use Wireshark to get the dialog I need, except I do not know how to get only the dialog between my workstation and the server I am trying to connect to, without all the other traffic (which seems to be significant), or how to save all that glorious detail to a file that I can send to the administrator of a misbehaving server. And, in Wireshark, I do not know if the server is seeing me at my non-routable IP address or my public IP address (I am connecting to this misbehaving server through a VPN (whose administration remains a mystery to me)).

    Actually, while we're at it, is there an introductory web page that illustrates the steps in the SSL/TLS handshaking that must occur in order to have a secure channel properly opened?

    Thanks

    Ted
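The ssl_opts configuration from the post above, together with the "Client-SSL-*" headers shown in the lwp-request output earlier in the thread, can be combined into one script that also records which certificate in the server's chain OpenSSL rejected, so that "the CA is not trusted" can be told apart from "the server never presented a usable certificate". This is an added example and is not code from either poster; the file names rootCA.pem, client.crt and client.key are reused from the thread as placeholders, the URL is an assumption, and the helper names fetch, diagnose and log_chain_step are invented here.

```perl
#!/usr/bin/perl
# Added example (not from the thread): fetch a URL with LWP using an explicit
# CA bundle and a client certificate, log every certificate OpenSSL examines,
# and explain a failed handshake from what was (or was not) verified.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# All paths and the URL are assumptions; substitute your own.
my %cfg = (
    url           => 'https://gremlin.site/',
    SSL_ca_file   => 'rootCA.pem',   # CA that signed the server certificate
    SSL_cert_file => 'client.crt',   # client certificate, if the server asks for one
    SSL_key_file  => 'client.key',
);

my @chain;   # one entry per certificate OpenSSL looked at, root first

sub log_chain_step {
    # IO::Socket::SSL calls this with OpenSSL's verdict, the store address,
    # a string holding issuer and subject, and the error text (0 if none).
    my ($ok, $store, $certname, $error) = @_;
    push @chain, { ok => $ok, name => $certname, error => $error };
    return $ok;   # keep OpenSSL's decision; never return 1 unconditionally
}

sub fetch {
    my ($url, %ssl) = @_;
    my $ua = LWP::UserAgent->new(timeout => 30);
    # verify_hostname is already the default in LWP 6; stated here for clarity.
    $ua->ssl_opts(
        verify_hostname     => 1,
        SSL_verify_callback => \&log_chain_step,
        %ssl,
    );
    return $ua->get($url);
}

sub diagnose {
    my ($res) = @_;
    # A completed handshake leaves the peer certificate in Client-SSL-* headers.
    if (!$res->header('Client-Warning')) {
        return sprintf "handshake OK: subject=%s issuer=%s cipher=%s",
            $res->header('Client-SSL-Cert-Subject') // '?',
            $res->header('Client-SSL-Cert-Issuer')  // '?',
            $res->header('Client-SSL-Cipher')       // '?';
    }
    # LWP answers a failed connection with an internal 500 response; the
    # last OpenSSL error text is kept in $IO::Socket::SSL::SSL_ERROR.
    my $why = $IO::Socket::SSL::SSL_ERROR || $res->status_line;
    if (!@chain) {
        return "no certificate reached verification (server sent none, or the "
             . "handshake failed before that point): $why";
    }
    my ($bad) = grep { !$_->{ok} } @chain;
    return $bad
        ? "server sent a chain, but '$bad->{name}' was rejected: $bad->{error}"
        : "chain verified; failure lies elsewhere (hostname mismatch, "
        . "client key/cert problem): $why";
}

my $res = fetch($cfg{url}, map { $_ => $cfg{$_} } grep { /^SSL_/ } keys %cfg);
print "verified=$_->{ok} $_->{name}\n" for @chain;
print diagnose($res), "\n";
```

For the command-line half of the question: lwp-request has no CA switch of its own, but LWP::UserAgent reads the CA bundle from the PERL_LWP_SSL_CA_FILE and PERL_LWP_SSL_CA_PATH environment variables, so `PERL_LWP_SSL_CA_FILE=rootCA.pem lwp-request -UuSsEd https://gremlin.site` checks the server against that root; a client certificate has no environment variable and needs ssl_opts as in the script. To see the handshake messages themselves from the Perl side, `use IO::Socket::SSL qw(debug3);` prints each step to STDERR.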