in reply to Re^3: Can Log4Perl integrated with LWP log SSL/TLS handshaking?
in thread Can Log4Perl integrated with LWP log SSL/TLS handshaking?
I have kept at it since I last posted data. Here is what I see in the log that is produced:
DEBUG: .../IO/Socket/SSL.pm:2503: new ctx 54371264
DEBUG: .../IO/Socket/SSL.pm:526: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:528: socket connected
DEBUG: .../IO/Socket/SSL.pm:550: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:634: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:657: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:667: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:687: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2384: ok=0 cert=54354928
DEBUG: .../IO/Socket/SSL.pm:647: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1757: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:653: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:2537: free ctx 54371264 open=54371264
DEBUG: .../IO/Socket/SSL.pm:2542: free ctx 54371264 callback
DEBUG: .../IO/Socket/SSL.pm:2549: OK free ctx 54371264
2014/08/04 16:40:45> [http client] communication error: 500 Can't connect to 195.160.170.115:8443 (certificate verify failed)
500 Can't connect to 195.160.170.115:8443 (certificate verify failed)
I see two disconcerting things. First, I see "not using SNI because hostname is unknown". I do not know if this is a fatal error, or if there is anything I can do about it. Second, and the main one, the fatal error: I see "fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed". Would I be right in assuming that the three lines "waiting for fd to become ready: SSL wants a read first" represent three attempts to get the server's certificate? Would I be right in thinking that this is due to the server not sending its certificate? If so, what reasons may be behind that certificate not being sent? Is this exchange supposed to happen before or after the client sends the client certificate? I ask because I do not see anything that is obviously related to the client sending its own certificate.
I have also succeeded in getting the server's certificate. Here is most of what openssl tells me about it:
ted@linux-jp04:~/Work/Projects/FirstData> openssl s_client -connect 195.160.170.115:8443 -showcerts
CONNECTED(00000003)
depth=1 C = LV, ST = Latvia, L = Riga, O = xxxxxxxxxxxx CN = ECOMM-test, emailAddress = xxxxxxxxxxx
verify error:num=19:self signed certificate in certificate chain
verify return:0
139748861212304:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1275:SSL alert number 42
139748861212304:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxx/CN=ECOMM-test/emailAddress=xxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
DELETED
-----END CERTIFICATE-----
 1 s:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxx/CN=ECOMM-test/emailAddress=xxxxxxxxxxxxx
   i:/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxxxxxx/CN=ECOMM-test/emailAddress=xxxxxxxxxxxxxxxxxx
-----BEGIN CERTIFICATE-----
DELETED
-----END CERTIFICATE-----
---
Server certificate
subject=/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
issuer=/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxxxx/CN=ECOMM-test/emailAddress=xxxxxxxxxxxxxxx
---
Acceptable client certificate CA names
/C=LV/ST=Latvia/L=Riga/O=xxxxxxxxxxxxx/CN=ECOMM-test/emailAddress=xxxxxxxxxxxxxxxxxxxx
/C=LV/O=FDL/CN=lv-rtps-proxy-test.ne.1dc.com
---
SSL handshake has read 3646 bytes and written 170 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 53DFFBFBC58875853342EDD1EE387FCE42F0D98DE61F3C24D37FC5792C5AC3C2
    Session-ID-ctx:
    Master-Key: DELETED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1407187961
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
ted@linux-jp04:~/Work/Projects/FirstData>
Of course I masked out the site operator's name and email address for obvious reasons.
Alas, I just noticed a couple of errors right at the beginning of the output, but I do not yet know what they mean. I do not think the presence of a self-signed certificate in the mix is an issue, as the operators of this site established their own CA and use that to sign both their own server certificates and the client-side certificates that their clients are to use when connecting, and, as I said, connection is possible ONLY through a VPN to their site. But is this going to result in a verification failure (even though I have the root CA certificates for THEIR CA)?
Does this help?
Thanks
Ted
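Added example, not code from Ted's post or from the IO::Socket::SSL documentation: an LWP::UserAgent set up the way a private-CA plus client-certificate deployment like the one above needs, with the same IO::Socket::SSL debug trace switched on. The file paths and `gateway.example.test` are placeholders; the two commented-out options address the "not using SNI because hostname is unknown" line, which appears because the connection is made by IP address rather than by name.

```perl
#!/usr/bin/perl
# Added example (not from the thread). Paths and host name are placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# Level 3 emits the same ".../IO/Socket/SSL.pm:NNN: ..." lines seen in the post.
$IO::Socket::SSL::DEBUG = 3;

# Connecting by DNS name (over the VPN) gives IO::Socket::SSL a hostname for
# SNI and for matching against the certificate's CN/SAN. Placeholder name.
my $host = 'gateway.example.test';
my $port = 8443;

my $ua = LWP::UserAgent->new(
    timeout  => 180,
    ssl_opts => {
        verify_hostname => 1,                       # keep chain + name checks on
        SSL_ca_file     => '/path/to/operator-root-ca.pem',  # their private CA
        SSL_cert_file   => '/path/to/client-cert.pem',       # cert they issued
        SSL_key_file    => '/path/to/client-key.pem',        # matching key
        # If you must connect by IP, name the host explicitly so SNI is sent
        # and the certificate name check has something to compare against:
        # SSL_hostname      => 'lv-rtps-proxy-test.ne.1dc.com',
        # SSL_verifycn_name => 'lv-rtps-proxy-test.ne.1dc.com',
    },
);

my $res = $ua->get("https://$host:$port/");

if ($res->is_success) {
    print "TLS handshake and request succeeded\n";
} else {
    # "certificate verify failed": the server chain did not validate against
    # SSL_ca_file (wrong or missing root, or an intermediate not in the file).
    # An "alert bad certificate" (alert 42) from the server usually means it
    # rejected, or never received, the client certificate.
    print "failed: ", $res->status_line, "\n";
    print "SSL error: $IO::Socket::SSL::SSL_ERROR\n" if $IO::Socket::SSL::SSL_ERROR;
}
```

Running it with only `SSL_ca_file` set reproduces the `openssl s_client` behaviour above (chain validates, server then rejects the handshake for lack of a client certificate); adding the cert and key pair is what lets the handshake complete.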