I got that working by adding the fields for the CA certificate and path, as well as the client side certificate and client key. In Perl, I used SSL_ca_file, SSL_ca_path, SSL_cert_file, SSL_key_file, with the appropriate values, passed to UserAgent's function ssl_opts. I noticed, in Wireshark, that there are a couple of differences between the handshaking between workstation and client.
1) Frame 4, there was more data sent from my workstation to the server: 371 (successful connection) vs 201 (unsuccessful)
2) Frame 10, there was a lot more data sent from the server to the client when the handshaking was successful: 949 (successful) vs 339 (unsuccessful). After that, there are a couple of acknowledgements, but at that point the unsuccessful one died a nasty death, returning the error that the function GET_SERVER_CERTIFICATE failed, while the successful connect proceeded to have my workstation send the client certificate to the server. I wonder if the difference in data in frame #4 is responsible for the server not sending the certificate. But, if that is the case, what is the Perl module doing differently from what openssl is doing? Thanks Ted
It's hard to get just from the number of bytes and the frame number what the difference is. IO::Socket::SSL announces fewer ciphers than s_client to work around bugs in older F5 appliances, which might explain the difference in the packets from client to server. And the server sends more data on successful connection because it sends the certificate.
Another difference might be that IO::Socket::SSL tries SNI whereas s_client not. You might switch off SNI with setting SSL_hostname to ''. If this does not help it might be better to contact me directly at sullr AT cpan.org and send me the full packet dump for successful and unsuccessful connection.
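As an added example that is not part of either post above, here is the client-certificate setup the first post describes (SSL_ca_file, SSL_cert_file, SSL_key_file passed through LWP::UserAgent's ssl_opts), together with the SNI switch the reply suggests (SSL_hostname set to ''), so the two handshakes can be compared side by side. The URL and the file paths are placeholders, and the make_agent and fetch helpers are this example's own, not part of IO::Socket::SSL or LWP.

```perl
#!/usr/bin/env perl
# Added example: client-certificate HTTPS request with LWP::UserAgent,
# with an optional SNI-off variant for comparing the two handshakes.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Placeholder values: replace with your own server and PEM files.
my $url       = 'https://tomcat.example.internal:8443/';
my $ca_file   = '/etc/pki/example/ca-bundle.pem';   # CA(s) that signed the server cert
my $cert_file = '/etc/pki/example/client.crt';      # certificate presented to the server
my $key_file  = '/etc/pki/example/client.key';      # matching private key, keep it mode 0600

# Build a UserAgent; pass no_sni => 1 to suppress the SNI extension (hypothetical helper).
sub make_agent {
    my (%opt) = @_;
    my %ssl_opts = (
        verify_hostname => 1,                # LWP: certificate must match the host name
        SSL_verify_mode => SSL_VERIFY_PEER,  # IO::Socket::SSL: server cert must chain to a CA
        SSL_ca_file     => $ca_file,
        SSL_cert_file   => $cert_file,
        SSL_key_file    => $key_file,
    );
    # '' tells IO::Socket::SSL not to send SNI, as suggested in the reply.
    $ssl_opts{SSL_hostname} = '' if $opt{no_sni};
    return LWP::UserAgent->new(ssl_opts => \%ssl_opts, timeout => 15);
}

# Perform one GET and report the HTTP status line (or the SSL error LWP wraps).
sub fetch {
    my ($ua) = @_;
    my $res = $ua->get($url);
    return $res->status_line;
}

print "with SNI:    ", fetch(make_agent()),            "\n";
print "without SNI: ", fetch(make_agent(no_sni => 1)), "\n";
```

Run it with both variants and capture each in Wireshark; a difference in the server's reply between the two runs points at SNI handling on the server, while identical failures point elsewhere. IO::Socket::SSL also accepts an SSL_cipher_list option, which answers the cipher question raised later in the thread, but the module's default list is deliberately conservative and leaving it in place is the safer choice; the server still picks the suite from what both sides offer.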
Thanks! How can I tell IO::Socket::SSL to use more ciphers; those used by openssl s_client? AND, is it a good idea to do so? That is, does doing so introduce vulnerabilities when connecting to Tomcat? (I don't even know what an F5 appliance is.) Or does it only use the best ciphers available to it? Or does it even matter when the client and server are going to negotiate the cipher to use anyway? I did turn off SNI, but it made no difference except to get rid of the reference to SNI in the output. I'll send my Wireshark logs directly. I assume that's what you're talking about in your reference to a full packet dump. I just started using Wireshark last Friday, and am still having difficulty making sense of it, or even how to have it actually show me the data (I have all the keys and certificates that would be used in the SSL handshaking, but I don't know if I need to tell Wireshark about them, or how to do so if so). Thanks Ted