Re: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump )

Replies are listed 'Best First'.
Re^2: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Anonymous Monk on Jan 07, 2015 at 11:44 UTC
There was indeed a mismatch in the hostnames. I changed the hostname of the server and restarted apache. This however did not effect the error nor the debug information shown. I tried connecting via openssl s_client to get some more information but I didn't really see anything strange. It mentioned that the cert was self-signed but didn't complain, typing "GET / HTTP/1.0" gave me the page just as going to it in a browser does. The relevant output of "openssl s_client -connect 192.168.100.222:443" is given below CONNECTED(00000003) depth=0 C = NL, ST = Some-State, O = _______, CN = _____________, emai +lAddress = _______________ verify error:num=18:self signed certificate verify return:1 depth=0 C = NL, ST = Some-State, O = _______, CN = _____________, emai +lAddress = _______________ verify return:1 --- Certificate chain 0 s:/C=NL/ST=Some-State/O=_______/CN=_____________/emailAddress=_____ +__________ i:/C=NL/ST=Some-State/O=_______/CN=_____________/emailAddress=_____ +__________ --- Server certificate -----BEGIN CERTIFICATE----- . .(Same cert as the cert.pem supplied to the perl code) . -----END CERTIFICATE----- subject=/C=NL/ST=Some-State/O=______/CN=_____________/emailAddress=___ +____________ issuer=/C=NL/ST=Some-State/O=______/CN=_____________/emailAddress=____ +___________ --- No client certificate CA names sent --- SSL handshake has read 1820 bytes and written 498 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1.2 Cipher : DHE-RSA-AES256-GCM-SHA384 Session-ID: 7E2DD78B639825C10C28C8F56AF56100E4CB67155BB1348EB7C32E +10F02C2066 Session-ID-ctx: Master-Key: 4D6A8EA327F98D1DF703D299CA29CEA5776A5FE7DB4FC32F4D5D0A +DEE58FCAB7D24560107E5ECF0DBE12AEE1A8900321 Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None TLS session ticket lifetime hint: 300 (seconds) TLS session ticket: 0000 - a8 71 f5 e4 bd f7 89 bf-cf 9d 4c d8 38 7e 0c 76 .q....... +.L.8~.v 0010 - 54 02 44 c3 02 03 d0 3f-74 05 3f db 16 01 26 1f T.D....?t +.?...&. 0020 - 05 da 8e 34 d7 a5 20 a8-9d 81 69 6c 74 c7 eb 26 ...4.. .. +.ilt..& 0030 - 38 4d b9 fa 2f 59 8b 86-c0 cb b9 f2 72 26 e6 96 8M../Y... +...r&.. 0040 - 67 7c ca 19 6d 28 29 68-19 8b 3b d3 3d de e3 22 g\|..m()h. +.;.=.." 0050 - 10 88 0b 47 39 f5 20 96-4e a9 29 b2 78 97 a7 be ...G9. .N +.).x... 0060 - f9 d2 88 95 17 65 21 6e-f4 b5 80 ec 67 c4 ae af .....e!n. +...g... 0070 - c1 06 a8 03 21 54 28 5a-bb 9c 41 12 b3 81 27 73 ....!T(Z. +.A...'s 0080 - 59 86 3f ec 9d 9b 57 06-8d 59 bb 5e fc f2 4b 24 Y.?...W.. +Y.^..K$ 0090 - f7 46 37 64 82 8c 52 46-d1 ee 82 9b c7 c4 0b 12 .F7d..RF. +....... 00a0 - 35 cf 7e 89 3f ad cd 97-da d1 e2 ee 71 03 5c 50 5.~.?.... +...q.\P 00b0 - d2 60 59 1e ad f1 71 de-a4 7b 25 bf 45 0a 36 1a .`Y...q.. +{%.E.6. Start Time: 1420627933 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- GET / HTTP/1.0 HTTP/1.1 200 OK Date: Wed, 07 Jan 2015 10:52:14 GMT Server: Apache/2.2.22 (Debian) Last-Modified: Tue, 09 Jul 2013 11:04:40 GMT ETag: "2069e-b1-4e11220a261a8" Accept-Ranges: bytes Content-Length: 177 Vary: Accept-Encoding Connection: close Content-Type: text/html <html><body><h1>It works!</h1> <p>This is the default web page for this server.</p> <p>The web server software is running but no content has been added, y +et.</p> </body></html> closed [download] Maybe I should explicitly tell openssl s_client to use the certificate so its behavior is more similar to the perl code, but I couldn't find out how to do so..	[reply] [d/l]
Re^3: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Anonymous Monk on Jan 07, 2015 at 11:55 UTC
Hmm... https://metacpan.org/pod/IO::Socket::SSL#Common-Problems-with-SSL says Also, util/analyze-ssl.pl in the distribution might be a helpful tool when debugging SSL problems, as do the openssl command line tool and a check with a different SSL implementation (e.g. a web browser). So I'd try that next :)	[reply]
Re^4: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Anonymous Monk on Jan 07, 2015 at 12:46 UTC
I read that page which gave me the idea to enable debugging. It all works fine with a browser, the openssl commandline tool and the perl script with "verify_hostname=0" the different methods mention that the certificate is self-signed but the ssl connection is established just fine. To me this sounds like the problem is restricted purely to the certificate verification and not to say setting up the ssl encryption. I would think that supplying the certificate to LWP and telling it to accept that certificate would be enough to make it work without turning the verification of.... As for the "util/analyze-ssl.pl", I don't know where to find that script. What do they mean by "in the distribution", which distribution?	[reply]
Re^5: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Corion (Patriarch) on Jan 07, 2015 at 13:30 UTC
Re^6: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Anonymous Monk on Jan 07, 2015 at 14:30 UTC
Some notes below your chosen depth have not been shown here
Re^5: HTTPS connection with LWP and self-signed certificate ( openssl/ssldump ) by Anonymous Monk on Jan 07, 2015 at 23:39 UTC