in reply to Issue with LWP loading client certificate

DER format is fine for certificates. But then, many things can go wrong with SSL. To find out what happens to your certificate, switch on SSL debugging by setting $IO::Socket::SSL::DEBUG=2 in your code (see IO::Socket::SSL). It is a bit verbose, but it should clearly indicate whether your client certificate has been used for the request.


Re^2: Issue with LWP loading client certificate
by ffrost (Acolyte) on Jun 18, 2021 at 12:40 UTC

    Tried this one and it's not verbose enough to verify that the certificate is loaded/sent. This was with the debug level set to 4.

    DEBUG: .../IO/Socket/SSL.pm:2649: new ctx 47286544
    DEBUG: .../IO/Socket/SSL.pm:562: socket not yet connected
    DEBUG: .../IO/Socket/SSL.pm:564: socket connected
    DEBUG: .../IO/Socket/SSL.pm:586: ssl handshake not started
    DEBUG: .../IO/Socket/SSL.pm:619: using SNI with hostname OMIT
    DEBUG: .../IO/Socket/SSL.pm:654: request OCSP stapling
    DEBUG: .../IO/Socket/SSL.pm:673: set socket to non-blocking to enforce timeout=180
    DEBUG: .../IO/Socket/SSL.pm:686: call Net::SSLeay::connect
    DEBUG: .../IO/Socket/SSL.pm:689: done Net::SSLeay::connect -> -1
    DEBUG: .../IO/Socket/SSL.pm:699: ssl handshake in progress
    DEBUG: .../IO/Socket/SSL.pm:709: waiting for fd to become ready: SSL wants a read first
    DEBUG: .../IO/Socket/SSL.pm:729: socket ready, retrying connect
    DEBUG: .../IO/Socket/SSL.pm:686: call Net::SSLeay::connect
    DEBUG: .../IO/Socket/SSL.pm:2552: did not get stapled OCSP response
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=52520624
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=52517456
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=53422432
    DEBUG: .../IO/Socket/SSL.pm:1594: scheme=www cert=53422432
    DEBUG: .../IO/Socket/SSL.pm:1604: identity=OMIT cn=OMIT alt=2 OMIT
    DEBUG: .../IO/Socket/SSL.pm:689: done Net::SSLeay::connect -> -1
    DEBUG: .../IO/Socket/SSL.pm:699: ssl handshake in progress
    DEBUG: .../IO/Socket/SSL.pm:709: waiting for fd to become ready: SSL wants a read first
    DEBUG: .../IO/Socket/SSL.pm:729: socket ready, retrying connect
    DEBUG: .../IO/Socket/SSL.pm:686: call Net::SSLeay::connect
    DEBUG: .../IO/Socket/SSL.pm:689: done Net::SSLeay::connect -> 1
    DEBUG: .../IO/Socket/SSL.pm:744: ssl handshake done
    DEBUG: .../IO/Socket/SSL.pm:2552: did not get stapled OCSP response
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=52520624
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=52517456
    DEBUG: .../IO/Socket/SSL.pm:2505: ok=1 cert=53426480
    DEBUG: .../IO/Socket/SSL.pm:1594: scheme=www cert=53426480
    DEBUG: .../IO/Socket/SSL.pm:1604: identity=OMIT cn=OMIT alt=2 OMIT
    DEBUG: .../IO/Socket/SSL.pm:2682: free ctx 47286544 open=47286544
    DEBUG: .../IO/Socket/SSL.pm:2687: free ctx 47286544 callback
    DEBUG: .../IO/Socket/SSL.pm:2694: OK free ctx 47286544
    Error: 403 Forbidden

      Sorry - I thought there would be more output. Probably I misremembered from tests using OpenSSL on the command line, which is a bit cumbersome with Windows (but works fine with Cygwin).

      So there are two more suggestions:

      • Fire your certificate against an online test service, for example https://certauth.idrix.fr/, by just changing the endpoint URL in your code. This service requires client certificates and responds by providing a technical description of the certificate you provided.
      • Import the client certificate and the corresponding CA certificate into a browser and then read the page.

      Maybe one of those gives more insight?
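The steps discussed in this thread (turn on IO::Socket::SSL debugging, confirm the client certificate is really loaded, and send it to the https://certauth.idrix.fr/ test service) put together as one script. This is an added example, not code from any of the posters. It assumes three files in the current directory, client-cert.pem, client-key.pem and ca.pem (PEM format; the thread notes DER also works for the certificate), and that the installed IO::Socket::SSL is recent enough to provide sock_certificate().

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Assumed file names: client-cert.pem,
# client-key.pem (PEM; the thread notes DER also works for the certificate) and
# ca.pem, the CA bundle that signed the server certificate.
use strict;
use warnings;
use IO::Socket::SSL qw($SSL_ERROR);
use IO::Socket::SSL::Utils qw(PEM_file2cert CERT_asHash CERT_free);
use LWP::UserAgent;

my $cert_file = 'client-cert.pem';       # assumed path
my $key_file  = 'client-key.pem';        # assumed path
my $ca_file   = 'ca.pem';                # assumed path
my $host      = 'certauth.idrix.fr';     # test service named in the thread
my $url       = "https://$host/";

# The debug setting from the thread; applies to every handshake below.
$IO::Socket::SSL::DEBUG = 2;

# 1. Pre-flight: parse the certificate file locally and stop if it has expired.
#    A file that does not parse here fails inside LWP as well, only with a
#    less obvious error message.
sub describe_cert {
    my ($file) = @_;
    my $x509 = PEM_file2cert($file);     # dies if $file is not a PEM certificate
    my $info = CERT_asHash($x509);
    CERT_free($x509);
    my $dn = sub {
        my ($h) = @_;
        join ', ', map { "$_=$h->{$_}" } sort keys %$h;
    };
    printf "subject : %s\n", $dn->($info->{subject});
    printf "issuer  : %s\n", $dn->($info->{issuer});
    printf "validity: %s .. %s\n",
        scalar localtime $info->{not_before}, scalar localtime $info->{not_after};
    die "client certificate has expired\n" if $info->{not_after} < time;
    return $info;
}

# 2. Confirm the certificate and key actually land in the SSL context: a direct
#    IO::Socket::SSL handshake with the same options, then read back the
#    socket's own certificate. A cert/key mismatch dies here with an
#    SSL_CTX error instead of surfacing later as an HTTP status.
sub confirm_loaded {
    my $sock = IO::Socket::SSL->new(
        PeerHost      => $host,
        PeerPort      => 443,
        SSL_cert_file => $cert_file,
        SSL_key_file  => $key_file,
        SSL_ca_file   => $ca_file,
    ) or die "handshake with $host failed: $SSL_ERROR\n";
    printf "own cert in context : %s\n", $sock->sock_certificate('subject');
    printf "server presented    : %s\n", $sock->peer_certificate('subject');
    $sock->close(SSL_ctx_free => 1);
}

# 3. The real request through LWP. ssl_opts is handed to IO::Socket::SSL, so
#    the SSL_* keys are the same ones used in step 2.
sub fetch_with_client_cert {
    my $ua = LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            SSL_cert_file   => $cert_file,
            SSL_key_file    => $key_file,
            SSL_ca_file     => $ca_file,
            verify_hostname => 1,
        },
    );
    my $res = $ua->get($url);
    printf "HTTP status: %s\n", $res->status_line;
    if ($res->is_success) {
        # The test service answers with a description of the certificate it received.
        print substr($res->decoded_content, 0, 2000), "\n";
    } else {
        # A clean handshake in the DEBUG output followed by a 4xx usually means
        # the server did not request a client certificate, or did not accept the
        # one presented (untrusted issuer, wrong key usage, or expired).
        print "no usable client certificate reached the server\n";
    }
    return $res;
}

describe_cert($cert_file);
confirm_loaded();
fetch_with_client_cert();
```

Run the three stages in order: if step 1 dies, the problem is the file itself; if step 2 dies, the certificate and key do not fit together or the server's chain does not verify against ca.pem; if both pass and step 3 still reports a 403, the certificate is being presented and the remaining question is whether the server trusts its issuer, which the test service's response body shows directly.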