mldvx4 has asked for the wisdom of the Perl Monks concerning the following question:

If I set SSL_verify_mode => SSL_VERIFY_PEER then the following script no longer fetches pages from the Gemini host which it points to. However, using SSL_verify_mode => SSL_VERIFY_NONE skips verifying the certificate at all. How can I modify the script so that the certificate is stored the first time it is seen and checked each subsequent connection? In other words, I would like it have it run with "Trust on First Use". 

#!/usr/bin/perl
                                                               
use IO::Socket::SSL;
use strict;
use warnings;

my $cl = IO::Socket::SSL->new(
    PeerHost        => 'gemini.circumlunar.space',
    PeerPort        => 1965,
    SSL_hostname    => 'gemini.circumlunar.space',
    SSL_verify_mode => SSL_VERIFY_NONE,
    )
    or die("Failed to connect: $!, '$SSL_ERROR'\n");

my $url  = "gemini://gemini.circumlunar.space/";

print $cl $url,"\r\n\r\n";

while (my $line = <$cl> ){
    print qq($line);
}

exit(0);

[download]

Replies are listed 'Best First'.
Re: Designating Trust on First Use with IO::Socket::SSL SSL_verify_mode
by Corion (Patriarch) on Feb 05, 2022 at 10:59 UTC

    I think you need to implement that yourself. It doesn't seem "that hard". You can use the SSL_verify_callback callback of IO::Socket::SSL to do the store and verification. You can get at the certificate with Net::SSLeay::PEM_get_string_X509() (according to the documentation) and then compare or store.

[reply]
[d/l]
[select]

Back to Seekers of Perl Wisdom