ddominnik has asked for the wisdom of the Perl Monks concerning the following question:

I'm writing a Perl application to test the REST API of a JIRA server we're using. Somehow I can't seem to be able to establish an SSL connection to the server. I have the following code

    use strict;
    use warnings;
    use LWP;
    use JIRA::REST;

    # User agent that sends both http and https requests through the proxy
    my $browser = LWP::UserAgent->new;
    $browser->proxy(['http','https'],'http://myproxy:8080');
    $browser->agent("Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0");

    # Hand the preconfigured user agent to JIRA::REST
    my %client = ('useragent' => $browser);
    my $clientref = \%client;
    my $jira = JIRA::REST->new('https://myurl:8443/jira', 'myuser', 'mypass', $clientref);

    print $jira->GET("/issue/myissue");

I had to edit some parts because of confidentiality.
When I try to run this simple script I get the following error message:

    Can't connect to myurl:8443 (certificate verify failed)
    LWP::Protocol::https::Socket: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /home/myhome/perl5/lib/perl5/LWP/Protocol/http.pm

The strange thing is that this error message is not consistent. For example, just a few minutes ago it gave me this error without my editing anything in the script:

    JIRA::REST Error[500 - Internal Server Error]:
    SSL negotiation failed: error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher at /home/myhome/perl5/lib/perl5/LWP/Protocol/http.pm

I assume that my script isn't able to fetch the certificate from the server, but how do I edit my script to make it at least connect for now?
I've tried debugging with analyze-ssl.pl, but it doesn't work either, as the script doesn't accept the syntax of my proxy. I've tried reprogramming it, but without success.

Replies are listed 'Best First'.
Re: Inconsistent errors when trying to establish SSL-connection
by hippo (Archbishop) on Sep 29, 2016 at 13:51 UTC
    $browser->proxy(['http','https'],'http://myproxy:8080');

    You are sending https requests via an http proxy. That strikes me as a Very Bad Idea. Why are you using a proxy in the first place?

      It is perfectly normal to proxy HTTPS with an HTTP proxy. Proxying HTTPS is done by making a CONNECT request to establish a tunnel and then speaking normal TLS inside the tunnel. Thus you still have all the protections offered by TLS. See RFC 2817 section 5 for more details.

        Thanks for the pointer to RFC 2817, which explains a lot. It does still leave me wondering quite what the purpose is of using a proxy in such a situation. It can't be caching because the proxy cannot read the content and it can't be monitoring for the same reason. Any thoughts?

      The proxy is mandatory to access the Internet or our Intranet, because it enforces data policies in my company. It doesn't serve any caching purpose.
Re: Inconsistent errors when trying to establish SSL-connection
by noxxi (Pilgrim) on Sep 30, 2016 at 14:47 UTC

    Try to run your code with -MIO::Socket::SSL=debug4 to get more details about the SSL problems.

    > ...analyze-ssl.pl, but it doesn't work either, as the script doesn't accept the syntax of my proxy.

    I have no idea what is so special about your proxy, since analyze-ssl.pl works with a standard HTTP proxy if you use the --starttls http_proxy option.
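
The CONNECT tunnel from the RFC 2817 reply, combined with the debugging advice above, as an added example (not code from the thread and not taken from analyze-ssl.pl): it opens the tunnel by hand, starts TLS inside it with certificate verification left on, and repeats the attempt so an intermittent failure becomes visible. `myproxy` and `myurl` are the post's placeholders; the CA bundle path is a hypothetical value.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;    # exports $SSL_ERROR and SSL_VERIFY_PEER by default

# Placeholders from the post; the CA bundle path is hypothetical.
my ($proxy_host, $proxy_port) = ('myproxy', 8080);
my ($host, $port)             = ('myurl', 8443);
my $ca_file                   = '/path/to/ca-bundle.pem';

# Open a plain TCP connection to the proxy and ask it for a tunnel.
sub open_tunnel {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $proxy_host, PeerPort => $proxy_port,
        Proto    => 'tcp',       Timeout  => 10,
    ) or die "cannot reach proxy: $!\n";
    syswrite($sock, "CONNECT $host:$port HTTP/1.1\r\nHost: $host:$port\r\n\r\n")
        or die "cannot send CONNECT: $!\n";
    # Read byte-wise up to the blank line so no tunnel data gets buffered.
    my $reply = '';
    while ($reply !~ /\r\n\r\n\z/) {
        sysread($sock, my $byte, 1) or die "proxy closed the connection\n";
        $reply .= $byte;
    }
    my ($status) = $reply =~ m{\AHTTP/1\.[01] (\d{3})}
        or die "unexpected proxy reply\n";
    die "proxy refused CONNECT with status $status\n" unless $status =~ /\A2/;
    return $sock;
}

# Upgrade the tunnel to TLS with verification on; return a one-line result.
sub probe {
    my $sock = open_tunnel();
    my $tls  = IO::Socket::SSL->start_SSL($sock,
        SSL_hostname        => $host,            # SNI
        SSL_verifycn_name   => $host,            # name the certificate must match
        SSL_verifycn_scheme => 'http',
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $ca_file,
    ) or return "FAILED: $SSL_ERROR";
    return sprintf 'OK: %s %s, issuer=%s', $tls->get_sslversion,
        $tls->get_cipher, $tls->peer_certificate('issuer');
}

# Several attempts make an intermittent failure visible.
for my $n (1 .. 5) {
    my $result = eval { probe() } // "ERROR: $@";
    chomp $result;
    print "attempt $n: $result\n";
}
```

The issuer printed on a successful attempt shows which CA the client has to trust, and a run that mixes results reproduces the inconsistency outside of LWP and JIRA::REST.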