in reply to LWP::UserAgent Client certificate authentication

I'm sorry, but I don't understand why everyone is shouting SSCCE immediately. Also hippo's example doesn't show anything you already knew: that when you try to use SSLv3 the program fails. I think your question 1 is a perfectly sound question. If I read a bit between your lines, not knowing what versions are involved, I think I can understand what you are talking about. The question is whether, according to the documentation, IO::Socket::SSL supports SSLv3. This is mentioned in the latest documentation, so let's start from there.

What could have been answered here is that the documentation for IO::Socket::SSL is actually correct. The library does support SSLv3! However, here is the trick: IO::Socket::SSL depends on Net::SSLeay, and that module relies on OpenSSL. The only thing the documentation of Net::SSLeay (v1.85) mentions is: "On some systems, OpenSSL may be compiled without support for SSLv2. If this is the case, Net::SSLeay will warn if ssl_version has been set to 2". But as far as I know, OpenSSL is no longer compiled by default with support for SSLv3 either, for Perl (and for very good reasons!). So it seems that there is some missing information in the documents regarding disabling SSLv3, but maybe it has been mentioned in release notes. If you examine SSLeay.xs (inside the download package) you will see that at some point OpenSSL compiler options were added to make it possible to disable SSLv3:

#ifndef OPENSSL_NO_SSL3
SSL_CTX *
SSL_CTX_v3_new()
    CODE:
        RETVAL = SSL_CTX_new (SSLv3_method());
    OUTPUT:
        RETVAL
#endif

In the following code block from IO::Socket::SSL you can see that the result is "SSL Version SSLv3 not supported" because Net::SSLeay cannot CTX_v3_new. I tried to find information about this method check in IO::Socket::SSL's documentation but could not find it:

my $ctx_new_sub = UNIVERSAL::can( 'Net::SSLeay',
    $ver eq 'SSLv2'   ? 'CTX_v2_new' :
    $ver eq 'SSLv3'   ? 'CTX_v3_new' :
    $ver eq 'TLSv1'   ? 'CTX_tlsv1_new' :
    $ver eq 'TLSv1_1' ? 'CTX_tlsv1_1_new' :
    $ver eq 'TLSv1_2' ? 'CTX_tlsv1_2_new' :
    'CTX_new'
) or return IO::Socket::SSL->_internal_error("SSL Version $ver not supported",9);

I cannot help you regarding question 2 since I don't know much about that.

Re^2: LWP::UserAgent Client certificate authentication
by hippo (Archbishop) on Jun 28, 2018 at 13:35 UTC
    > I'm sorry, but I don't understand why everyone is shouting SSCCE immediately. Also hippo's example doesn't show anything you already knew: That when you try to use SSLv3 the program fails.

    The reason is this: I have never yet seen the error to which my anonymous brother alluded by "I get error that this version is not supported", presuming he means this version of SSL. Given that his code is incomplete and the error message inexact, I cannot tell either by inspection or by running it what the actual error message is, nor what throws it. I've given a counterexample to show that I can quite happily run some code requiring SSLv3 without throwing an error resembling that hinted at in the OP.

    Note additionally that my counterexample program doesn't fail. It correctly reports that the site tested forbids an SSLv3 connection (quite reasonably, I think we can all agree). It would be instructive to know what the OP sees when running that same code.

    It's a good deduction on your part (++) that the OP's underlying openssl libs may not allow for SSLv3. Hopefully our anonymous poster will return and confirm it.

      Ok, I can understand that also. And even though I deduced the problem, surely my answer can also not be the correct one to this problem.

      One thing that I noticed through your last reply when you said:

      "It correctly reports that the site tested forbids an SSLv3 connection"

      Are you sure that you have a build with SSLv3 enabled? It surprised me a little bit but when I ran your test I didn't get the 'not supported' message either and I know I don't have SSLv3 enabled.

      So I turned on extra debugging (use IO::Socket::SSL qw(debug4);) and it is only then that I get to see the not supported message. So now I am wondering if in your case: Was it the site that rejected it or your client?

      Without debugging:

      IO::Socket::SSL version 2.056
      SSL connection with SSLv3 failed
      SSL connection with TLSv1_2 set up

      After turning on debugging:

      IO::Socket::SSL version 2.056
      DEBUG: .../IO/Socket/SSL.pm:641: global error: SSL Version SSLv3 not supported
      SSL connection with SSLv3 failed
      ...
      SSL connection with TLSv1_2 set up
      (program exits normally)

      edit: The result with debug looked like a fatal exception (as hippo commented below). I added the last line now for clarification. See ... above.

        From your reported output it appears that just implementing the debugging causes a fatal exception to be thrown - am I reading that right? Seems very odd.

        Regardless, I do not see anything like the same debugging output that you do:

        IO::Socket::SSL version 2.012
        DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
        DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
        DEBUG: .../IO/Socket/SSL.pm:506: socket connected
        DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
        DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pairsite.com
        DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
        DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 0
        DEBUG: .../IO/Socket/SSL.pm:677: connection failed - connect returned 0
        DEBUG: .../IO/Socket/SSL.pm:1753: SSL connect attempt failed because of handshake problems
        DEBUG: .../IO/Socket/SSL.pm:1758: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
        DEBUG: .../IO/Socket/SSL.pm:1742: IO::Socket::IP configuration failed
        DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
        DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
        DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128
        SSL connection with SSLv3 failed
        DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
        DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
        DEBUG: .../IO/Socket/SSL.pm:506: socket connected
        DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
        DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pairsite.com
        DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
        DEBUG: .../IO/Socket/SSL.pm:2467: did not get stapled OCSP response
        DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18472720
        DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19090528
        DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19087024
        DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18989936
        DEBUG: .../IO/Socket/SSL.pm:1532: scheme=default cert=18989936
        DEBUG: .../IO/Socket/SSL.pm:1542: identity=perlmonks.pairsite.com cn=*.pairsite.com alt=2 *.pairsite.com 2 pairsite.com
        DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 1
        DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake done
        SSL connection with TLSv1_2 set up
        DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
        DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
        DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128

        From this it very much does appear that my installation is indeed attempting to connect to the site over SSLv3 without client-side error and that it is (as expected) the server which is rejecting this protocol. HTH.
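The two questions the thread circles around (the UNIVERSAL::can lookup of CTX_v3_new in the first post, and hippo's "was it the client or the server that refused SSLv3?") can both be settled from a small script. This is an added example written for this page, not code from the thread, from IO::Socket::SSL or from Net::SSLeay; it assumes a Perl with both modules installed, and the hostname passed on the command line is the reader's own choice.

```perl
use strict;
use warnings;
use Net::SSLeay;
use IO::Socket::SSL;   # exports $SSL_ERROR by default

# Map IO::Socket::SSL's SSL_version names to the Net::SSLeay constructor it
# looks up with UNIVERSAL::can. A constructor that OpenSSL compiled out
# (e.g. with OPENSSL_NO_SSL3) is simply absent from Net::SSLeay, which is
# what produces "SSL Version SSLv3 not supported" on the client side.
my %ctx_ctor = (
    SSLv2   => 'CTX_v2_new',
    SSLv3   => 'CTX_v3_new',
    TLSv1   => 'CTX_tlsv1_new',
    TLSv1_1 => 'CTX_tlsv1_1_new',
    TLSv1_2 => 'CTX_tlsv1_2_new',
);

# Offline check: which protocol versions can this Perl build even request?
sub supported_versions {
    my %out;
    $out{$_} = UNIVERSAL::can('Net::SSLeay', $ctx_ctor{$_}) ? 1 : 0
        for keys %ctx_ctor;
    return \%out;
}

# Online check: try one version against a host and report which side refused.
# 'client' = IO::Socket::SSL never built a context ("... not supported" path),
# 'server' = a handshake was started and the peer rejected it,
# 'ok'     = the connection succeeded with that version.
sub probe_version {
    my ($host, $ver) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost    => $host,
        PeerPort    => 443,
        SSL_version => $ver,
        Timeout     => 10,
    );
    return 'ok' if $sock;
    my $err = $SSL_ERROR // '';
    return $err =~ /not supported/ ? 'client' : 'server';
}

print "OpenSSL: ", Net::SSLeay::SSLeay_version(), "\n";
my $sup = supported_versions();
printf "%-8s %s\n", $_, $sup->{$_} ? 'available' : 'compiled out' for sort keys %$sup;

# Pass a hostname on the command line (your own host) to run the network probe.
if (my $host = shift @ARGV) {
    printf "%-8s to %s: %s\n", $_, $host, probe_version($host, $_) for qw(SSLv3 TLSv1_2);
}
```

Without a hostname the script only reports the build capabilities, which is the check that would have answered question 1 directly; with `use IO::Socket::SSL qw(debug4);` added you get the same per-step trace shown in the replies above.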