in reply to Re: LWP::UserAgent Client certificate authentication
in thread LWP::UserAgent Client certificate authentication

I'm sorry, but I don't understand why everyone is shouting SSCCE immediately. Also hippo's example doesn't show anything you already knew: That when you try to use SSLv3 the program fails.

The reason is this: I have never yet seen the error to which my anonymous brother alluded by "I get error that this version is not supported", presuming he means this version of SSL. Given that his code is incomplete and error message inexact, I cannot tell either by inspection or by running it what the actual error message is nor what throws it. I've given a counterexample to show that I can quite happily run some code requiring SSLv3 without throwing an error resembling that hinted at in the OP.

Note additionally that my counterexample program doesn't fail. It correctly reports that the site tested forbids an SSLv3 connection (quite reasonably, I think we can all agree). It would be instructive to know what the OP sees when running that same code.

It's a good deduction on your part (++) that the OP's underlying openssl libs may not allow for SSLv3. Hopefully our anonymous poster will return and confirm it.

Re^3: LWP::UserAgent Client certificate authentication
by Veltro (Hermit) on Jun 28, 2018 at 14:15 UTC

    Ok, I can understand that also. And even though I deduced the problem surely my answer can also not be the correct one to this problem.

    One thing that I noticed through your last reply when you said:

    "It correctly reports that the site tested forbids an SSLv3 connection"

    Are you sure that you have a build with SSLv3 enabled? It surprised me a little bit but when I ran your test I didn't get the 'not supported' message either and I know I don't have SSLv3 enabled.

    So I turned on extra debugging (use IO::Socket::SSL qw(debug4);) and it is only then that I get to see the not supported message. So now I am wondering if in your case: Was it the site that rejected it or your client?

    Without debugging

    IO::Socket::SSL version 2.056
    SSL connection with SSLv3 failed
    SSL connection with TLSv1_2 set up

    After turning on debugging:

    IO::Socket::SSL version 2.056
    DEBUG: .../IO/Socket/SSL.pm:641: global error: SSL Version SSLv3 not supported
    SSL connection with SSLv3 failed
    ...
    SSL connection with TLSv1_2 set up
    (program exits normally)

    edit: Result with debug looked like fatal exception (as hippo commented below). I added the last line now for clarification. See ... above

      From your reported output it appears that just implementing the debugging causes a fatal exception to be thrown - am I reading that right? Seems very odd.

      Regardless, I do not see anything like the same debugging output that you do:

      IO::Socket::SSL version 2.012
      DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
      DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
      DEBUG: .../IO/Socket/SSL.pm:506: socket connected
      DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
      DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pairsite.com
      DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
      DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 0
      DEBUG: .../IO/Socket/SSL.pm:677: connection failed - connect returned 0
      DEBUG: .../IO/Socket/SSL.pm:1753: SSL connect attempt failed because of handshake problems
      DEBUG: .../IO/Socket/SSL.pm:1758: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
      DEBUG: .../IO/Socket/SSL.pm:1742: IO::Socket::IP configuration failed
      DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
      DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
      DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128
      SSL connection with SSLv3 failed
      DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
      DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
      DEBUG: .../IO/Socket/SSL.pm:506: socket connected
      DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
      DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pairsite.com
      DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
      DEBUG: .../IO/Socket/SSL.pm:2467: did not get stapled OCSP response
      DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18472720
      DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19090528
      DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19087024
      DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18989936
      DEBUG: .../IO/Socket/SSL.pm:1532: scheme=default cert=18989936
      DEBUG: .../IO/Socket/SSL.pm:1542: identity=perlmonks.pairsite.com cn=*.pairsite.com alt=2 *.pairsite.com 2 pairsite.com
      DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 1
      DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake done
      SSL connection with TLSv1_2 set up
      DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
      DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
      DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128

      From this it very much does appear that my installation is indeed attempting to connect to the site over SSLv3 without client-side error and that it is (as expected) the server which is rejecting this protocol. HTH.
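
The distinction this exchange turns on (did the client library refuse SSLv3 itself, or did the server reject the handshake?) can be read mechanically from the two debug traces quoted above. The following is an added example, not code from any poster in the thread: the function name `classify` and the verdict labels are assumptions, and the sample lines are excerpts of the traces posted above.

```python
import re

# Excerpts of the debug traces quoted in the thread above.
CLIENT_TRACE = """\
DEBUG: .../IO/Socket/SSL.pm:641: global error: SSL Version SSLv3 not supported
SSL connection with SSLv3 failed
SSL connection with TLSv1_2 set up
"""
SERVER_TRACE = """\
DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 0
DEBUG: .../IO/Socket/SSL.pm:1758: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
SSL connection with SSLv3 failed
DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake done
SSL connection with TLSv1_2 set up
"""

RESULT = re.compile(r"^SSL connection with (\S+) (failed|set up)$")
LOCAL = re.compile(r"global error: SSL Version \S+ not supported")
ATTEMPT = re.compile(r"Net::SSLeay::connect -> -?\d+")
ALERT = re.compile(r"alert handshake failure")

def classify(trace):
    """Map each protocol version tried to 'ok', 'local', 'peer' or 'unknown'."""
    verdicts, evidence = {}, []
    for line in trace.splitlines():
        line = line.strip()
        m = RESULT.match(line)
        if not m:
            evidence.append(line)      # debug lines belong to the next result line
            continue
        version, outcome = m.groups()
        blob, evidence = "\n".join(evidence), []
        if outcome == "set up":
            verdicts[version] = "ok"
        elif LOCAL.search(blob):
            verdicts[version] = "local"    # library refused; no handshake was sent
        elif ATTEMPT.search(blob) and ALERT.search(blob):
            verdicts[version] = "peer"     # handshake attempted, server sent an alert
        else:
            verdicts[version] = "unknown"  # e.g. debugging was off
    return verdicts

if __name__ == "__main__":
    print(classify(CLIENT_TRACE))
    print(classify(SERVER_TRACE))
```

Run against output captured without `debug4`, the SSLv3 attempt comes back as `unknown`, which is why the two posters could not tell their cases apart until debugging was enabled.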