Re^3: LWP::UserAgent Client certificate authentication

Ok, I can understand that also. And even though I deduced the problem surely my answer can also not be the correct one to this problem,

One thing that I noticed through your last reply when you said:

"It correctly reports that the site tested forbids an SSLv3 connection"

Are you sure that you have a build with SSLv3 enabled? It surprised me a little bit but when I ran your test I didn't get the 'not supported' message either and I know I don't have SSLv3 enabled.

So I turned on extra debugging (use IO::Socket::SSL qw(debug4);) and it is only then that I get to see the not supported message. So now I am wondering if in your case: Was it the site that rejected it or your client?

Without debugging

IO::Socket::SSL version 2.056
SSL connection with SSLv3 failed
SSL connection with TLSv1_2 set up
[download]

After turnig on debugging:

IO::Socket::SSL version 2.056
DEBUG: .../IO/Socket/SSL.pm:641: global error: SSL Version SSLv3 not s
+upported
SSL connection with SSLv3 failed
...
SSL connection with TLSv1_2 set up
(program exits normally)
[download]

edit: Result with debug looked like fatal exception (as hippo commented below). I added the last line now for clarification. See ... above

Comment on Re^3: LWP::UserAgent Client certificate authentication Select or Download Code

Replies are listed 'Best First'.
Re^4: LWP::UserAgent Client certificate authentication by hippo (Archbishop) on Jun 28, 2018 at 14:40 UTC
From your reported output it appears that just implementing the debugging causes a fatal exception to be thrown - am I reading that right? Seems very odd. Regardless, I do not see anything like the same debugging output that you do: IO::Socket::SSL version 2.012 DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128 DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:506: socket connected DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pai +rsite.com DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 0 DEBUG: .../IO/Socket/SSL.pm:677: connection failed - connect returned +0 DEBUG: .../IO/Socket/SSL.pm:1753: SSL connect attempt failed because o +f handshake problems DEBUG: .../IO/Socket/SSL.pm:1758: SSL connect attempt failed because o +f handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv +3 alert handshake failure DEBUG: .../IO/Socket/SSL.pm:1742: IO::Socket::IP configuration failed DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128 DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128 SSL connection with SSLv3 failed DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128 DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:506: socket connected DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pai +rsite.com DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling DEBUG: .../IO/Socket/SSL.pm:2467: did not get stapled OCSP response DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18472720 DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19090528 DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19087024 DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18989936 DEBUG: .../IO/Socket/SSL.pm:1532: scheme=default cert=18989936 DEBUG: .../IO/Socket/SSL.pm:1542: identity=perlmonks.pairsite.com cn=* +.pairsite.com alt=2 *.pairsite.com 2 pairsite.com DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 1 DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake done SSL connection with TLSv1_2 set up DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128 DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128 [download] From this it very much does appear that my installation is indeed attempting to connect to the site over SSLv3 without client-side error and that it is (as expected) the server which is rejecting this protocol. HTH.	[reply] [d/l]

Replies are listed 'Best First'.

Re^4: LWP::UserAgent Client certificate authentication
by hippo (Archbishop) on Jun 28, 2018 at 14:40 UTC

From your reported output it appears that just implementing the debugging causes a fatal exception to be thrown - am I reading that right? Seems very odd.

Regardless, I do not see anything like the same debugging output that you do:

IO::Socket::SSL version 2.012
DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:506: socket connected
DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pai
+rsite.com
DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 0
DEBUG: .../IO/Socket/SSL.pm:677: connection failed - connect returned 
+0
DEBUG: .../IO/Socket/SSL.pm:1753: SSL connect attempt failed because o
+f handshake problems

DEBUG: .../IO/Socket/SSL.pm:1758: SSL connect attempt failed because o
+f handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv
+3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:1742: IO::Socket::IP configuration failed
DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128
SSL connection with SSLv3 failed
DEBUG: .../IO/Socket/SSL.pm:2564: new ctx 11004128
DEBUG: .../IO/Socket/SSL.pm:504: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:506: socket connected
DEBUG: .../IO/Socket/SSL.pm:528: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:561: using SNI with hostname perlmonks.pai
+rsite.com
DEBUG: .../IO/Socket/SSL.pm:596: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:2467: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18472720
DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19090528
DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=19087024
DEBUG: .../IO/Socket/SSL.pm:2420: ok=1 cert=18989936
DEBUG: .../IO/Socket/SSL.pm:1532: scheme=default cert=18989936
DEBUG: .../IO/Socket/SSL.pm:1542: identity=perlmonks.pairsite.com cn=*
+.pairsite.com alt=2 *.pairsite.com 2 pairsite.com
DEBUG: .../IO/Socket/SSL.pm:629: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake done
SSL connection with TLSv1_2 set up
DEBUG: .../IO/Socket/SSL.pm:2597: free ctx 11004128 open=11004128
DEBUG: .../IO/Socket/SSL.pm:2602: free ctx 11004128 callback
DEBUG: .../IO/Socket/SSL.pm:2609: OK free ctx 11004128
[download]

From this it very much does appear that my installation is indeed attempting to connect to the site over SSLv3 without client-side error and that it is (as expected) the server which is rejecting this protocol. HTH.

[reply]
[d/l]