Here is something that bears on the problem at hand, but I do not know how to act on it. Check out this link: http://search.cpan.org/~sullr/IO-Socket-SSL-1.997/lib/IO/Socket/SSL.pod. There I read the following:

"Check if we trust the certificate, e.g. make sure it's not a forgery."

"We believe that a certificate is not a fake, if we either know the certificate already or if we trust the issuer (the CA) and can verify the issuer's signature on the certificate. In reality there is often a hierarchy of certificate agencies and we only directly trust the root of this hierarchy. In this case the peer not only sends his own certificate, but also all intermediate certificates. Verification will be done by building a trust path from the trusted root up to the peer's certificate and checking in each step if we can verify the issuer's signature."

"This step often causes problems, because the client does not know the necessary trusted root certificates. These are usually stored in a system dependent CA store, but often the browsers have their own CA store."

Emphasis added.

Both the server and client side certificates were signed by the same CA (one I created using openssl), and I have the CA's certificate on both machines. The CA's certificate is in the proper directory for apache to use it if it wishes, but how do I tell my client software about it? I have not (yet) found a way to tell LWP's user agent about the CA's (my) certificate.

Might this problem be a client side problem? If so, how do I tell the user agent on my client machine to use my CA's certificate for validating my server's certificate?

Also, do I have to worry about telling servers like nginx or apache to send both the server's certificate and the whole chain of intermediate certificates, or do they do that automagically? But that begs the question of how to do that in my client side code? Is that by placing the CA root's certificate on the server and configuring the server to use it when checking the client side certificates? Or do I have to add more code to tell the user agent to send them?

Thanks

Ted


In reply to Re: How do I ensure client side certificates are used in SSL handshaking? by ted.byers
in thread How do I ensure client side certificates are used in SSL handshaking? by ted.byers
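The client-side half of the question above (pointing LWP at a private CA and handing it the client certificate) is a matter of passing IO::Socket::SSL options through LWP::UserAgent's ssl_opts. The script below is an added example written for this thread, not code from the original post or from the LWP/IO::Socket::SSL distributions; the file paths and the host name are assumptions and must be replaced with the real ones.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# Assumed paths: the private CA's certificate (the trust anchor), and the
# client certificate/key that the same CA signed.
my $ca_file   = '/etc/ssl/myca/ca.crt';
my $cert_file = '/etc/ssl/myca/client.crt';
my $key_file  = '/etc/ssl/myca/client.key';

# ssl_opts takes LWP's own verify_hostname plus any IO::Socket::SSL option.
# SSL_ca_file replaces the system CA store with our own CA for this agent, so
# the server's chain is verified against it; SSL_cert_file/SSL_key_file are
# what the agent presents when the server asks for a client certificate.
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,           # also check the name in the server cert
        SSL_ca_file     => $ca_file,
        SSL_cert_file   => $cert_file,
        SSL_key_file    => $key_file,
    },
);

# Assumed host name; the request is otherwise an ordinary GET.
my $res = $ua->get('https://server.example.test/');

if ($res->is_success) {
    print $res->decoded_content;
}
else {
    # A failed verification (untrusted CA, missing intermediate, hostname
    # mismatch) does not reach the server: LWP reports it as a failed
    # connect in the status line, so print it rather than hiding it.
    print "Request failed: ", $res->status_line, "\n";
}
```

Keep verify_hostname set to 1; disabling it would make the agent accept any certificate and defeat the point of running a private CA. Whether the server sends its intermediates is a server-side setting: with Apache's mod_ssl the intermediates are configured on the server (in the chain file or appended to the server certificate file), and client certificates are checked there with SSLCACertificateFile and SSLVerifyClient, so nothing in the LWP client controls that part.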
