Hi,
I have a small perl script which retrieves data from a webserver running in my own network. The server uses https with a self-signed certificate.
I'm currently using LWP::UserAgent with "ssl_opts('verify_hostname' => 0)", which works but is insecure.
Since I'm only making connections to this single server I am able to hardcode information about its certificate in the script. From what I've read I should be able to supply the certificate using the "SSL_ca_file" option.
I'm using an export of the certificate made by Firefox, which I stored in the same directory as the script as "cert.pem".
The code is given below:
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use Data::Dumper;
use IO::Socket::SSL qw(debug3);   # debug3 turns on the handshake trace shown below
my $server = "192.168.100.222";
my $port   = "443";
my $cert   = "cert.pem";          # using relative or absolute paths doesn't make a difference
my $ua = LWP::UserAgent->new();
$ua->ssl_opts('SSL_ca_file' => $cert);        # doesn't work
#$ua->ssl_opts('verify_hostname' => 0);       # works
my $response = $ua->get("https://$server:$port/");
print $response->as_string;
The connection fails with the following debug output (certificate identity stripped):
DEBUG: .../IO/Socket/SSL.pm:1653: new ctx 39194656
DEBUG: .../IO/Socket/SSL.pm:363: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:365: socket connected
DEBUG: .../IO/Socket/SSL.pm:383: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:433: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=38910576
DEBUG: .../IO/Socket/SSL.pm:1201: scheme=www cert=38910576
DEBUG: .../IO/Socket/SSL.pm:1210: identity=192.168.100.222 cn=____________ alt=
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::IP configuration failed error:00000000:lib(0):func(0):reason(0)
DEBUG: .../IO/Socket/SSL.pm:1690: free ctx 39194656 open=39194656
DEBUG: .../IO/Socket/SSL.pm:1695: free ctx 39194656 callback
DEBUG: .../IO/Socket/SSL.pm:1698: OK free ctx 39194656
500 Can't connect to 192.168.100.222:443
Content-Type: text/plain
Client-Date: Tue, 06 Jan 2015 14:53:10 GMT
Client-Warning: Internal response
Can't connect to 192.168.100.222:443
If someone could tell me what I'm doing wrong or if there is a different way to securely connect to a server using a self-signed certificate it would be highly appreciated!
OS: Debian Wheezy
Perl 5.14.2
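An added example, not part of the original post, showing two ways to keep certificate verification switched on when LWP::UserAgent talks to a single server with a self-signed certificate: trusting the server's own PEM export as the only CA (SSL_ca_file, with hostname verification left on), or pinning the certificate's SHA-256 fingerprint (SSL_fingerprint, which IO::Socket::SSL accepts in place of the chain and hostname checks). The server address and the cert.pem name come from the question; the absolute path under /etc and the fingerprint value are placeholders to be replaced with the real ones. Note that with the CA-file approach the hostname check still has to pass, so the certificate's CN or subjectAltName must match the address the script connects to; where it does not, the fingerprint pin is the option that still rejects every certificate except the one expected.

```perl
#!/usr/bin/perl
# Added example (not the original poster's script): two ways to keep
# certificate verification enabled against one self-signed server.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;    # exports the SSL_VERIFY_PEER constant

# Address from the question; path and fingerprint are placeholders.
my $server = "192.168.100.222";
my $port   = 443;
my $ca_pem = "/etc/myscript/cert.pem";   # placeholder: absolute path to the Firefox PEM export
# Real value from:  openssl x509 -in cert.pem -noout -fingerprint -sha256
# (drop the "SHA256 Fingerprint=" prefix; colons are stripped below)
my $pin    = "sha256\$" . ("00" x 32);   # placeholder: 64 hex digits

# Option 1: the self-signed certificate is itself the only trusted CA.
# The chain check passes when cert.pem is exactly the certificate the
# server presents; hostname verification then still requires the
# certificate identity (CN or subjectAltName) to match $server.
sub ua_trusting_ca_file {
    my ($pem) = @_;
    die "CA file $pem is not readable\n" unless -r $pem;
    my $ua = LWP::UserAgent->new;
    $ua->ssl_opts(
        verify_hostname => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => $pem,
    );
    return $ua;
}

# Option 2: pin the certificate fingerprint. When the presented
# certificate matches the pin, IO::Socket::SSL treats verification as
# successful without the chain and hostname checks; any other
# certificate (including one issued later by a real CA) is rejected.
sub ua_pinning_fingerprint {
    my ($fingerprint) = @_;
    (my $pin = $fingerprint) =~ s/://g;   # accept openssl's AA:BB:... form
    $pin =~ /^sha(?:1|256)\$[0-9a-fA-F]+$/
        or die "fingerprint must look like sha256\$<hex digits>\n";
    my $ua = LWP::UserAgent->new;
    $ua->ssl_opts(SSL_fingerprint => $pin);
    return $ua;
}

# Fetch a URL and fail loudly. A verification failure does not throw;
# it surfaces as LWP's internal 500 response ("Client-Warning:
# Internal response"), exactly as in the debug log above.
sub fetch {
    my ($ua, $url) = @_;
    my $response = $ua->get($url);
    die "request to $url failed: " . $response->status_line . "\n"
        unless $response->is_success;
    return $response->decoded_content;
}

# Pick one of the two methods here.
my $method = 'ca_file';    # or 'fingerprint'
my $ua = $method eq 'ca_file'
    ? ua_trusting_ca_file($ca_pem)
    : ua_pinning_fingerprint($pin);

print fetch($ua, "https://$server:$port/");
```

Either way the script no longer accepts an arbitrary certificate: with SSL_ca_file only certificates chaining to cert.pem pass, and with SSL_fingerprint only the pinned certificate passes. The pin has to be updated whenever the server's certificate is regenerated, which is the usual operational cost of pinning.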