Update: the winning combination was
SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
Thanks to all who replied and offered the correct answer.
Hi,I'm a beginner perl programmer. I need a very simple "daemon" that when queried over tcp would return a very simple string. It needs to use SSL to verify the client and refuse to send the string, or anything else for that matter, of the client does not properly authenticate itself.
I've cobbled together a very simple script:
#!/usr/bin/perl use strict; use IO::Socket::SSL qw(debug0); use Sys::Hostname; use Socket; my $ip_address = inet_ntoa((gethostbyname(hostname))[4]); my ( $output, $client ); $output = "ok"; my $server = IO::Socket::SSL->new( LocalAddr => $ip_address, LocalPort => q[6666], Listen => q[10], SSL_verify_mode => SSL_VERIFY_FAIL_IF_NO_PEER_CERT, SSL_cert_file => q[/etc/httpd/certs/crt.pem], SSL_key_file => q[/etc/httpd/certs/key.pem], SSL_ca_file => q[/etc/httpd/certs/ca-chain.crt.pem], ) or die; while(1) { # accept client my $status = $client = $server->accept; if ($status) { print $client $output; shutdown($client,1); } }
And this is a simple client script:
#!/usr/bin/perl use strict; use IO::Socket::SSL qw(debug0); my $client = IO::Socket::SSL->new( # where to connect PeerHost => q[192.168.0.1], PeerPort => q[6666], SSL_verify_mode => SSL_VERIFY_PEER, SSL_cert_file => q[./client.crt.pem], ) or die "failed connect or ssl handshake: $!,$SSL_ERROR"; # receive string over SSL connection my $string = <$client>; print "Output = $string\n";
This works as expected. Opening the server in chrome and authentication with the client certificate also works.
However, the folowing also works even though it shouldn't:
wget -q --no-check-cert https://192.168.0.1:6666 -O -
It shouldn't work because I'm not supplying the client certificate.
How can I force IO::Socket::SSL refuse to send the string without a client certificate?
Thanks, IvanK.| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |