comment on

I am trying to connect with an HTTPS site requiring client certificates for authentication. So what I did was export the certificate from my browser (Netscape 7.1) that allows me to access the site in question. This produces a PKCS12 keybag. After reading the manpage for Crypt::SSLeay I thought I should be able to do this:

#!/usr/local/bin/perl -w
# DEBUGGING SWITCH / LOW LEVEL SSL DIAGNOSTICS
$ENV{HTTPS_DEBUG} = 1;

# DEFAULT SSL VERSION
$ENV{HTTPS_VERSION} = '3';

# CLIENT PKCS12 CERT SUPPORT
$ENV{HTTPS_PKCS12_FILE}     = 'test.p12';
$ENV{HTTPS_PKCS12_PASSWORD} = 'PASSWORD';

use strict;
use WWW::Mechanize;

my $agent = WWW::Mechanize->new( autocheck => 1 );

# Can we access the host?
my $response = $agent->get("https://hostname/secure/area");
print $response->content;
[download]

But this fails:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
SSL_connect:SSL renegotiate ciphers
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:certificate unknown
SSL_connect:failed in SSLv3 read finished A
Error GETing https://hostname/secure/area: read failed: error:14094416
+:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown | error
+:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure at ./tes
+t.pl line 26
[download]

The only explanation I have found for 'certificate unknown' in the spec is not terribly helpful: "Some other (unspecified) issue arose in processing the certificate, rendering it unacceptable." To verify that the certificate was not the problem I took the PKCS12 keybag and made some PEM files like so:

openssl pkcs12 -in test.p12 -out test.crt -clcerts -nokeys
openssl pkcs12 -in test.p12 -out test.key -nodes -nocerts
openssl pkcs12 -in test.p12 -out cacerts.crt -nokeys -cacerts
[download]

Then I tried connecting using the s_client app that comes with OpenSSL:

openssl s_client -cert test.crt -key test.key -CAfile cacerts.crt -con
+nect hostname:443
[download]

And then I tried to GET /secure/area and was successful. Unfortunately, C::S only contains options related to client verification of the server's certificate, there is no way that I can see to pass the equivalent of -CAfile cacerts.crt. I think a patch might be in order, but I don't know where to begin. Help. -- Sean Evans

In reply to Crypt::SSLeay & client certificate authentication by daigidan

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.