perleager has asked for the wisdom of the Perl Monks concerning the following question:

Hey everyone,

I'm working on a PayPal script that validates a PayPal transaction using their IPN feature.

Basically, in their manual it says that while you're posting back your variables to PayPal's secure server, https://www.paypal.com/cgi-bin/webscr, for validation, you should verify its digital certificate for maximum security.

On their support board or on VeriSign's homepage, there's nothing about how to actually verify a certificate.

So after doing additional research, I found Net::SSLeay, which I think can verify a certificate.

Has anyone used this module to verify a certificate?

I looked in the docs, and the closest thing I found to do this job is:

    Net::SSLeay::set_verify($ssl, Net::SSLeay::VERIFY_PEER, 0);

Am I on the right track? I didn't try the actual code yet because my ppm libraries don't find the module, but if I am on the right track, I'll try whatever is possible to install this module.

Thanks
Anthony

Replies are listed 'Best First'.
Re: NET::SSLeay to verify certificates?
by matija (Priest) on Apr 18, 2004 at 14:16 UTC
    There are two things you need to verify: that the certificate's signature is valid (i.e. that what the certificate has to say about itself is true) and that the certificate is saying what you expect it to say.

    If you only verify that the signature is valid, the black hats could put in any validly signed certificate.

    As far as I could see, you can check the subject name with Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($server_cert)) and the issuer name with:

    Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($server_cert))

    However, these high-level routines are available only after you've already sent your request. To verify before you send your data, you need to use the low-level routines; the perldoc suggests you see the implementation of ds_https3() for ideas on how that works.

    Verifying that the signature is correct appears much simpler - a matter of setting a single flag, unless you also want to check the revocation lists.
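The two checks described in the reply above, carried out with the low-level Net::SSLeay calls before any data is sent, as an added example that is not part of the original thread and not code from PayPal or the Net::SSLeay distribution. It assumes a CA bundle at /etc/ssl/certs/ca-certificates.crt, a placeholder POST body that the caller would fill with the received IPN fields, and a Net::SSLeay recent enough to export set_tlsext_host_name, X509_get_subjectAltNames and GEN_DNS (far newer than the version the thread discusses); the hostname matcher name_matches() is written here for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): TLS connection with Net::SSLeay
# that (1) verifies the chain against a trusted CA bundle and (2) checks that the
# certificate names the host we dialled, before sending the IPN post-back.
use strict;
use warnings;
use Socket;
use Net::SSLeay qw(die_now die_if_ssl_error);

my $host    = 'www.paypal.com';
my $port    = 443;
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';  # assumption: CA bundle path on this system
my $body    = 'cmd=_notify-validate';                 # assumption: caller appends the received IPN fields

Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::randomize();

# Plain TCP connection first; TLS is layered on top of the file descriptor.
my $ip = inet_aton($host) or die "cannot resolve $host\n";
socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die "socket: $!";
connect($sock, sockaddr_in($port, $ip)) or die "connect: $!";

# Check 1: the chain must be signed by a CA we trust. VERIFY_PEER with no
# callback makes the handshake itself fail if the chain does not verify.
my $ctx = Net::SSLeay::CTX_new() or die_now("CTX_new failed");
Net::SSLeay::CTX_load_verify_locations($ctx, $ca_file, '')
    or die_now("cannot load CA bundle $ca_file");
Net::SSLeay::CTX_set_verify($ctx, Net::SSLeay::VERIFY_PEER(), undef);

my $ssl = Net::SSLeay::new($ctx) or die_now("SSL new failed");
Net::SSLeay::set_tlsext_host_name($ssl, $host);   # SNI; needs a Net::SSLeay that exports it
Net::SSLeay::set_fd($ssl, fileno($sock));
Net::SSLeay::connect($ssl) > 0 or die_now("TLS handshake failed (chain not trusted?)");

my $vres = Net::SSLeay::get_verify_result($ssl);
die "certificate chain did not verify: "
    . Net::SSLeay::X509_verify_cert_error_string($vres) . "\n" if $vres != 0;  # 0 == X509_V_OK

# Check 2: the certificate must be FOR the host we dialled. A validly signed
# certificate for some other site passes check 1 but must fail here.
my $cert = Net::SSLeay::get_peer_certificate($ssl) or die "no peer certificate\n";
print "subject: ", Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)), "\n";
print "issuer:  ", Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert)), "\n";

# subjectAltName dNSName entries (type GEN_DNS); modern certificates put the host here.
my @names;
my @san = Net::SSLeay::X509_get_subjectAltNames($cert);
while (my ($type, $value) = splice(@san, 0, 2)) {
    push @names, $value if $type == Net::SSLeay::GEN_DNS();
}
# Fall back to the CN only when there are no SAN dNSName entries (RFC 6125 rule).
push @names, Net::SSLeay::X509_NAME_get_text_by_NID(
    Net::SSLeay::X509_get_subject_name($cert), Net::SSLeay::NID_commonName()) unless @names;

die "certificate is for (@names), not $host\n" unless grep { name_matches($_, $host) } @names;

# Only now is it safe to send the data.
my $req = "POST /cgi-bin/webscr HTTP/1.0\r\nHost: $host\r\n"
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . length($body) . "\r\n\r\n" . $body;
Net::SSLeay::ssl_write_all($ssl, $req) or die_if_ssl_error("write");
my $resp = Net::SSLeay::ssl_read_all($ssl);
print $resp;

Net::SSLeay::free($ssl);
Net::SSLeay::CTX_free($ctx);
close $sock;

# Hostname matching (illustrative helper): exact match, or a single leading "*."
# label that matches exactly one label of the host; no partial wildcards.
sub name_matches {
    my ($pattern, $want) = @_;
    $pattern = lc $pattern;
    $want    = lc $want;
    return 1 if $pattern eq $want;
    if ($pattern =~ /^\*\.(.+)$/) {
        my $suffix = $1;
        return $want =~ /^[^.]+\.\Q$suffix\E$/ ? 1 : 0;
    }
    return 0;
}
```

The order matters: the CA bundle and VERIFY_PEER are set on the context before the handshake, so a chain that does not verify aborts the connection, and the name check runs after the handshake but before ssl_write_all, so nothing is written to a server that merely holds some valid certificate. Revocation checking is not covered here; the bundle path and the SAN/SNI calls are the assumptions to adjust for your Net::SSLeay version.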