szabgab has asked for the wisdom of the Perl Monks concerning the following question:

I need to write a script that builds up an SSL connection to a server using a public key received by other means and not directly from the server. If I am not mistaken IO::Socket::SSL in the following code expects the private key of the client and not the public key of the server.
$socket = IO::Socket::SSL->new (
    PeerAddr      => $ip,
    PeerPort      => $port,
    Proto         => 'tcp',
    SSL_version   => 'SSLv3',
    SSL_use_cert  => 1,
    SSL_key_file  => 'client-key.pem',
    SSL_cert_file => 'client-cert.pem',
);
Is there a way to supply the public key instead of receiving it from the server after some handshaking?

Update

The solution is simple. After reading up more on SSL I had to convince my bosses that what they want is not that the server does not send the public key, nor to put the private key of the server on the client as well (yes, this too came up), but to make sure the client will check the certificate. Once this was done the code is simple:
my $socket = IO::Socket::SSL->new (
    PeerAddr        => $ip,
    PeerPort        => $port,
    SSL_ca_file     => $cert_file,
    Proto           => 'tcp',
    SSL_version     => 'SSLv3',
    SSL_verify_mode => 1,
);
print $socket ? "OK\n" : "FAILED\n";
Where the $cert_file is the self-signed certificate. The only minor issue I faced after this was to get the cert file of the server I was actually talking to (and not that of the desktop of the developer...) but this is really only a minor issue.

Re: Using SSL with fixed public key
by idsfa (Vicar) on Apr 30, 2006 at 15:47 UTC

    If you already have a copy of the server cert and the CA chain that signed it (public keys all), you simply need to verify on the client:

    $socket = IO::Socket::SSL->new (
        PeerAddr        => $ip,
        PeerPort        => $port,
        Proto           => 'tcp',
        SSL_version     => 'SSLv3',
        SSL_verify_mode => 0x02
    );

    The above will fail if the client does not already have a copy of the server's public key in whatever directory your openssl.cnf file says they should reside. If you need to do additional verifications on your own, use SSL_verify_callback to specify your own additional code.

    If you were looking for some way of setting up a server without having it even send a public key, you're no longer talking SSL. Consider the Crypt:: modules in that case ...

    Updated: It would have been polite for you to mention that your update occurred after I had posted this ...


    The intelligent reader will judge for himself. Without examining the facts fully and fairly, there is no way of knowing whether vox populi is really vox dei, or merely vox asinorum. — Cyrus H. Gordon
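
An added example, not code from either poster: a client that trusts only a certificate obtained out of band, either through SSL_ca_file as in the update above or by pinning the server's public key with IO::Socket::SSL's SSL_fingerprint option. The address, port, file name, host name and pin are placeholder assumptions, and SSL_version is left at the module default.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Assumed placeholders, not values from the thread.
my $ip        = '192.0.2.10';        # documentation address (RFC 5737)
my $port      = 443;
my $cert_file = 'server-cert.pem';   # self-signed cert received out of band

# Optional pin of the server's public key in the module's 'algo$pub$hex'
# form. Leave undef to rely on SSL_ca_file alone.
my $pubkey_pin;                      # e.g. 'sha256$pub$<hex digest>'

my %opts = (
    PeerAddr        => $ip,
    PeerPort        => $port,
    Proto           => 'tcp',
    SSL_verify_mode => SSL_VERIFY_PEER,   # named constant for 0x01
);

if (defined $pubkey_pin) {
    # The handshake succeeds only if the presented key hashes to the pin;
    # a matching fingerprint is accepted in place of CA validation.
    $opts{SSL_fingerprint} = $pubkey_pin;
}
else {
    # Trust anchor is the single certificate we were handed.
    $opts{SSL_ca_file} = $cert_file;
    # Name the certificate was issued for (assumed); needed for the
    # hostname check when connecting by IP address.
    $opts{SSL_verifycn_name} = 'server.example';
}

my $socket = IO::Socket::SSL->new(%opts)
    or die "connect or certificate verification failed: $SSL_ERROR\n";

# Show which public key the server actually presented, so the value can be
# compared with the one delivered by other means and reused as a pin.
print "peer public key: ", $socket->get_fingerprint('sha256', undef, 1), "\n";
print "cipher: ", $socket->get_cipher, "\n";
close $socket;
```

In both branches the server still sends its certificate during the handshake; the client refuses the connection unless it matches what was delivered separately.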