Examining SSL Certificates of SMTP hosts using Perl

foobar1977 has asked for the wisdom of the Perl Monks concerning the following question:

Hi,

I have a list of SMTP servers running TLS that I need to check certs on. I've been going around in circles trying to find a solution and think I must be missing something.

I think I need to be in Crypt::OpenSSL::X509 since I need to use the issuer, notBefore and notAfter methods its provides but Im struggling with how to extract the certificate from the SMTP server. Im happily connecting via IO::Socket::SSL but the peer_certificate/dump_peer_certificate methods dont dump the entire cert.

I can use the openssl binary and pass the output of that into Crypt::OpenSSL::X509 and do what I need from there but I dont really want to shell out and even if I go down that route there are other hurdles to overcome.

Can anyone advise on the best solution here.

Thanks in advance.

Comment on Examining SSL Certificates of SMTP hosts using Perl

Replies are listed 'Best First'.
Re: Examining SSL Certificates of SMTP hosts using Perl by mr_mischief (Monsignor) on Sep 09, 2008 at 15:42 UTC
I can't tell you the exact solution, but I had a quick look at your problem and I'll make some suggestions where you might want to look deeper. IO::Socket::SSL uses Net::SSLeay as its wrapper around OpenSSL. The POD for the latter says it doesn't have a complete x509 interface and that dump_peer_certificate returns "selected" information. There is a low-level routine in Net::SSLeay called `sslcat` that does more general things, including grabbing the whole certificate. Perhaps using the lower-level Net::SSLeay stuff will get you a certificate you can save to a temp file and specify to Crypt::OpenSSL::X509. I haven't tried it, but that's where I'd start based on the docs for these three modules.	[reply] [d/l]
Re^2: Examining SSL Certificates of SMTP hosts using Perl by Anonymous Monk on Feb 18, 2009 at 13:09 UTC
See the QuickRef in the Net::SSLeay package for more details, but you could get the X509 certificate by smth like this: Net::SSLeay::PEM_get_string_X509( $CLIENT->peer_certificate() ). $CLIENT->peer_certificate() returns integer number which represents a certificate from the cert-store	[reply]
Re: Examining SSL Certificates of SMTP hosts using Perl by Anonymous Monk on Sep 09, 2008 at 16:14 UTC
Expanding mr_mischief's answer, I'd also suggest to take a look to the certificate verification facilities that Net::SSLeay gives you.	[reply]