use Crypt::SSLeay 0.57;
use Net::SSL 2.84;
print "Net::SSL $Net::SSL::VERSION\n";
print "Crypt::SSLeay  $Crypt::SSLeay::VERSION\n";
[download]

print $Net::HTTPS::SSL_SOCKET_CLASS;
[download]

Demand up to date versions of modules like shown above. And don't be afraid to dig through the source till you figure it out :)

3) Also, those notes make reference to "$ENV{HTTPS_VERSION}".... As this is a web app, isn't the $ENV variable filled with values associated with the connection between the web app client and our server? The connection we're worried about is between our server and the 3rd party service.

%ENV is filled with lots of stuff, and AFAIK, no webserver sets $ENV{HTTPS_VERSION}, which is probably why it was chosen by Crypt::SSLeay

Heres one way to check

#!/usr/bin/perl -- 

use strict;
use warnings;

use WWW::Mechanize 1.54;
use LWP 5.823;

use Crypt::SSLeay 0.57;
use Net::SSL 2.84;



use LWP::Protocol::https;
sub LWP::Protocol::https::_get_sock_info
{
    package LWP::Protocol::https;
    my $self = shift;
    $self->SUPER::_get_sock_info(@_);
    my($res, $sock) = @_;
    $res->header("Client-SSL-Cipher" => $sock->get_cipher);
    my $cert = $sock->get_peer_certificate;
    if ($cert) {
    $res->header("Client-SSL-Cert-Subject" => $cert->subject_name);
    $res->header("Client-SSL-Cert-Issuer" => $cert->issuer_name);
    $res->header("Client-SSL-VERSION" => *$sock->{ssl_version}); #ding
+dong
    }
    if(! eval { $sock->get_peer_verify }) {
       $res->header("Client-SSL-Warning" => "Peer certificate not veri
+fied");
    }
}

use LWP::ConnCache;

$Net::SSLeay::ssl_version = 10; # Insist on TLSv1
$Net::SSLeay::ssl_version = 3;  # Insist on SSLv3


my $ua = WWW::Mechanize->new(); # keep_alive => 1
$ua->conn_cache(LWP::ConnCache->new);

my $uri = URI->new("https://www.modsecurity.org/");
$ua->get( $uri, 'host' => $uri->host,
'Accept' => 'text/html,application/xhtml+xml,application/xml',
);


print "
######################################################################
+########

WWW::Mechanize $WWW::Mechanize::VERSION
LWP $LWP::VERSION
Crypt::SSLeay $Crypt::SSLeay::VERSION;

Net::HTTPS::SSL_SOCKET_CLASS = $Net::HTTPS::SSL_SOCKET_CLASS
";

for my $con( $ua->conn_cache->get_connections ){
#    LWP::Protocol::https::Socket;  @ISA = qw(Net::HTTPS LWP::Protocol
+::http::SocketMethods);
print "
######################################################################
+########
";

    print "$con $_ = ${*$con}{$_}\n" for grep /ssl/i, keys %{ *$con };
};

print "\n",'#'x66,"\n", $ua->response->headers->as_string,"\n",'#'x66,
+"\n";


#print Data::Dumper->new([$ua])->Indent(1)->Dump();use Data::Dumper;

__END__
Subroutine LWP::Protocol::https::_get_sock_info redefined at lwp-ssl-v
+ersion.pl line 16.

######################################################################
+########

WWW::Mechanize 1.54
LWP 5.823
Crypt::SSLeay 0.57;

Net::HTTPS::SSL_SOCKET_CLASS = Net::SSL

######################################################################
+########
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ssl = Crypt::SSLeay::
+Conn=SCALAR(0x215afc0)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_addr = www.modse
+curity.org
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_port = 443
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_ctx = Crypt::SSLeay::
+CTX=SCALAR(0x215a8f4)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_arg = HASH(0x1fa1238)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_debug = 0
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_new_arg = HASH(0x1f44
+c8c)
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_peer_verify = 0
LWP::Protocol::https::Socket=GLOB(0x215a744) ssl_version = 23

##################################################################
Connection: Keep-Alive
Date: Thu, 26 Feb 2009 17:58:28 GMT
Accept-Ranges: bytes
Server: Apache
Content-Type: text/html
Content-Type: text/html; charset=UTF-8
Client-Date: Thu, 26 Feb 2009 17:59:54 GMT
Client-Peer: 216.75.21.122:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, I
+nc./OU=http://certificates.godaddy.com/repository/
CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Client-SSL-Cert-Subject: /O=www.modsecurity.org/OU=Domain Control Vali
+dated/CN=www.modsecurity.org
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-VERSION: 23
Client-SSL-Warning: Peer certificate not verified
Client-Transfer-Encoding: chunked
Keep-Alive: timeout=15, max=100
Link: <ms.css>; rel="StyleSheet"; type="text/css"
Link: <favicon.ico>; rel="shortcut icon"; type="image/x-icon"
Title: ModSecurity: Open Source Web Application Firewall
X-Meta-Citydesk: 69C8DF18/12
X-Meta-Description: ModSecurity is an open source web application fire
+wall. Working embedded in the web server, or stand
alone as a network appliance, it detects and prevents attacks against 
+web applications.
X-Meta-Generator: Fog Creek CityDesk 2.0.25
X-Meta-Keywords: web application firewall, application firewall, intru
+sion detection, intrusion prevention, open source,
 web security, application security, web application security, applica
+tion gateway

##################################################################
[download]

Ah... now we're getting somewhere. Thank you. I'll take a closer look at that early next week and follow up.

As for the "hire someone to do it" comment... I am the someone. I've just never had to worry about SSL protocol versions.

- Phil

If it's important that you get this setup right, hire someone to do it; or read alot of setup docs and tutorials, so it's done right. Google for "libssh tutorials"