WoodyWeaver has asked for the wisdom of the Perl Monks concerning the following question:
My task is to maintain and troubleshoot certificates for a variety of devices that present as SSL servers. Of particular importance are subject and issuer (self-signed certs are bad), expiration date (so that it can be replaced in advance), and commonName, subjectAltNames (so that certificate validation mechanisms can be debugged).
On the one hand,

    use Net::SSL;    # ships with Crypt::SSLeay

    my $sock;        # declared outside the eval so it is visible afterwards
    eval {
        $sock = Net::SSL->new(
            PeerAddr  => $ip,
            PeerPort  => $port,
            SSL_Debug => 0,
            Timeout   => 30,
        );
        $sock || warn "No Net::SSL session for IP $ip:$port\n";
    };
    if ($sock) {
        my $cert = $sock->get_peer_certificate;    # Crypt::SSLeay::X509 object
        if ($cert) {
            print join( "\t", $host, $interface, $ip, $port,
                $cert->issuer_name, $cert->subject_name,
                $cert->not_before,  $cert->not_after ), "\n";
        }
        else {
            print join( "\t", $host, $interface, $ip, $port, 'no certificate found' ), "\n";
        }
    }
    else {
        print join( "\t", $host, $interface, $ip, $port, 'no connection found' ), "\n";
    }

works well for issuer, subject, and expiration; but

    use IO::Socket::SSL;

    my $client = IO::Socket::SSL->new("$ip:$port");
    if ($client) {
        # peer_certificate() accepts a field name; subjectAltNames returns a list
        print join( "\t", $host, $interface, $ip, $port,
            map( $client->peer_certificate($_),
                 qw(authority owner commonName subjectAltNames) ) ), "\n";
    }
    else {
        print join( "\t", $host, $interface, $ip, $port, 'no connection' ), "\n";
    }

seems best at grabbing subjectAltNames (and parsing out the CN).
I believe these are all built on openssl binaries and the Net::SSLeay, but I don't seem to have the hooks I need in a single package.
Rather than making two calls to each server, one via IO::Socket::SSL and one via Net::SSL, is there a way to optimize this?
advTHANKSance,
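An added example (editor-supplied, not code from the thread): one IO::Socket::SSL connection can yield every field asked for above, because peer_certificate() called without a field name returns the underlying Net::SSLeay X509 handle, from which Net::SSLeay reads the validity dates. It assumes Net::SSLeay 1.45 or later (for P_ASN1_TIME_get_isotime) and a HOST:PORT argument on the command line.

```perl
#!/usr/bin/perl
# Editor-supplied example: issuer, subject, CN, subjectAltNames and validity
# from a single IO::Socket::SSL session. Assumes Net::SSLeay >= 1.45.
use strict;
use warnings;
use IO::Socket::SSL;    # default exports include SSL_VERIFY_NONE and $SSL_ERROR
use Net::SSLeay;

# Summarise the peer certificate of an already-connected IO::Socket::SSL object.
sub cert_summary {
    my ($ssl) = @_;
    my $x509 = $ssl->peer_certificate or return;    # raw Net::SSLeay X509 handle
    my %c = (
        issuer  => $ssl->peer_certificate('issuer'),
        subject => $ssl->peer_certificate('subject'),
        cn      => $ssl->peer_certificate('commonName'),
        # validity as ISO 8601 strings, usable for expiry alerting
        not_before => Net::SSLeay::P_ASN1_TIME_get_isotime(
                          Net::SSLeay::X509_get_notBefore($x509)),
        not_after  => Net::SSLeay::P_ASN1_TIME_get_isotime(
                          Net::SSLeay::X509_get_notAfter($x509)),
    );
    # subjectAltNames is a flat list of (type, value) pairs; the type values
    # are OpenSSL's GENERAL_NAME types: GEN_DNS = 2, GEN_IPADD = 7
    my @san = $ssl->peer_certificate('subjectAltNames');
    my (@dns, @ip);
    while (@san) {
        my ($type, $value) = splice @san, 0, 2;
        push @dns, $value if $type == 2;
        push @ip,  $value if $type == 7;
    }
    $c{san_dns} = \@dns;
    $c{san_ip}  = \@ip;
    # identical issuer and subject is the usual sign of a self-signed cert
    $c{self_signed} = ($c{issuer} eq $c{subject}) ? 1 : 0;
    return \%c;
}

my $target = shift @ARGV or die "usage: $0 HOST:PORT\n";
my $ssl = IO::Socket::SSL->new(
    PeerAddr        => $target,
    SSL_verify_mode => SSL_VERIFY_NONE,    # inventory run: inspect, don't validate
    Timeout         => 30,
) or die "no TLS session to $target: $SSL_ERROR\n";

my $c = cert_summary($ssl) or die "no certificate from $target\n";
printf "%-12s %s\n", $_, (ref $c->{$_} ? join(',', @{$c->{$_}}) : $c->{$_})
    for qw(subject issuer cn san_dns san_ip not_before not_after self_signed);
```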
Re: Which module for SSL certificate access?
by Khen1950fx (Canon) on Jun 25, 2010 at 08:19 UTC
by WoodyWeaver (Monk) on Jun 25, 2010 at 18:01 UTC