Certificate host verification with Net::SSLeay::post

OtcFormula has asked for the wisdom of the Perl Monks concerning the following question:

Hello all!

I am using Net::SSLeay::post_https to post a bit of XML to a server using client certificate authentication. To wit:

  ($content, $respstr, %reply_headers) =
    Net::SSLeay::post_https($cfg->{'host'}
                            , $cfg->{'port'}
                            , '/'
                            , ''
                            , $xml
                            , 'text/xml'
                            , $cfg->{'certname'} . ".crt"
                            , $cfg->{'certname'} . ".key"
                           );
[download]

It works great! But sometimes it shouldn't!

It appears that no verification is being performed against the validity of the server certificate. When I use a hostname to connect that is different than the server certificate's DN, I get no warnings, errors, or anything but an otherwise successful connection. When using other languages/libraries with the same input, I get one or another "bad name" type of error.

What do I need to do in order to have Net::SSLeay::post_https verify the server name against the certificate it presents? (And potentially other verifications that should properly be made?)

Thanks!
OF

Comment on Certificate host verification with Net::SSLeay::post_https Download Code

Replies are listed 'Best First'.
Re: Certificate host verification with Net::SSLeay::post_https by Corion (Patriarch) on Oct 30, 2011 at 19:32 UTC
I only have used LWP::UserAgent with its host verification, and at least for the (fixed) hostnames I use, it works. Net::SSLeay has a section on Certificate verification and Certificate Revocation Lists, maybe that one helps you?	[reply]
Re^2: Certificate host verification with Net::SSLeay::post_https by OtcFormula (Novice) on Nov 13, 2011 at 04:10 UTC
Thanks for the helpful link! It looks promising, but doesn't work as written. I now remember having seen it before, but was -- and still am -- confused by the `$ssl` parameter. It's used in various places in that document, but never declared or explained. And the code snippet doesn't compile, naturally, without some way of instantiating it. Any thoughts?	[reply]
Re: Certificate host verification with Net::SSLeay::post_https by Khen1950fx (Canon) on Oct 31, 2011 at 15:01 UTC
To verify the server name against the certificate, I use IO::Socket::SSL. For example... #!/usr/bin/perl use strict; use warnings; use IO::Socket::SSL qw(debug3); use Net::SSLeay qw(post_https); $Net::SSLeay::ssl_version = 3; $\|=1; my $host = 'pause.perl.org:https'; my $port = 443; my $client = IO::Socket::SSL->new( PeerAddr => $host, PeerPort => $port, Proto => 'tcp', SSL_version => 3, SSL_use_cert => 0, SSL_verifycn_scheme => 1, ) or warn &IO::Socket::SSL::errstr; print "Connected\n"; print $client "GET / HTTP/1.0\r\n\r\n"; $client->verify_hostname($host, 'http'); my ( $subject, $issuer, $cn ); print $subject = $client->peer_certificate('subject'); print $issuer = $client->peer_certificate('issuer'); $client->close( SSL_no_shutdown => 1 ); [download]	[reply] [d/l]
Re^2: Certificate host verification with Net::SSLeay::post_https by OtcFormula (Novice) on Nov 13, 2011 at 04:13 UTC
Please remember, I must authenticate with a client certificate. I initially wanted to use `IO::Socket::SSL`, actually. But I've yet to find support for client certificate authentication with it, hence my use of `Net::SSLeay` instead. If you know a way to specify a client certificate for authenticating when using `IO::Socket::SSL`, I'm most certainly all ears with much interest.	[reply]