in reply to LWP and Windows certificates store

I've written a few LWP programs using SSL.

There could be some errors here (I often learn stuff while investigating Posts), but basically the SSL protocol provides you with the certificate...for you to verify and establish the connection. You don't provide the server with anything that is stored in a local file.

Occasionally you will see things like "certificate expired" or some such error. It is possible for you to make an "exception to the rule" and allow this connection. In this case, you would consult some "rule" stored on your computer or ask the user. But in general if the Server has a valid certificate, you don't need to do anything.

I found this post on Stack Overflow: "validate SSL Certificate". It appears that if you use the most recent version of LWP:
use LWP::UserAgent 6;
LWP will validate that the server cert is valid, and LWP >= 6.03 solves a host_name spoof issue (may or may not be a problem for you).

How to override that and continue with an apparently invalid certificate is something that I do not know. But there are links to some complex stuff. Anyway if the server has a valid cert, I don't see any action for you to do. Basically, it will "just work".

See Microsoft: about certificate errors
and Wiki Public_key_certificate.

You will need to install Crypt-SSLeay, but once you do that, LWP "knows about it" and uses it when you connect via HTTPS. There is nothing more to do. An HTTP connection happens on port 80. An HTTPS connection happens on port 443. LWP will figure that out from the URL.

Update: Yes indeed there can be client files that may be required to talk to an SSL connection. I realized that I actually have such a file (thank you Monks for jogging my memory!). However this, to my recollection, wasn't easy to set up and the sysop had to help me do it. I would ask the OP: is that what you mean?

Re^2: LWP and Windows certificates store
by MidLifeXis (Monsignor) on Dec 30, 2011 at 14:33 UTC

    Typically, yes. However, there is also the possibility of using a client certificate, which identifies the client to the server. The typical use identifies the server to the client.

    You can see how this is set up under Apache in the SSL How To document.

    Update: It appears that LWP (the HTTPS section of the LWP documentation, just in case the previous hardcoded link changes) supports client certificates, but I have not tried it myself, so I cannot verify it.

    --MidLifeXis
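
The client-certificate setup discussed in this thread, as an added example that is not code from any of the posters: LWP::UserAgent 6 presents a client certificate while keeping server verification on. It assumes LWP::Protocol::https with IO::Socket::SSL is installed and that the certificate and key have been exported to PEM files; the URL and file names are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent 6;   # 6.x verifies the server certificate by default

# Assumptions (placeholders, not from the thread): the URL and the PEM paths.
my $url = 'https://server.example/protected/';
my %pem = (
    SSL_ca_file   => 'ca-bundle.pem',    # CA(s) that signed the server cert
    SSL_cert_file => 'client-cert.pem',  # client certificate
    SSL_key_file  => 'client-key.pem',   # matching private key, unencrypted here
);

# Fail early with a clear message instead of an opaque handshake error.
for my $opt (sort keys %pem) {
    die "$opt: cannot read '$pem{$opt}'\n" unless -r $pem{$opt};
}

my $ua = LWP::UserAgent->new(
    timeout  => 15,
    ssl_opts => {
        verify_hostname => 1,   # keep server verification on
        %pem,                   # passed through to IO::Socket::SSL
    },
);

my $res = $ua->get($url);

if ($res->is_success) {
    # Headers added by LWP::Protocol::https describing the TLS session.
    printf "cipher:  %s\n", $res->header('Client-SSL-Cipher')       // 'n/a';
    printf "subject: %s\n", $res->header('Client-SSL-Cert-Subject') // 'n/a';
    printf "issuer:  %s\n", $res->header('Client-SSL-Cert-Issuer')  // 'n/a';
    print  $res->decoded_content;
}
elsif (($res->header('Client-Warning') // '') eq 'Internal response') {
    # LWP never got an HTTP reply: connect, verification or handshake failure.
    die "TLS/connection failure: ", $res->status_line, "\n";
}
else {
    # TLS worked; the server rejected the request (e.g. 403 for an unknown cert).
    die "HTTP error: ", $res->status_line, "\n";
}
```

Separating the "Internal response" case from a real HTTP status tells you whether the problem is in the certificate files and trust chain or in the server's authorization of the certificate.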

Re^2: LWP and Windows certificates store
by Eliya (Vicar) on Dec 30, 2011 at 14:32 UTC
    but basically the SSL protocol provides you with the certificate...

    There are also client certificates, which are sometimes used as a (more secure) alternative to basic/md5/kerberos authentication — and I suppose this is what the OP is referring to.

      Now that you mention that, I do have one site that I access and the sysop had to help me because there was a local file that I had to make with a 512 bit public key file. But this was a non-obvious thing to make, rather than a "hey the browser can do it" automatically.

      Anyway, now that it is "set up", I can open a command window via PuTTY or FTP stuff to/from this site with Firefox. I haven't had the need to talk to this site via LWP yet. And I wouldn't know how to do it. I await wiser Monks.

Re^2: LWP and Windows certificates store
by asthaonard (Acolyte) on Dec 30, 2011 at 21:18 UTC
    Well, yes, I did mean that :) Thank you all for your responses. I'll try to share my experience.