I am experiencing some issues with a slightly older copy of the IO::Socket::SSL module, it rejects a CA during the handshake where the openssl binary allows it using the same parameters. I was hoping that a fellow monk might point out the obvious for me. Here is what I experience;
Using the following perl code:root#~ openssl s_client -connect srs.neulevel.biz:700 -cert ./my-cert. +pem -key ./my-cert.key -CAfile ca_bundle.pem CONNECTED(00000003) depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority verify return:1 depth=0 /C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/ +resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R) +/CN=epp.neustar.biz verify return:1 --- Certificate chain 0 s:/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/res +ources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R)/CN +=epp.neustar.biz i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- subject=/C=US/O=epp.neustar.biz/OU=GT20684673/OU=See www.geotrust.com/ +resources/cps (c)07/OU=Domain Control Validated - QuickSSL Premium(R) +/CN=epp.neustar.biz issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 1775 bytes and written 3588 bytes ---
Which produces the following output:#!/usr/bin/perl use strict; use warnings; use IO::Socket::SSL qw(debug4); my $client = new IO::Socket::SSL( PeerAddr => "srs.neulevel.biz", PeerPort => 700, Proto => 'tcp', SSL_use_cert => 1, SSL_key_file => "my-cert.key", SSL_cert_file => "my-cert.pem", SSL_ca_file => "ca_bundle.pem", ); if (defined $client) { print <$client>; close $client; } else { warn "I encountered a problem: ", IO::Socket::SSL::errstr(); } warn $! if not defined($client);
It would seem that the error indicates that the ca isn't in the bundle, however the openssl CLI seems to agree with me that it is indeed there.SSL connect attempt failederror:14094418:SSL routines:SSL3_READ_BYTES: +tlsv1 alert unknown ca at /root/biz_test.pl line 6 IO::Socket::INET configuration failed at /root/biz_test.pl line 6 I encountered a problem: IO::Socket::INET configuration failed at /roo +t/biz_test.pl line 20. IO::Socket::SSL: Timeout ...caught at /root/biz_test.pl line 23.
I know you won't be able to reproduce this on your own machine as EPP access is limited by IP ranges and you don't have access to my IPs or certificates. The ca bundle is the standard Verisign root CA bunlde and my-cert was issued by them. I have tried using ca_path => /etc/ssl/certs to include the equfax certs as well, but I receive the same result.
In reply to OpenSSL vs IO::Socket::SSL by marcussen
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |