Comments (8)
from the documentation:
... as an internal representation of a X509* object with SSL_cert ...or as an internal representation of a EVP_PKEY* object with SSL_key
You can get these representations either by using Net::SSLeay directly or by using PEM_string2cert and similar functions from IO::Socket::SSL::Utils. Same with SSL_ca, where you can give an array of X509* handles.
from p5-io-socket-ssl.
Sorry, I've been confused for four hours now:
In this case:
    my %sslarg = (
        Listen          => 5,
        LocalPort       => $port,
        Proto           => 'tcp',
        Reuse           => 0,
        SSL_ca_path     => $certdir,
        SSL_ca_file     => "$certdir/my-ca.pem",
        SSL_cert_file   => "$certdir/server-cert.pem",
        SSL_key_file    => "$certdir/server-key.pem",
        SSL_use_cert    => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_reuse_ctx   => 0,
        SSL_server      => 1,
        SSL_version     => 'SSLv3',
        SSL_cipher_list => 'SHA:AES:3DES:!RC4:!MD5',
        SSL_passwd_cb   => sub { return "secret" },
    );
    if (!($socket = IO::Socket::SSL->new(%sslarg)))
=> it works fine!
In this case:
    my $ca_cert = '----BEGIN CERTIFICATE ... (PEM formated)';
    my $x509  = PEM_string2cert($ca_cert);
    my $x509b = CERT_asHash($x509);
    my $x509c = PEM_cert2string($x509);
    my $x509d = %$x509c;
    my %sslarg = (
        Listen          => 5,
        LocalPort       => $port,
        Proto           => 'tcp',
        Reuse           => 0,
        SSL_ca_path     => $certdir,
        SSL_ca          => $x509,    # or other variable
        SSL_cert_file   => "$certdir/server-cert.pem",
        SSL_key_file    => "$certdir/server-key.pem",
        SSL_use_cert    => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_reuse_ctx   => 0,
        SSL_server      => 1,
        SSL_version     => 'SSLv3',
        SSL_cipher_list => 'SHA:AES:3DES:!RC4:!MD5',
        SSL_passwd_cb   => sub { return "$info{CODESSL}" },
    );
    if (!($socket = IO::Socket::SSL->new(%sslarg)))
It gave some error about ARRAY; none of x509, x509b, x509c and x509d worked.
I can't find the mistake in my method, and I have understood the structures in x509.h or x509v3.h ...
What should I put into the variable $arg_hash->{SSL_ca}?
Thanks indeed
from p5-io-socket-ssl.
It seems that the SSL_ca section of SSL.pm doesn't work correctly, because I've checked with the SSL_key method, which works very fine:
    my $ca_cert  = '----BEGIN CERTIFICATE ... (PEM formated)';
    my $srv_pkey = '----BEGIN RSA PRIVATE [...]';
    my $ctx = Net::SSLeay::CTX_new() or die "ERROR: CTX_new failed";
    Net::SSLeay::CTX_set_options($ctx, &Net::SSLeay::OP_ALL);

    # certificate: PEM string -> memory BIO -> X509*
    my $bio_cert = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()) or die;
    Net::SSLeay::BIO_write($bio_cert, $ca_cert) or die "no cert";
    my $x509 = Net::SSLeay::PEM_read_bio_X509($bio_cert) or die "no x509 structure";
    Net::SSLeay::CTX_use_certificate($ctx, $x509) or die;
    Net::SSLeay::BIO_free($bio_cert);

    # private key: PEM string -> memory BIO -> EVP_PKEY*
    my $bio_key = Net::SSLeay::BIO_new(Net::SSLeay::BIO_s_mem()) or die;
    Net::SSLeay::BIO_write($bio_key, $srv_pkey) or die "no key";
    my $evp_pkey = Net::SSLeay::PEM_read_bio_PrivateKey($bio_key, sub { return "secret" })
        or die "no evp_pkey structure";
    Net::SSLeay::CTX_use_PrivateKey($ctx, $evp_pkey);
    Net::SSLeay::BIO_free($bio_key);

    my %sslarg = (
        Listen          => 5,
        LocalPort       => $port,
        Proto           => 'tcp',
        Reuse           => 0,
        SSL_ca_path     => $certdir,
        SSL_ca          => $x509,
        SSL_ca_file     => "$certdir/my-ca.pem",
        SSL_key         => $evp_pkey,
        SSL_key_file    => "$certdir/server-key.pem",
        SSL_cert_file   => "$certdir/server-cert.pem",
        SSL_use_cert    => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_reuse_ctx   => 0,
        SSL_server      => 1,
        SSL_version     => 'SSLv3',
        SSL_cipher_list => 'SHA:AES:3DES:!RC4:!MD5',
        SSL_passwd_cb   => sub { return "secret" },
    );
    if (!($socket = IO::Socket::SSL->new(%sslarg))) {
        print("unable to create socket: ", &IO::Socket::SSL::errstr, "\n");
        warn "unable to create socket: ", &IO::Socket::SSL::errstr, "\n";
        exit(0);
    }
Thanks for your assistance
from p5-io-socket-ssl.
I'm really confused about what you are doing, which is caused by both bad formatting and bad problem description. Please provide a fully working and minimal example with nicely indented code (see help for how to format your messages in a readable way). Also, SSL_ca needs a list of X509* objects (as documented) and not a single object.
from p5-io-socket-ssl.
I've sent you mail (xxx at cpan) and I'm sorry that my language is not very good.
So I've tested and modified .\site\lib\IO\Socket\SSL.pm at line 2272 like this:
    my $store = Net::SSLeay::CTX_get_cert_store($ctx);
    # for (@{$arg_hash->{SSL_ca}})
    {
        # Net::SSLeay::X509_STORE_add_cert($store,$_) or
        Net::SSLeay::X509_STORE_add_cert($store,$arg_hash->{SSL_ca}) or return IO::Socket::SSL->error(
            "Failed to add certificate to CA store");
    }
And now it works fine: SSL_ca like SSL_key. But I can't find an alternative for the $x509 variable without the correction.
Thanks
from p5-io-socket-ssl.
What you did is to change the code so that it uses a single X509* object as the CA list. But the documentation states for a reason that you should give a list of X509* objects, because usually you don't have a single CA but multiple (browsers have 100+). Instead, your usage is wrong and you should use a list, i.e.
SSL_ca => [ $x509 ]
from p5-io-socket-ssl.
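A complete server-side use of in-memory objects, following the maintainer's answer above (an added example, not code from this thread or from the IO::Socket::SSL project; the PEM strings are placeholders, the key is assumed unencrypted, and PEM_string2cert/PEM_string2key are the IO::Socket::SSL::Utils helpers the documentation quoted at the top refers to):

```perl
use strict;
use warnings;
use IO::Socket::SSL;          # exports SSL_VERIFY_* constants and $SSL_ERROR
use IO::Socket::SSL::Utils;   # exports PEM_string2cert, PEM_string2key, ...

# PLACEHOLDER PEM text; in real use read it from a file or a secret store.
my $ca_pem   = "-----BEGIN CERTIFICATE-----\n<CA certificate body>\n-----END CERTIFICATE-----\n";
my $cert_pem = "-----BEGIN CERTIFICATE-----\n<server certificate body>\n-----END CERTIFICATE-----\n";
my $key_pem  = "-----BEGIN PRIVATE KEY-----\n<unencrypted server key body>\n-----END PRIVATE KEY-----\n";

# Turn PEM text into the OpenSSL handles IO::Socket::SSL expects:
# X509* for certificates, EVP_PKEY* for the private key.
my $ca_x509   = PEM_string2cert($ca_pem)   or die "cannot parse CA certificate";
my $cert_x509 = PEM_string2cert($cert_pem) or die "cannot parse server certificate";
my $key_pkey  = PEM_string2key($key_pem)   or die "cannot parse server key";

my $server = IO::Socket::SSL->new(
    Listen     => 5,
    LocalPort  => 4433,
    Proto      => 'tcp',
    ReuseAddr  => 1,
    SSL_server => 1,
    SSL_cert   => $cert_x509,      # one X509*
    SSL_key    => $key_pkey,       # one EVP_PKEY*
    SSL_ca     => [ $ca_x509 ],    # array reference of X509*, even for a single CA
    # require a client certificate and verify it against the SSL_ca list
    SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
) or die "unable to create socket: $SSL_ERROR";

while (1) {
    # accept() returns undef when the TLS handshake (including client
    # certificate verification) fails; log it and keep serving.
    my $client = $server->accept
        or do { warn "handshake failed: $SSL_ERROR\n"; next };
    printf "client %s authenticated as %s\n",
        $client->peerhost, $client->peer_certificate('subject');
    my $line = <$client>;
    print $client "ok\n";
    close $client;
}
```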
Hi,
OK, thanks very much, but I made two mistakes:
- []: an array, of course, but
- I meant a list of x509, this one:
    DB<22> x $x509b
    0  HASH(0x398c23c)
       'crl_uri' => ARRAY(0x398868c)
            empty array
       'ext' => ARRAY(0x398cddc)
          0  HASH(0x39887ac)
             'critical' => 0
             'data' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx'
             'nid' => 82
             'oid' => 'X509v3 Subject Key Identifier'
             'sn' => 'subjectKeyIdentifier'
          1  HASH(0x3992a8c)
             'critical' => 0
             'data' => 'xx:xx:xx:xx:xx:xx:xx:xx:xx'
             DirName:/C=FR/ST=PARIS/L=xx/O=xx/OU=xx/CN=xx/name=xx/emailAddress=xx
             serial:xx:xx:xx:xx:xx:xx:xx:xx:xx
             'nid' => 90
             'oid' => 'X509v3 Authority Key Identifier'
             'sn' => 'authorityKeyIdentifier'
          2  HASH(0x398bd84)
             'critical' => 1
             'data' => 'CA:TRUE'
             'nid' => 87
             'oid' => 'X509v3 Basic Constraints'
             'sn' => 'basicConstraints'
          3  HASH(0x3992b8c)
Thanks,
They all work fine!
from p5-io-socket-ssl.
I've updated the documentation to make it more clear which kind of objects are expected and how to get them.
from p5-io-socket-ssl.