Reputation: 35
I'm trying to log in to my eBay account securely using Perl's WWW::Mechanize.
my $m = new WWW::Mechanize(
    agent => 'Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16',
    ssl_opts => {
        SSL_version     => 'SSLv3',
        SSL_ca_path     => '/etc/ssl/certs',
        verify_hostname => 1,
    },
);
$m->get("https://m.ebay.de/signin");
$m->form_with_fields('userName', 'pass');
$m->field('userName', $user);
$m->field('pass', $pass);
$m->submit_form();
I added a handler beforehand to see the actual HTTP response I get from the server.
$m->add_handler("response_done", sub { shift->dump; return });
This is what comes back after submitting the form:
HTTP/1.1 302 Found
Date: Wed, 05 Feb 2014 13:11:33 GMT
Location: https://m.ebay.de/signin
Server: eBay Server
Content-Length: 0
Client-Date: Wed, 05 Feb 2014 13:11:34 GMT
Client-Peer: 66.135.213.196:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=California/L=San Jose/O=eBay Inc./OU=Site Operations/CN=m.ebay.com
Client-SSL-Cipher: RC4-MD5
Client-SSL-Warning: Peer certificate not verified
RlogId: t6nrce9%3Fvo%7B%3Dd70f%2B2250-144022ccc1b-0x91
Set-Cookie: dp1=bu1p/QEBfX0BAX19AQA**54d36c06^;Domain=.ebay.de;Expires=Fri, 05-Feb-2016 13:11:34 GMT;Path=/
Set-Cookie: s=CgAD4ACBS84oGMDIyY2M4NzQxNDQwYTYyMGY1ZjdhMzM1ZmZmZmEwZWS3nFsy;Domain=.ebay.de;Path=/; HttpOnly
Set-Cookie: nonsession=CgADLAAFS8j+OMgDKACBcWDoGMDIyY2M4NzQxNDQwYTYyMGY1ZjdhMzM1ZmZmZmEwZWTqBmVA; Domain=.ebay.de;Expires=Thu, 05-Feb-2015 13:11:34 GMT;Path=/
X-EBAY-C-REQUEST-ID: 022ccc0b1440a2a8e48d914affffffff
So why do I get this warning? Client-SSL-Warning: Peer certificate not verified
The HTTP 302 I get from the server redirects me back to the signin page, and the server didn't log me in to eBay.
I opened up Wireshark to see what was going on at the SSL level. The SSL handshake goes well, but after some Application Data has been sent by the server, the server sends me an Encrypted Alert 21 - "Decryption failed".
Why do I get this encrypted alert, what does it mean and what does the server not like? Thank you very much.
Upvotes: 1
Views: 3344
Reputation: 123649
It looks like you combined a recent version of libwww-perl (LWP::UserAgent) with an LWP::Protocol::https from an older installation of libwww-perl. Current versions of LWP::Protocol::https add a Client-SSL-Socket-Class header, which is not in your output. These older versions preferred Crypt::SSLeay/Net::SSL; newer versions use IO::Socket::SSL as the SSL backend. But Crypt::SSLeay does not use the SSL_ca_path setting; it is instead controlled by environment variables. And it has no proper hostname verification etc.
To clean up the mess you might try to install a newer version of LWP::Protocol::https. In the old days this was bundled with libwww-perl, but now it is a separate module, which explains how you got into this mess (e.g. only upgrading libwww-perl worked). I would also suggest upgrading to a newer version of IO::Socket::SSL, because the one you use is also fairly old (nearly 4 years) and lots of features and fixes were added in the meantime.
To check that your installation is correct:
"perl -MLWP::Protocol::https -e 'print $LWP::Protocol::https::VERSION'"
should give you a version of 6.04.
Upvotes: 2
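An added example, not part of the answer above or the poster's code: a small Perl diagnostic for the module mismatch that answer describes. It prints the installed versions of the modules involved and, when given an HTTPS URL as an argument, reports the Client-SSL-Socket-Class and Client-SSL-Warning response headers. The script name and the URL argument are assumptions.

```perl
#!/usr/bin/perl
# Added example: show which SSL backend LWP uses and whether the peer
# certificate was verified. Usage: perl check_lwp_ssl.pl [https-url]
use strict;
use warnings;
use LWP::UserAgent;

# Return the installed version of a module, or undef if it cannot be loaded.
sub module_version {
    my ($mod) = @_;
    (my $file = "$mod.pm") =~ s{::}{/}g;
    return eval { require $file; $mod->VERSION };
}

# A new LWP::UserAgent next to an old or missing LWP::Protocol::https
# is the mismatch to look for in this list.
for my $mod (qw(LWP::UserAgent LWP::Protocol::https IO::Socket::SSL Net::SSL)) {
    my $ver = module_version($mod);
    printf "%-22s %s\n", $mod, defined $ver ? $ver : 'not available';
}

# Optional live check against a URL supplied by the caller.
if (my $url = shift @ARGV) {
    my $ua  = LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });
    my $res = $ua->get($url);
    print "Status:  ", $res->status_line, "\n";

    my $class = $res->header('Client-SSL-Socket-Class');
    my $warn  = $res->header('Client-SSL-Warning');

    print "Backend: ", (defined $class ? $class : 'no Client-SSL-Socket-Class header'), "\n";
    print "Warning: $warn\n" if defined $warn;

    # A missing backend header or a Client-SSL-Warning means the response
    # did not come through a current LWP::Protocol::https with IO::Socket::SSL.
    if (!defined $class || defined $warn) {
        print "Result:  certificate checks cannot be relied on; ",
              "upgrade LWP::Protocol::https and IO::Socket::SSL\n";
        exit 1;
    }
    print "Result:  backend reported, no verification warning\n";
}
```

The exit status is non-zero when the live check finds the warning header or no backend header, so the script can gate a deployment or cron job.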
Reputation: 200
I ran your code and got:
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache
Date: Wed, 05 Feb 2014 17:09:16 GMT
Pragma: no-cache
Server: eBay Server
Content-Encoding: gzip
Content-Language: en-US
Content-Type: text/html;charset=utf-8
Client-Date: Wed, 05 Feb 2014 17:09:16 GMT
Client-Peer: 66.135.213.196:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=California/L=San Jose/O=eBay Inc./OU=Site Operations/CN=m.ebay.com
Client-SSL-Cipher: RC4-MD5
Client-SSL-Socket-Class: IO::Socket::SSL
Client-Transfer-Encoding: chunked
Maybe try installing IO::Socket::SSL?
Upvotes: 0