Souvik

Reputation: 1269

Certificate error in Perl

I am connecting to a CAS server. But my CAS server certificate has expired, and because of this I am getting the error below:

error SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed unable to connect https://<domain Name>:443/

To avoid this error, a few suggestions are to set verify_hostname & verify_ssl to "0". But it's not solving the issue. Can anyone help?

Perl version: 5.22
LWP:6.0.16

Upvotes: 0

Views: 4143

Answers (1)

Steffen Ullrich

Reputation: 123260

To avoid this error, a few suggestions are to set verify_hostname & verify_ssl to "0"

If you followed these suggestions, you should ask yourself why you use https at all, because ignoring certificate errors means that man-in-the-middle attacks are possible, and thus the protection TLS should offer simply vanishes.

To connect to a server where the certificate cannot be properly validated by normal means you have to use a different kind of verification instead of no verification at all. Support for https in current versions of LWP is realized using IO::Socket::SSL. This module offers a simple mechanism to deal with such problems by comparing the fingerprint of the certificate against the expected fingerprint.

First you need to get the current fingerprint of the certificate. This can be done with some openssl commands, or, if you are sure that there is currently no man-in-the-middle attack, you could simply access the server:

use strict;
use warnings;
use IO::Socket::SSL 1.980;   # get_fingerprint and SSL_fingerprint need >= 1.980

my $dst = 'bad-cert.example.com';
my $cl = IO::Socket::SSL->new(
    PeerAddr => $dst,
    PeerPort => 443,
    # certificate cannot be validated the normal way, so we need to
    # disable validation this one time in the hope that there is
    # currently no man in the middle attack
    SSL_verify_mode => 0,
) or die "connect failed: $!,$SSL_ERROR";
# fingerprint of the leaf certificate, prefixed with the hash algorithm
my $fp = $cl->get_fingerprint;
print "fingerprint: $fp\n";

This will give you a fingerprint with hash algorithm, i.e. something like sha256$55a5dfaaf.... This fingerprint then can be used to validate the certificate in future calls:

use strict;
use warnings;
use IO::Socket::SSL 1.980;
use LWP::UserAgent;

my $dst = ....;   # from above example
my $fp = ....;    # from above example
# ssl_opts are passed through to IO::Socket::SSL; a matching fingerprint
# makes the certificate trusted even though the chain cannot be validated
my $ua = LWP::UserAgent->new(ssl_opts => { SSL_fingerprint => $fp });
my $resp = $ua->get("https://$dst");
die "request failed: " . $resp->status_line unless $resp->is_success;
print $resp->content;

Apart from that, please note that there is a reason certificates expire. After the expiration time no more revocations will be tracked. This means you have to really know that this certificate is definitely not revoked, because no CA will tell you.

Upvotes: 4
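The following is an added, self-contained demonstration of the pinning approach from the answer above; it is not code from the question, the answer, or the IO::Socket::SSL project. It generates an already-expired self-signed certificate in memory with IO::Socket::SSL::Utils, serves a minimal HTTPS response with it on a random loopback port, and then makes three LWP requests: with default validation (fails, the same "certificate verify failed" situation as in the question), with the correct SSL_fingerprint (succeeds despite the expired certificate) and with a wrong SSL_fingerprint (fails, which is what a man-in-the-middle would look like). The pin is computed from the certificate object itself rather than from a first unverified connection. The host name bad-cert.example.com in the question is replaced by 127.0.0.1 here because the test server is local; the function name pin_for_cert is my own. It assumes LWP::Protocol::https and a Net::SSLeay with SHA-256 support are installed.

```perl
#!/usr/bin/env perl
# Added example: fingerprint pinning against an expired certificate,
# demonstrated offline with a local HTTPS server (not the original post's code).
use strict;
use warnings;
use IO::Socket::SSL 1.980;
use IO::Socket::SSL::Utils qw(CERT_create);
use Net::SSLeay;
use LWP::UserAgent;

# Expired, self-signed certificate generated in memory for this demo only.
# The CN is the loopback IP because the client connects by IP.
my ($cert, $key) = CERT_create(
    subject    => { CN => '127.0.0.1' },
    purpose    => 'server',
    not_before => time() - 2 * 86400,
    not_after  => time() - 86400,          # expired one day ago
);

# Build the pin in the same "algo$hex" form that get_fingerprint returns,
# from the certificate object (obtained out of band) instead of from an
# unverified first connection. Hypothetical helper, not part of any module.
sub pin_for_cert {
    my ($x509, $algo) = @_;
    $algo ||= 'sha256';
    my $hex = Net::SSLeay::X509_get_fingerprint($x509, $algo);   # "AB:CD:..."
    $hex =~ s/://g;
    return $algo . '$' . lc $hex;
}
my $pin = pin_for_cert($cert);

# Minimal HTTPS server: listens on a random loopback port, answers 3 requests.
my $srv = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 0,
    Listen    => 5,
    SSL_cert  => $cert,    # X509 object, no file needed
    SSL_key   => $key,     # EVP_PKEY object
) or die "listen failed: $!,$SSL_ERROR";
my $port = $srv->sockport;

my $pid = fork() // die "fork failed: $!";
if ($pid == 0) {
    for (1 .. 3) {
        # accept returns undef when the client aborts the TLS handshake
        # (that is what a failed verification looks like from the server)
        my $c = $srv->accept or next;
        while (defined(my $line = <$c>)) { last if $line =~ /^\r?\n$/ }
        print $c "HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok";
        close $c;
    }
    exit 0;
}
close $srv;

# One request with the given ssl_opts; returns a one-line result for printing.
sub fetch_with {
    my (%ssl_opts) = @_;
    my $ua = LWP::UserAgent->new(ssl_opts => \%ssl_opts, timeout => 5);
    my $resp = $ua->get("https://127.0.0.1:$port/");
    return $resp->is_success
        ? 'ok: ' . $resp->content
        : 'failed: ' . $resp->status_line;
}

print "1 default validation: ", fetch_with(), "\n";
print "2 correct pin:        ", fetch_with(SSL_fingerprint => $pin), "\n";
print "3 wrong pin:          ",
      fetch_with(SSL_fingerprint => 'sha256$' . ('00' x 32)), "\n";

waitpid($pid, 0);
```

Run it as a plain script; attempt 1 reports a verification error, attempt 2 prints "ok: ok", and attempt 3 fails again because the presented certificate does not match the pin. The pin is bound to exactly one certificate, so whoever maintains the pinned client must replace it whenever the server's certificate is reissued, which is why the answer stresses getting the fingerprint through a trustworthy channel and knowing that the certificate has not been revoked.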
