Reputation: 57
When I start an IO::Socket::SSL TLS connection, my example works with Google and Facebook, but it does not work with the SIP TLS server.
That is a SIP TLS server.
I am having trouble skipping the certificate.
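    #!/usr/bin/perl
    use strict;
    use warnings;
    use IO::Socket::SSL;

    start_connection("2.50.44.55:5061");

    sub start_connection {
        my @parms = @_;
        my $host = $parms[0];
        # Open the TCP connection first and delay the TLS handshake
        my $sock = IO::Socket::SSL->new(
            PeerAddr => $host,
            SSL_startHandshake => 0,
        ) or die $!;
        # Run the TLS handshake; certificate verification happens here
        $sock->connect_SSL() or die $SSL_ERROR;
        print "Good Connection\n";
    }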
When I start the connection I get this error:
SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at dd.pl line 14
Upvotes: 2
Views: 5129
Reputation: 123531
You are using a self-signed certificate here. IO::Socket::SSL by default checks that the certificate can be trusted and a self-signed certificate cannot be trusted unless explicitly known by the client. While you could simply disable certificate validation this would basically disable any meaningful security since some man in the middle attacker could impersonate the real server without the client noticing it.
The best way would probably be to get a certificate signed by a publicly trusted CA, like Let's Encrypt. If you insist on using a self-signed certificate, though, you might specifically trust this certificate by using the SSL_fingerprint option.
To get the necessary certificate fingerprint:

    $ echo | openssl s_client -connect 2.50.44.55:5061 |\
        openssl x509 -noout -fingerprint
    ...
    SHA1 Fingerprint=CE:68:62:68:30:EA:F4:64:82:F5:5C:B7:FB:F4:DA:1B:77:88:9F:DD

Then to use this fingerprint with IO::Socket::SSL:

    my $sock = IO::Socket::SSL->new(
        PeerAddr => '2.50.44.55:5061',
        SSL_fingerprint => 'sha1$CE68626830EAF46482F55CB7FBF4DA1B77889FDD'
    ) or die $SSL_ERROR;
Upvotes: 4
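The answer above goes from openssl's `SHA1 Fingerprint=CE:68:...` line to the `sha1$CE68...` string that SSL_fingerprint takes without showing the conversion. The helper below is an added example, not part of the original answer; the function name `to_ssl_fingerprint` is hypothetical. It performs that conversion and refuses truncated or non-hex digests, so a damaged copy does not end up as the pin.

```shell
#!/bin/sh
# Added example: convert `openssl x509 -noout -fingerprint` output into the
# 'algo$HEX' form used for IO::Socket::SSL's SSL_fingerprint option.
# The function name is hypothetical (not from the page or from any library).
#
# Usage with the command from the answer:
#   echo | openssl s_client -connect HOST:PORT 2>/dev/null |
#       openssl x509 -noout -fingerprint | to_ssl_fingerprint
#
# Reads openssl output on stdin and prints the pin on stdout.
# Returns 1 if no fingerprint line is present, 2 if the digest is malformed.
to_ssl_fingerprint() {
    # Pick the first "<ALGO> Fingerprint=<hex:hex:...>" line, ignore the rest.
    line=$(sed -n 's/^\([A-Za-z0-9]\{1,\}\) Fingerprint=\(.*\)$/\1 \2/p' | head -n 1)
    [ -n "$line" ] || return 1

    # Normalize the label case, drop colons and any carriage return.
    algo=$(printf '%s' "${line%% *}" | tr 'A-Z' 'a-z')
    hex=$(printf '%s' "${line#* }" | tr -d ':\r' | tr 'a-f' 'A-F')

    # Expected digest length in hex characters for each supported algorithm.
    case $algo in
        sha1)   want=40 ;;
        sha256) want=64 ;;
        sha384) want=96 ;;
        sha512) want=128 ;;
        *)      return 2 ;;
    esac

    # A truncated or non-hex digest must never be accepted as a pin.
    case $hex in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#hex}" -eq "$want" ] || return 2

    printf '%s$%s\n' "$algo" "$hex"
}
```

The pin is tied to one exact certificate, so it has to be regenerated whenever the server's certificate is replaced.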