Tuesday, December 4, 2012

Caveat of SSL validation using OpenSSL + Perl


Goal: validate an SSL website's certificate against trusted Certificate Authorities and check its expiration date
OS: Ubuntu 10.04+
Essential Packages:

Install the essential packages with apt-get and cpan.  The module documentation is pretty good, so coding is fairly easy, provided that all required packages are compiled and installed properly.  Here's a sample snippet of the code, followed by the caveat I experienced in this process.

Caveat:  I ran into issues initially when installing Net::SSLeay because the box was missing libssl-dev, the headers it needs to compile its source against.  It is critical to compile Net::SSLeay against the native version of OpenSSL installed on the system, which here is "OpenSSL 0.9.8k 25 Mar 2009".

I mistakenly downloaded the latest version of OpenSSL (1.0.1c 10 May 2012) and ran make install on the system to get Net::SSLeay to install.   Wrong move!  Net::SSLeay appeared to install fine, but it was using the manually built OpenSSL, which fails to authenticate peer certificates with the "-CApath" flag turned on.  I ran it on the command line like so: 
openssl s_client -connect test.website.com:443 -CApath /etc/ssl/certs
The same command executed with the manually built openssl yields errors saying "SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" for any known trusted website.  That error is supposed to indicate an authentication failure.

As a result, IO::Socket::SSL wouldn't work correctly when initialized with "SSL_ca_path", since it was using the wrongly compiled Net::SSLeay.  I removed the hand-built openssl, installed libssl-dev, and reinstalled Net::SSLeay; then IO::Socket::SSL started working correctly.

Another observation is that the two versions of openssl have different "OPENSSLDIR" settings in the environment.  I tried to set up the CA directory the same way with symlinks, but it didn't resolve the issue. 
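The check described at the top of the post (chain validation against the system CAs plus an expiry check), as an added example written for this page rather than the post's own snippet. It assumes the placeholder host test.website.com from the command above, the Debian/Ubuntu CA directory /etc/ssl/certs, a 30-day "expires soon" threshold, and the Net::SSLeay functions SSLeay_version, X509_get_notAfter and P_ASN1_UTCTIME_put2string as shipped in Net::SSLeay of that period. Before connecting it prints the OpenSSL version and OPENSSLDIR that Net::SSLeay is actually linked against, which is the fastest way to catch the mismatch described in the caveat:

```perl
#!/usr/bin/perl
# Added example (not the original post's snippet): verify a TLS server's
# certificate chain against the system CA directory, check the leaf's
# expiry, and report which OpenSSL build Net::SSLeay is linked against.
use strict;
use warnings;
use IO::Socket::SSL;            # exports SSL_VERIFY_PEER
use Net::SSLeay;
use Time::Local qw(timegm);

# Assumed values: placeholder host from the post, Debian/Ubuntu CA store
# (ca-certificates package), and an arbitrary warning threshold.
my $host      = $ARGV[0] || 'test.website.com';
my $port      = 443;
my $ca_path   = '/etc/ssl/certs';
my $warn_days = 30;

# Which OpenSSL was Net::SSLeay compiled against, and where does that build
# look for its config and CA store? If these differ from `openssl version`
# and `openssl version -d` on the box, the module is bound to a different
# build than the command-line tool you tested with.
print "Net::SSLeay linked against: ", Net::SSLeay::SSLeay_version(0), "\n";
print Net::SSLeay::SSLeay_version(4), "\n";   # e.g. OPENSSLDIR: "/usr/lib/ssl"

# Connect with peer verification on. Failure here means no chain could be
# built from $ca_path, the same condition as `openssl s_client -CApath`
# reporting "certificate verify failed".
my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => $port,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_path         => $ca_path,
    SSL_verifycn_scheme => 'http',   # also match the name in the cert
    SSL_verifycn_name   => $host,
) or die "TLS connect/verify to $host:$port failed: "
       . IO::Socket::SSL::errstr() . "\n";

# Leaf certificate and its notAfter field; put2string gives OpenSSL's text
# form, e.g. "Mar 25 12:00:00 2014 GMT".
my $x509 = $sock->peer_certificate
    or die "$host presented no certificate\n";
my $subject = Net::SSLeay::X509_NAME_oneline(
    Net::SSLeay::X509_get_subject_name($x509));
my $not_after = Net::SSLeay::P_ASN1_UTCTIME_put2string(
    Net::SSLeay::X509_get_notAfter($x509));
$sock->close;

# Convert the ASN1 time text to a UTC epoch so it can be compared with now.
sub asn1_time_to_epoch {
    my ($s) = @_;
    my %mon = (Jan => 0, Feb => 1, Mar => 2, Apr => 3, May => 4,  Jun => 5,
               Jul => 6, Aug => 7, Sep => 8, Oct => 9, Nov => 10, Dec => 11);
    my ($m, $d, $H, $M, $S, $y) =
        $s =~ /^(\w{3})\s+(\d+)\s+(\d\d):(\d\d):(\d\d)\s+(\d{4})\s+GMT$/
        or die "unparseable notAfter '$s'\n";
    return timegm($S, $M, $H, $d, $mon{$m}, $y);
}

my $expires   = asn1_time_to_epoch($not_after);
my $days_left = int(($expires - time) / 86400);

print "subject : $subject\n";
print "notAfter: $not_after ($days_left days left)\n";

# Exit status as a monitoring check would use it: 0 ok, 1 expiring, 2 expired.
if ($days_left < 0) {
    print "EXPIRED\n";
    exit 2;
} elsif ($days_left < $warn_days) {
    print "WARNING: expires within $warn_days days\n";
    exit 1;
}
print "OK: chain verified against $ca_path and certificate is current\n";
exit 0;
```

Run it as `perl sslcheck.pl www.example.org`. Compare its first two output lines with `openssl version` and `openssl version -d`: if they differ, Net::SSLeay was built against a different OpenSSL than the command-line tool, and a passing `openssl s_client -CApath` test from the shell says nothing about what the Perl code will do. Note that SSL_ca_path relies on the directory holding hash-named links to the CA certificates (what c_rehash produces); a directory of plain PEM files with no hash links will fail verification just as an OPENSSLDIR mismatch does.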

Other resources:


