PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Asking Crypt::SSLeay to Verify Server's Certificate
This section provides a tutorial example on how to ask Crypt::SSLeay to verify an HTTPS server's certificate using the HTTPS_CA_FILE environment variable.
From the previous section, we learned that Crypt::SSLeay does not perform any verification of the server's certificate by default. The question is then: how do we ask Crypt::SSLeay to verify the server's certificate?
Reading the Crypt::SSLeay documentation again, I see these environment variable settings:
# CA cert peer verification
$ENV{HTTPS_CA_FILE} = 'certs/ca-bundle.crt';
$ENV{HTTPS_CA_DIR} = 'certs/';
To play with these settings, I need to:
1. Get a copy of the root CA certificate at the top of the login.yahoo.com certificate chain and save it in PEM format as CA_Bundle.crt (the file name used by the script below). This can be done by visiting https://login.yahoo.com with Firefox 3 and exporting the root certificate. Read the Firefox 3 chapter of this book for more details.
2. Modify the Crypt::SSLeay test Perl script:
#- Crypt_SSLeay_HTTPS_GET_with_CA.pl
#- Copyright (c) 2010-2018 HerongYang.com. All Rights Reserved.
#
use LWP::UserAgent;

$ENV{HTTPS_DEBUG} = 1;                  # print the SSL handshake steps
$ENV{HTTPS_CA_FILE} = "CA_Bundle.crt";  # PEM file holding the trusted root CA

my ($url) = @ARGV;
my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', $url);
my $response = $client->request($request);
$response->is_success or die "Failed to GET '$url': ", $response->status_line;

print "Request:\n";
print $request->as_string;
print "Response:\n";
print $response->as_string;
3. Run the modified test script:
herong> perl Crypt_SSLeay_HTTPS_GET_with_CA.pl https://login.yahoo.com
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
Request:
GET https://login.yahoo.com
User-Agent: libwww-perl/5.836

Response:
HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: 0
Client-Peer: 69.147.112.160:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
Client-SSL-Cert-Subject: /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com
Client-SSL-Cipher: AES256-SHA
Client-Transfer-Encoding: chunked
Link: <https://s.yimg.com/lq/i/reg/css/yregbase_sec_ui_1_9.css>; ... "; type="text/css"
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP ...
Title: Sign in to Yahoo!
X-Frame-Options: DENY

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3....
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>
...
Cool, the "Client-SSL-Warning: Peer certificate not verified" header from the previous section is gone now! With HTTPS_CA_FILE set, Crypt::SSLeay checked that the server's certificate chains up to a root in CA_Bundle.crt, so LWP no longer flags the peer as unverified.
Two caveats are worth keeping in mind. First, the trust decision is now only as good as the contents of CA_Bundle.crt: every certificate in that file is accepted as a trust anchor, so it should contain only the root(s) you actually mean to trust. Second, this setting validates the certificate chain; whether the certificate's subject name (here CN=login.yahoo.com) matches the host you asked for is a separate check, covered in the "LWP SSL verify_hostname Setting" section.
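As an added example (not the tutorial's own script), the following variant turns the eyeball check above into a programmatic one: it confirms that the CA bundle exists and contains at least one PEM certificate before making the request, sets HTTPS_CA_FILE, and then treats a Client-SSL-Warning header in the response as a fatal error instead of leaving it for the reader to notice in the output. The script name and the default file name CA_Bundle.crt are assumptions; the Client-SSL-* header names are the ones LWP shows in the output above.

```perl
#- Crypt_SSLeay_HTTPS_GET_checked.pl (added example, not from the tutorial)
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Assumed file name: the PEM bundle exported from the browser in step 1.
my $ca_file = $ENV{HTTPS_CA_FILE} || "CA_Bundle.crt";
my ($url) = @ARGV or die "Usage: $0 https://host/path\n";

# Check the bundle up front so a missing or empty file is reported
# clearly instead of surfacing as a less specific handshake problem.
-r $ca_file or die "CA bundle '$ca_file' is not readable\n";
open(my $fh, '<', $ca_file) or die "Cannot open '$ca_file': $!\n";
my $cert_count = grep { /^-----BEGIN CERTIFICATE-----/ } <$fh>;
close $fh;
$cert_count > 0 or die "'$ca_file' contains no PEM certificates\n";
print "Trusting $cert_count CA certificate(s) from $ca_file\n";

# Tell Crypt::SSLeay which roots to verify the server chain against.
$ENV{HTTPS_CA_FILE} = $ca_file;
$ENV{HTTPS_DEBUG} = 0;   # set to 1 to see the handshake steps

my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', $url);
my $response = $client->request($request);

# LWP reports an unverified peer through a response header rather than
# by failing the request, so refuse to go on if that header is present.
if (my $warning = $response->header('Client-SSL-Warning')) {
    die "TLS peer NOT verified for '$url': $warning\n";
}
$response->is_success
    or die "Failed to GET '$url': ", $response->status_line, "\n";

printf "Verified peer\n  subject: %s\n  issuer:  %s\n  cipher:  %s\n",
    $response->header('Client-SSL-Cert-Subject') // '(not reported)',
    $response->header('Client-SSL-Cert-Issuer')  // '(not reported)',
    $response->header('Client-SSL-Cipher')       // '(not reported)';
```

Run it exactly like the tutorial script (perl Crypt_SSLeay_HTTPS_GET_checked.pl https://login.yahoo.com). The point of dying on Client-SSL-Warning is that a script which only checks is_success would happily process a response from an unverified peer, which is precisely the situation the previous section showed.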
Table of Contents
Introduction of PKI (Public Key Infrastructure)
Introduction of HTTPS (Hypertext Transfer Protocol Secure)
Using HTTPS with Google Chrome
Using HTTPS with Mozilla Firefox
HTTPS with IE (Internet Explorer)
Android and Server Certificate
Windows Certificate Stores and Console
RDP (Remote Desktop Protocol) and Server Certificate
macOS Certificate Stores and Keychain Access
►Perl Scripts Communicating with HTTPS Servers
Installing Crypt::SSLeay 0.72 on Windows
LWP SSL verify_hostname Setting
LWP SSL List of Root CA Certificates
Crypt::SSLeay Test Perl Script
HTTPS Request and Response Example
►Asking Crypt::SSLeay to Verify Server's Certificate
Crypt::SSLeay Failing to Verify Server's Certificate
Multiple CA Certificates in a Single File
PHP Scripts Communicating with HTTPS Servers
Java Programs Communicating with HTTPS Servers
.NET Programs Communicating with HTTPS Servers
CAcert.org - Root CA Offering Free Certificates
PKI CA Administration - Issuing Certificates
Comodo Free Personal Certificate
Digital Signature - Microsoft Word
Digital Signature - OpenOffice.org 3