Asking Crypt::SSLeay to Verify Server's Certificate

This section provides a tutorial example on how to ask Crypt::SSLeay to verify an HTTPS server's certificate using the HTTPS_CA_FILE environment variable.

From the previous section, we learned that Crypt::SSLeay does not perform any verification of the server's certificate by default. The question is then: how do we ask Crypt::SSLeay to verify the server's certificate?

Reading the Crypt::SSLeay documentation again, I see these environment variable settings:

  # CA cert peer verification
  $ENV{HTTPS_CA_FILE}   = 'certs/ca-bundle.crt';
  $ENV{HTTPS_CA_DIR}    = 'certs/';

To play with these settings, I need to:

1. Get a copy of the root CA certificate for the login.yahoo.com certificate chain. This can be done by using Firefox 3 to visit https://login.yahoo.com. Read the Firefox 3 chapter of this book for more details.

2. Modify the Crypt::SSLeay test Perl script to set HTTPS_CA_FILE:

#- Crypt_SSLeay_HTTPS_GET_with_CA.pl
#- Copyright (c) 2011, HerongYang.com, All Rights Reserved.
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Print the SSL handshake steps to STDERR
$ENV{HTTPS_DEBUG} = 1;
# Tell Crypt::SSLeay which CA certificate(s) to verify the server
# certificate against (path is relative to the current directory)
$ENV{HTTPS_CA_FILE} = "CA_Bundle.crt";

my ($url) = @ARGV;
my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', $url);
my $response = $client->request($request);
$response->is_success or
    die "Failed to GET '$url': ", $response->status_line;

print "Request:\n";
print $request->as_string;
print "Response:\n";
print $response->as_string;

3. Run the modified test script:

C:\herong>Crypt_SSLeay_HTTPS_GET_with_CA.pl https://login.yahoo.com 

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

Request:
GET https://login.yahoo.com
User-Agent: libwww-perl/5.836

Response:
HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: 0
Client-Peer: 69.147.112.160:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com
   /CN=DigiCert High Assurance CA-3
Client-SSL-Cert-Subject: /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc.
   /CN=login.yahoo.com
Client-SSL-Cipher: AES256-SHA
Client-Transfer-Encoding: chunked
Link: <https://s.yimg.com/lq/i/reg/css/yregbase_sec_ui_1_9.css>; ...
"; type="text/css"
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP ...
Title: Sign in to Yahoo!
X-Frame-Options: DENY


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3....
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>
...

Cool, the "Client-SSL-Warning: Peer certificate not verified" header is gone now, because Crypt::SSLeay has verified the server's certificate against the CA certificate in CA_Bundle.crt!
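Reading the debug output for the missing warning header works for a manual test, but a script should refuse a response whose TLS session was not verified. The script below is an added example, not the book's own script or part of Crypt::SSLeay: it sets HTTPS_CA_FILE from a command-line argument, fails closed if the Client-SSL-Warning header is present, and also checks that the CN in Client-SSL-Cert-Subject matches the host that was requested. The header names are the ones Crypt::SSLeay produced in the output above; the CA bundle path and the sample responses used for the offline demonstration are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not the original tutorial's script): fail closed on the
# Client-SSL-* headers that Crypt::SSLeay adds, instead of only eyeballing
# the debug output for the "Peer certificate not verified" warning.
# Assumed: the CA bundle path is passed in by the caller; the header names
# are the ones Crypt::SSLeay sets, as seen in the tutorial's output.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;
use URI;

# Inspect a response and return a list of problems (empty list = OK).
# Only the Client-SSL-* headers are consulted, so constructed responses
# can be checked offline as well as live ones.
sub tls_problems {
    my ($response, $expected_host) = @_;
    my @problems;

    # Crypt::SSLeay adds this header whenever it skipped verification.
    if (my $warning = $response->header('Client-SSL-Warning')) {
        push @problems, "Crypt::SSLeay warning: $warning";
    }

    # Belt-and-braces: the certificate we were shown must be for the host
    # we asked for, not merely one signed by a CA in the bundle.
    my $subject = $response->header('Client-SSL-Cert-Subject');
    if (!defined $subject) {
        push @problems, 'no Client-SSL-Cert-Subject header (no TLS session?)';
    } else {
        my ($cn) = $subject =~ m{/CN=([^/]+)};
        if (!defined $cn) {
            push @problems, "certificate subject has no CN: $subject";
        } elsif (lc $cn ne lc $expected_host) {
            push @problems, "certificate CN '$cn' does not match host '$expected_host'";
        }
    }
    return @problems;
}

# GET $url with peer verification against $ca_file, dying on any problem.
sub fetch_verified {
    my ($url, $ca_file) = @_;
    -r $ca_file or die "CA bundle '$ca_file' is not readable\n";
    # Crypt::SSLeay reads these from the environment when it connects.
    $ENV{HTTPS_CA_FILE} = $ca_file;
    delete $ENV{HTTPS_DEBUG};

    my $ua       = LWP::UserAgent->new;
    my $response = $ua->request(HTTP::Request->new(GET => $url));
    $response->is_success
        or die "Failed to GET '$url': ", $response->status_line, "\n";

    my @problems = tls_problems($response, URI->new($url)->host);
    die "Refusing response from $url:\n  " . join("\n  ", @problems) . "\n"
        if @problems;
    return $response;
}

# Offline demonstration on constructed responses that mimic the headers
# in the tutorial's output (these are not real captured responses).
sub demo {
    my %cases = (
        verified => HTTP::Response->new(200, 'OK', [
            'Client-SSL-Cert-Subject' => '/C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc./CN=login.yahoo.com',
            'Client-SSL-Cipher'       => 'AES256-SHA',
        ]),
        unverified => HTTP::Response->new(200, 'OK', [
            'Client-SSL-Cert-Subject' => '/CN=login.yahoo.com',
            'Client-SSL-Warning'      => 'Peer certificate not verified',
        ]),
        wrong_host => HTTP::Response->new(200, 'OK', [
            'Client-SSL-Cert-Subject' => '/CN=www.example.com',
        ]),
    );
    for my $name (sort keys %cases) {
        my @problems = tls_problems($cases{$name}, 'login.yahoo.com');
        printf "%-10s %s\n", $name, @problems ? join('; ', @problems) : 'OK';
    }
}

if (@ARGV == 2) {
    my ($url, $ca_file) = @ARGV;
    print fetch_verified($url, $ca_file)->headers_as_string;
} else {
    demo();
}
```

Run it with no arguments to see the three constructed cases classified, or with a URL and a CA bundle path to make a live verified request. The CN comparison is a plain case-insensitive string match, so a wildcard certificate (CN=*.example.com) or a certificate that names the host only in its subjectAltName would need extra handling; the Client-SSL-* headers are also specific to Crypt::SSLeay and are not produced by other LWP HTTPS backends.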

Last update: 2011.
