PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
LWP SSL verify_hostname Setting
This section provides a tutorial example on using the SSL verify_hostname setting and related settings: SSL_ca_path and SSL_ca_file.
After reading the LWP library documentation again at https://metacpan.org/pod/LWP, I see that it supports 3 SSL-related options:
PERL_LWP_SSL_VERIFY_HOSTNAME - A Boolean flag to turn on or turn off the server certificate verification. The default is TRUE. PERL_LWP_SSL_VERIFY_HOSTNAME can be specified in a couple of ways.
PERL_LWP_SSL_CA_PATH - The path to a directory of files containing Certificate Authority certificates. The default is to use Perl's default folder of root CA certificates. PERL_LWP_SSL_CA_PATH can be specified in a couple of ways.
PERL_LWP_SSL_CA_FILE - The path to a file containing Certificate Authority certificates. PERL_LWP_SSL_CA_FILE can be specified in a couple of ways.
Here is my Perl script that proves the LWP library is verifying the server certificate:

#- LWP_HTTPS_Verify_Hostname.pl
#- Copyright (c) 2010-2018 HerongYang.com. All Rights Reserved.
#
   use LWP;
   use LWP::UserAgent;

   # Target URL from the command line; defaults to the Yahoo login server
   my $url = $ARGV[0] || 'https://login.yahoo.com';

   my $client = LWP::UserAgent->new;
   my $request = HTTP::Request->new('GET', $url);

   # Print the SSL options LWP starts with
   my @keys = $client->ssl_opts;
   foreach my $k (@keys) {
      my $v = $client->ssl_opts($k);
      print "$k = ($v)\n";
   }

   # Point LWP at a directory that holds no root CA certificates
#   $client->ssl_opts("verify_hostname" => 1);
#   $client->ssl_opts("SSL_ca_file" => "junk.crt");
   $client->ssl_opts("SSL_ca_path" => ".");

   # Print the SSL options again after the change
   @keys = $client->ssl_opts;
   foreach my $k (@keys) {
      my $v = $client->ssl_opts($k);
      print "$k = ($v)\n";
   }

   # Send the request; verification happens during the TLS handshake
   my $response = $client->request($request);
   $response->is_success or
      die "Failed to GET '$url': ", $response->status_line;

   print "Request:\n";
   print $request->as_string;
   print "Response:\n";
   print $response->as_string;

Now let's run this script to connect to the Yahoo login HTTPS server again.
herong> perl LWP_HTTPS_Verify_Hostname.pl https://login.yahoo.com

verify_hostname = (1)
SSL_ca_path = (.)
verify_hostname = (1)
Failed to GET '': 500 Can't connect to login.yahoo.com:443 (certificate verify failed) at C:\herong\LWP_HTTPS_Verify_Host.pl line 28.
The "certificate verify failed" error confirms that server certificate verification was performed and failed. This is expected because SSL_ca_path is set to the current directory, which contains no root CA certificates.
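The failure above comes from a trust setting that names a directory with no usable CA certificates. The following Perl script is an added example, not part of the original tutorial: it sets the options through environment variables, the constructor and ssl_opts(), then checks each agent offline, before any request is sent. The helper names audit_ssl_opts and report are hypothetical, "1a2b3c4d.0" is a constructed sample name, and junk.crt is assumed not to exist.

```perl
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical helper: list problems in an agent's TLS trust settings.
sub audit_ssl_opts {
    my ($ua) = @_;
    my @findings;

    # With verify_hostname off, the server certificate is not checked.
    push @findings, 'verify_hostname is off'
        unless $ua->ssl_opts('verify_hostname');

    # SSL_ca_file has to be a readable file of CA certificates.
    my $file = $ua->ssl_opts('SSL_ca_file');
    push @findings, "SSL_ca_file '$file' is not readable"
        if defined $file && !-r $file;

    # OpenSSL looks up CAs in SSL_ca_path by hashed file names such as
    # "1a2b3c4d.0"; a directory without them trusts no CA at all.
    my $path = $ua->ssl_opts('SSL_ca_path');
    if (defined $path) {
        my @hashed;
        if (opendir my $dh, $path) {
            @hashed = grep { /^[0-9a-f]{8}\.\d+$/ } readdir $dh;
            closedir $dh;
        }
        push @findings, "SSL_ca_path '$path' has no hashed CA certificates"
            unless @hashed;
    }
    return @findings;
}

sub report {
    my ($label, $ua) = @_;
    my @findings = audit_ssl_opts($ua);
    print "$label: ", (@findings ? join('; ', @findings) : 'ok'), "\n";
}

# Way 1: environment variables, read once when the agent is constructed.
{
    local $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
    local $ENV{PERL_LWP_SSL_CA_FILE}         = 'junk.crt';
    report('environment', LWP::UserAgent->new);
}
# Way 2: the ssl_opts constructor argument.
report('constructor', LWP::UserAgent->new(ssl_opts => { SSL_ca_path => '.' }));
# Way 3: ssl_opts() on an existing agent, as the tutorial script does.
my $ua = LWP::UserAgent->new;
$ua->ssl_opts(SSL_ca_path => '.');
report('method call', $ua);
```

Running the same audit at start-up in a real client catches a disabled verify_hostname or an unusable CA location before the first HTTPS request is made.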
You can fix the error in 3 two ways: