I am connecting to a CAS server, but my CAS server certificate is expired and because of this I am getting the error below:
error SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed unable to connect https://<domain Name>:443/
To avoid this error, a few suggestions are to set verify_hostname & verify_ssl to "0". But it's not solving the issue. Can anyone help?
Perl version: 5.22
LWP:6.0.16
If you follow these suggestions, then you should ask yourself why you use https at all, because ignoring certificate errors means that man in the middle attacks are possible and thus the protection TLS should offer simply vanishes.
To connect to a server where the certificate cannot be properly validated by normal means you have to use a different kind of verification instead of no verification at all. Support for https in current versions of LWP is realized using IO::Socket::SSL. This module offers a simple mechanism to deal with such problems by comparing the fingerprint of the certificate against the expected fingerprint.
First you need to get the current fingerprint of the certificate. This can be done with some openssl commands or, if you are sure that there is currently no man in the middle attack, you could simply access the server:

This will give you a fingerprint with hash algorithm, i.e. something like sha256$55a5dfaaf... . This fingerprint then can be used to validate the certificate in future calls:

Apart from that, please note that there is a reason certificates expire. After the expiration time no more revocations will be tracked. This means you have to really know that this certificate is definitely not revoked, because no CA will tell you.
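The two steps described in the answer above, written out as an added example (this is not the answerer's own code): run once without arguments on a trusted network path to read the fingerprint, then pass that fingerprint as the first argument so LWP pins to it. The host `cas.example.com` and the command-line handling are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: certificate pinning by fingerprint with LWP + IO::Socket::SSL.
use strict;
use warnings;
use IO::Socket::SSL;    # needs a version that supports SSL_fingerprint
use LWP::UserAgent;

my $host   = 'cas.example.com';   # placeholder, replace with your CAS host
my $pinned = shift @ARGV;         # e.g. 'sha256$55a5dfaaf...' from step 1

if (!defined $pinned) {
    # Step 1 (one time only, on a network path you trust):
    # connect without validation purely to read the certificate fingerprint.
    my $cl = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => 443,
        SSL_verify_mode => SSL_VERIFY_NONE,
    ) or die "connect failed: $SSL_ERROR\n";

    # Returns "<algorithm>$<hex digest>", the format SSL_fingerprint expects.
    print "fingerprint: ", $cl->get_fingerprint('sha256'), "\n";
    close($cl);
    exit 0;
}

# Step 2 (every later call): verification stays on, but the check is
# "does the server certificate match the pinned fingerprint" instead of
# chain and expiry validation. Any other certificate is rejected.
my $ua = LWP::UserAgent->new(
    ssl_opts => { SSL_fingerprint => $pinned },
);

my $resp = $ua->get("https://$host/");
die "request failed: ", $resp->status_line, "\n" unless $resp->is_success;
print $resp->decoded_content;
```

When the server certificate is eventually renewed, the fingerprint changes and step 2 fails until the pin is updated, which is the intended behaviour.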