Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 115729
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: flagg [...] onet.eu
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.029
Fixed in: (no value)



Subject: Problem with cert-chain in P12
Download (untitled) / with headers
text/plain 714b
Hey, I probably found a bug with handling cert-chain embedded in *.p12 files - chained certs are not used by IO::Socket::SSL at all. However all is working fine, if I extract them with IO::Socket::SSL::Utils, write to a file (*.pem) and then specify this file through "SSL_ca_file". Example of code: ############### my ( undef, undef, @chn ) = Net::SSLeay::P_PKCS12_load_file( $p12, 1, $key ); open( my $fh, '>', $ca_file ) or die $!; print $fh map { PEM_cert2string( $_ ); } @chn; close( $fh ); CERT_free( $_ ) for @chn; ############### I found this on Windows platform, however it seems that things go in the same way on Linux Debian. Ps. I've checked this only in the latest version of IO::Socket::SSL.
Download (untitled) / with headers
text/plain 859b
Am Mi 29. Jun 2016, 10:27:31, STRZELEC schrieb: Show quoted text
> Hey, > I probably found a bug with handling cert-chain embedded in *.p12 > files - chained certs are not used by IO::Socket::SSL at all. However > all is working fine, if I extract them with IO::Socket::SSL::Utils, > write to a file (*.pem) and then specify this file through > "SSL_ca_file". Example of code:
I cannot reproduce the problem, i.e. openssl s_client shows that it adds all chain certificates from the PKCS12 file. But if you have multiple chain certificates it adds these in the wrong order which might cause problems. Please try the latest version in git if this fixes your problem: https://github.com/noxxi/p5-io-socket-ssl/commit/e329b07e2e784 If it does not get fixed I would need a sample PKCS12 where you get this issue, because with the samples I've generated I don't have the issue.
Download (untitled) / with headers
text/plain 1.2k
Still the same. I've attached *.p12 file for a test user. I'm using IO::Socket::SSL through LWP::UserAgent with options as below (maybe there is a problem). ############## verify_hostname => 0, SSL_use_cert => 1, SSL_ca_file => $chn, # workaround SSL_cert_file => $p12, SSL_passwd_cb => sub { $key }, ############## On Wed Jun 29 12:15:09 2016, SULLR wrote: Show quoted text
> Am Mi 29. Jun 2016, 10:27:31, STRZELEC schrieb:
> > Hey, > > I probably found a bug with handling cert-chain embedded in *.p12 > > files - chained certs are not used by IO::Socket::SSL at all. However > > all is working fine, if I extract them with IO::Socket::SSL::Utils, > > write to a file (*.pem) and then specify this file through > > "SSL_ca_file". Example of code:
> > I cannot reproduce the problem, i.e. openssl s_client shows that it > adds all chain certificates from the PKCS12 file. But if you have > multiple chain certificates it adds these in the wrong order which > might cause problems. Please try the latest version in git if this > fixes your problem: https://github.com/noxxi/p5-io-socket- > ssl/commit/e329b07e2e784 > > If it does not get fixed I would need a sample PKCS12 where you get > this issue, because with the samples I've generated I don't have the > issue.
Subject: testes.7z
Download testes.7z
application/x-7z-compressed 9.4k

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 722b
Show quoted text
> ############## > verify_hostname => 0, > SSL_use_cert => 1, > SSL_ca_file => $chn, # workaround > SSL_cert_file => $p12,
I'm not sure what you are trying to do here, but SSL_cert_file is used as the client certificate which gets verified by the server while SSL_ca_file is used by the client to verify the servers certificate. No information from the client certificate should be used to verify the servers certificate, so if you expect this you might have the wrong expectation. When I use your example pkcs12 file in both client and server it successfully sends the client or server certificate with the full chain provided in the pkcs12 file. And this is all it should do.
Download (untitled) / with headers
text/plain 362b
I've expected that if client and server have certs from exactly the same CA, a chain from *.p12 on a client side will be used to verify server cert (just as chain supplied in SSL_ca_file). However I understand that things are going in other way (and this could be only on a wish list ;), so this thread should be closed. Thank You for your time and explanation.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.