Skip Menu |
 

This queue is for tickets about the Crypt-SSLeay CPAN distribution.

Report information
The Basics
Id: 31501
Status: rejected
Priority: 0/
Queue: Crypt-SSLeay

People
Owner: nanis [...] runu.moc.invalid
Requestors: jonasbn [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 0.51
  • 0.57
Fixed in: (no value)



Subject: Issues with HTTPS_CA_DIR env variable
Hello, I have been fighting a proxy for some days now in an attempt to get LWP::UserAgent to work with SSL over this proxy. Finally we are getting somewhere and data are pouring through, but I am experiencing a configuration problem with Crypt::SSLeay. We are using a self-signed certificate since we are running SSL internally. So I got a certificate from the back-end, when I define this in the environment variable: HTTPS_CA_FILE and put it in my certs/ directory nothing works. If I put it together with my prototype script in that local directory it works. If I define HTTPS_CA_DIR and points this to 'certs' or even 'certs/' or '/home/jonasbn/certs/' nothing works. If I define HTTPS_CA_FILE to the full directory string '/home/jonasbn/certs/myca.crt' it works. It seems as if the HTTPS_CA_DIR environment variable is not respected or put to proper use. I attempted to debug this, but had no luck nailing the exact place where it goes bad. I am willing to answers questions on the above set up and run more tests. Thank you, jonasbn
Subject: Re: [rt.cpan.org #31501] Issues with HTTPS_CA_DIR env variable
Date: Thu, 13 Dec 2007 22:32:10 +0100
To: bug-Crypt-SSLeay [...] rt.cpan.org
From: David Landgren <david [...] landgren.net>
Download (untitled) / with headers
text/plain 1.4k
Jonas B. Nielsen via RT wrote: Show quoted text
> Thu Dec 13 15:45:26 2007: Request 31501 was acted upon. > Transaction: Ticket created by JONASBN > Queue: Crypt-SSLeay > Subject: Issues with HTTPS_CA_DIR env variable > Broken in: 0.51, 0.57 > Severity: (no value) > Owner: Nobody > Requestors: JONASBN@cpan.org > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=31501 > > > > Hello, > > I have been fighting a proxy for some days now in an attempt to get > LWP::UserAgent to work with SSL over this proxy. > > Finally we are getting somewhere and data are pouring through, but I am > experiencing a configuration problem with Crypt::SSLeay. > > We are using a self-signed certificate since we are running SSL internally. > > So I got a certificate from the back-end, when I define this in the > environment variable: HTTPS_CA_FILE and put it in my certs/ directory > nothing works. If I put it together with my prototype script in that > local directory it works. > > If I define HTTPS_CA_DIR and points this to 'certs' or even 'certs/' or > '/home/jonasbn/certs/' nothing works. > > If I define HTTPS_CA_FILE to the full directory string > '/home/jonasbn/certs/myca.crt' it works. > > It seems as if the HTTPS_CA_DIR environment variable is not respected or > put to proper use. I attempted to debug this, but had no luck nailing > the exact place where it goes bad.
Hi Jonas, let me have a look at this and I'll get back to you. Thanks, David
Download (untitled) / with headers
text/plain 2.6k
Hello: Thank you for the report. For reference, see http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html In a nutshell, $ENV{HTTPS_CA_DIR} is *not* a prefix. From the documentation referenced above: Show quoted text
> If CAfile is not NULL, it points to a file of CA certificates > in PEM format. The file can contain several CA certificates
That is, $ENV{HTTPS_CA_FILE} must contain the full path to the certificate file. The library does not try to construct the path to the file using $ENV{HTTPS_CA_DIR} and $ENV{HTTPS_CA_FILE}. Show quoted text
> If CApath is not NULL, it points to a directory containing CA > certificates in PEM format. The files each contain one CA > certificate. The files are looked up by the CA subject name hash > value, which must hence be available. If more than one CA certificate > with the same name hash value exist, the extension must be different > (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the > ordering of the extension number, regardless of other properties of > the certificates. Use the c_rehash utility to create the necessary > links.
Note the naming requirement for certificate files in $ENV{HTTPS_CA_DIR}. If you want to put your 'myca.crt' file in $ENV{HTTPS_CA_DIR} and have it be located that way, you need to create a symlink to it (in #ENV{HTTPS_CA_DIR} using the c_rehash utility. I know this is three years too late, but hope it helps someone. Once again, thanks for the report. However, I do not think this is a bug with Crypt-SSLeay. -- Sinan On Thu Dec 13 15:45:26 2007, JONASBN wrote: Show quoted text
> Hello, > > I have been fighting a proxy for some days now in an attempt to get > LWP::UserAgent to work with SSL over this proxy. > > Finally we are getting somewhere and data are pouring through, but I am > experiencing a configuration problem with Crypt::SSLeay. > > We are using a self-signed certificate since we are running SSL
internally. Show quoted text
> > So I got a certificate from the back-end, when I define this in the > environment variable: HTTPS_CA_FILE and put it in my certs/ directory > nothing works. If I put it together with my prototype script in that > local directory it works. > > If I define HTTPS_CA_DIR and points this to 'certs' or even 'certs/' or > '/home/jonasbn/certs/' nothing works. > > If I define HTTPS_CA_FILE to the full directory string > '/home/jonasbn/certs/myca.crt' it works. > > It seems as if the HTTPS_CA_DIR environment variable is not respected or > put to proper use. I attempted to debug this, but had no luck nailing > the exact place where it goes bad. > > I am willing to answers questions on the above set up and run more tests. > > Thank you, > > jonasbn
Download (untitled) / with headers
text/plain 2.8k
See also http://www.tin.org/bin/man.cgi?section=1&topic=c_rehash On Wed Aug 11 20:47:19 2010, NANIS wrote: Show quoted text
> Hello: > > Thank you for the report. > > For reference, see > http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html > > In a nutshell, $ENV{HTTPS_CA_DIR} is *not* a prefix. > > From the documentation referenced above: >
> > If CAfile is not NULL, it points to a file of CA certificates > > in PEM format. The file can contain several CA certificates
> > That is, $ENV{HTTPS_CA_FILE} must contain the full path to the > certificate file. The library does not try to construct the path to the > file using $ENV{HTTPS_CA_DIR} and $ENV{HTTPS_CA_FILE}. >
> > If CApath is not NULL, it points to a directory containing CA > > certificates in PEM format. The files each contain one CA > > certificate. The files are looked up by the CA subject name hash > > value, which must hence be available. If more than one CA certificate > > with the same name hash value exist, the extension must be different > > (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the > > ordering of the extension number, regardless of other properties of > > the certificates. Use the c_rehash utility to create the necessary > > links.
> > Note the naming requirement for certificate files in $ENV{HTTPS_CA_DIR}. > If you want to put your 'myca.crt' file in $ENV{HTTPS_CA_DIR} and have > it be located that way, you need to create a symlink to it (in > #ENV{HTTPS_CA_DIR} using the c_rehash utility. > > I know this is three years too late, but hope it helps someone. > > Once again, thanks for the report. However, I do not think this is a bug > with > Crypt-SSLeay. > > -- Sinan > > > On Thu Dec 13 15:45:26 2007, JONASBN wrote:
> > Hello, > > > > I have been fighting a proxy for some days now in an attempt to get > > LWP::UserAgent to work with SSL over this proxy. > > > > Finally we are getting somewhere and data are pouring through, but I am > > experiencing a configuration problem with Crypt::SSLeay. > > > > We are using a self-signed certificate since we are running SSL
> internally.
> > > > So I got a certificate from the back-end, when I define this in the > > environment variable: HTTPS_CA_FILE and put it in my certs/ directory > > nothing works. If I put it together with my prototype script in that > > local directory it works. > > > > If I define HTTPS_CA_DIR and points this to 'certs' or even 'certs/' or > > '/home/jonasbn/certs/' nothing works. > > > > If I define HTTPS_CA_FILE to the full directory string > > '/home/jonasbn/certs/myca.crt' it works. > > > > It seems as if the HTTPS_CA_DIR environment variable is not respected or > > put to proper use. I attempted to debug this, but had no luck nailing > > the exact place where it goes bad. > > > > I am willing to answers questions on the above set up and run more
tests. Show quoted text
> > > > Thank you, > > > > jonasbn
>


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.