[Crypt::SSLeay] CA certificate trust verification with LWP HTTPS communication
on 07.06.2005 15:09:03 by mckenzie.c
Hi!
I've been successfully using LWP with Crypt::SSLeay for HTTPS
communication. Both libraries are great, you're doing the world a
great service!
My issue is that anonymous SSL is not secure against a man in the
middle attack, and matching the peer's CA cert subject to its
hostname in an LWP-get('If-SSL-Cert-Subject' => 'host') request is
also not enough.
Due to logistical reasons I can't easily distribute individual client
SSL certs. So the best solution is to have the client trust only
communication with HTTPS peers that present certs issued from an
identified, trusted CA. Consequently I've been looking at
Crypt::SSLeay's certificate support.
Oddly enough, yesterday I tried specifying only the CA cert, which I
exported from my web server (unfortunately it's IIS for now). The LWP
test code I wrote failed with a status message claiming the peer's
cert wasn't trusted. However, this morning it works fine? In fact I can
specify the same CA cert file and it connects successfully to any site
I point it to. Strange.
Anyways, the point of this e-mail is to ask if Crypt::SSLeay's
certificate support can be used with the CA cert directory or file
only specified, and what the cert container format is expected to be?
Or if I need to set or modify anything else to enforce only trusted CA
issued SSL server certs? The only clues I can see in the README are
that the CA file can be a bundle (do you mean a PKCS#7 container?):
# CA CERT PEER VERIFICATION
$ENV{HTTPS_CA_FILE} = 'certs/ca-bundle.crt';
$ENV{HTTPS_CA_DIR} = 'certs/';
and that CA file support is possibly an addition to client cert and
key file specification and might not be usable alone:
"Additionally, if you would like to tell the client where the CA file
is, you may set these."
Any help would be appreciated. If I come up with anything helpful,
I'll be sure to pass it along.
Thank you.
- Chris McKenzie
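The question above is really "is CA verification actually in force for this request?" A direct way to find out is to run the same request twice: once with the CA bundle that issued the server's certificate, and once with a bundle that contains only an unrelated CA. If the second run still succeeds, the trust store is not being enforced. The script below is an added example written for this thread; it is not code from the original post or from the Crypt::SSLeay or LWP distributions. It assumes that Crypt::SSLeay honours HTTPS_CA_FILE as the README excerpt describes, that LWP::Protocol::https matches If-SSL-Cert-Subject as a pattern against the peer's subject (the way the post uses it), and that the Client-SSL-Cert-Subject and Client-SSL-Cert-Issuer response headers are populated on a successful HTTPS response. The CA file path, host name and expected issuer are placeholders.

```perl
#!/usr/bin/perl
# Added example: check whether CA peer verification is really in force
# for an LWP + Crypt::SSLeay HTTPS request, and that the peer cert was
# issued by the CA we expect. Not from the original post or the modules.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Placeholders (assumptions): your PEM CA bundle, target host and the
# issuer string you expect to see in the peer certificate.
my $ca_file         = shift @ARGV || 'certs/ca-bundle.crt';
my $host            = shift @ARGV || 'www.example.com';
my $expected_issuer = shift @ARGV || 'My Trusted CA';

# Crypt::SSLeay reads these from the environment when it builds the
# SSL context. Only one trust store is set, so a stray HTTPS_CA_DIR
# cannot quietly widen what is trusted.
$ENV{HTTPS_CA_FILE} = $ca_file;
delete $ENV{HTTPS_CA_DIR};

# Perform one HTTPS GET and return a small verdict hash.
sub check_peer {
    my ($host, $expected_issuer) = @_;
    my $ua  = LWP::UserAgent->new(timeout => 15);
    my $req = HTTP::Request->new(GET => "https://$host/");

    # Hostname pinning from the post: subject must carry the host name.
    # Assumed to be matched as a pattern against the peer's subject.
    $req->header('If-SSL-Cert-Subject' => "CN=\Q$host\E");

    my $res = $ua->request($req);
    my %v = (
        ok      => $res->is_success ? 1 : 0,
        status  => $res->status_line,
        subject => $res->header('Client-SSL-Cert-Subject') // '',
        issuer  => $res->header('Client-SSL-Cert-Issuer')  // '',
    );

    # Even when the TLS handshake and hostname match both pass, insist
    # that the certificate came from the CA we actually trust.
    $v{issuer_ok} = ($v{issuer} =~ /\Q$expected_issuer\E/) ? 1 : 0;
    return \%v;
}

my $v = check_peer($host, $expected_issuer);
printf "status : %s\n",  $v->{status};
printf "subject: %s\n",  $v->{subject};
printf "issuer : %s\n",  $v->{issuer};
if ($v->{ok} && $v->{issuer_ok}) {
    print "PASS: connection succeeded and issuer matches '$expected_issuer'\n";
    exit 0;
}
print "FAIL: ", ($v->{ok} ? "issuer did not match expected CA"
                          : "request failed (verification or transport error)"), "\n";
exit 1;
```

Run it first with the bundle that actually issued the server certificate; it should print PASS. Then run it again with a bundle containing only an unrelated CA (for example a single self-signed test CA you created yourself). If that second run also reports a successful request, HTTPS_CA_FILE is not being applied to the connection and the "connects to any site I point it to" behaviour described in the post is a sign that verification is off, not that the bundle is broad. The issuer check at the end is the extra guard the post asks for: a valid chain and a matching hostname are necessary, but only a certificate chaining to the identified CA should be accepted.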