Crypt::SSLeay, accessing server keys and such?

on 05.03.2007 21:05:07 by nospam

Hello,

Posting this from the newsgroup, hope it works...

I've been trying to access the server keys from an SSL connection using
Crypt::SSLeay and LWP. I really need to use LWP as the rest of the program
is sort of built around it.

Here is what I want to do:

Fetch/Post files to a remote SSL web server and be absolutely certain
I'm speaking with the correct person.

To verify the remote cert has been signed with one of my CAs, I'm doing
this:

my $wrn = $res->header('client-ssl-warning'); # Is this a guarantee message
die "SSL:[WARN]: $wrn" if ($wrn);              # if they weren't signed?


Second, I'd like to have a list of known peers and verify that their key
is actually one of the people I trust:

In Lily Tomlin parlance, "Do I have the party to whom I am speaking?"

Should I just do this:

$dn = $res->header('client-ssl-cert-subject');

And compare $dn to a list of known DNs? Is this secure?

Here is what $dn looks like:

/C=US/ST=StateName/L=CityName/O=Development Server/OU=Development/CN=proto.example.com

Will the /C=/ST=/ stuff always be in the above format, in the exact same order so
I can just compare them against a list?

Seems like there is a better way, is there?

Would just extracting the CN portion and comparing it with the remote hostname work?

The reason I'm paranoid about this is, I'll be fetching data and commands from
a remote host that will be executed on the local machine. I will be signing other
keys with the same CA, and.. I want to make sure one of those keys isn't somehow
used to attack the machine.

Thanks!

Jamie
--
http://www.geniegate.com Custom web programming
Perl * Java * UNIX User Management Solutions
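One way to turn the checks discussed in this post into code. This is an added example, not code from the thread or from LWP itself; it relies only on the Client-SSL-Cert-Subject, Client-SSL-Cert-Issuer and Client-SSL-Warning response headers that LWP::Protocol::https documents, and it runs offline against constructed responses with a hypothetical CA subject DN. Rather than comparing the whole "/C=/ST=/..." string against a list, it parses the DN into its components, requires the issuer to be exactly our CA, and then requires the subject CN to be exactly the host we intended to reach, which is the step that tells apart the intended server from every other certificate signed by the same CA.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. It checks the peer
# using the Client-SSL-* headers that LWP::Protocol::https adds to a
# response, but parses the DN into its components instead of comparing
# whole strings. Everything below runs offline on constructed responses.
use strict;
use warnings;
use HTTP::Response;

# Parse OpenSSL's "oneline" DN form ("/C=US/ST=.../CN=host") into an
# ordered list of [attribute, value] pairs. Caveat: this form does not
# escape '/' inside values, so a value containing a slash is ambiguous.
# That ambiguity is one reason a raw string comparison is not a safe
# identity check.
sub parse_oneline_dn {
    my ($dn) = @_;
    my @rdns;
    for my $part (split m{/}, $dn) {
        next if $part eq '';                       # leading slash yields ''
        my ($attr, $value) = split /=/, $part, 2;
        die "malformed RDN component '$part'\n" unless defined $value;
        push @rdns, [$attr, $value];
    }
    return \@rdns;
}

# Order-sensitive equality of two parsed DNs (an RDN sequence is ordered).
sub dn_equal {
    my ($x, $y) = @_;
    return 0 unless @$x == @$y;
    for my $i (0 .. $#{$x}) {
        return 0 unless $x->[$i][0] eq $y->[$i][0]
                     && $x->[$i][1] eq $y->[$i][1];
    }
    return 1;
}

# Fetch one attribute (e.g. 'CN'); refuse to guess when it is missing or
# appears more than once, since duplicate CNs confuse naive matching.
sub dn_attr {
    my ($rdns, $want) = @_;
    my @hits = map { $_->[1] } grep { $_->[0] eq $want } @$rdns;
    die "expected exactly one $want in subject, found " . @hits . "\n"
        unless @hits == 1;
    return $hits[0];
}

# Accept the response only if (1) LWP raised no SSL warning, (2) the
# certificate issuer is exactly our CA, and (3) the subject CN is exactly
# the host we meant to talk to. Returns the matched CN, dies otherwise.
sub check_peer {
    my ($res, $expected_host, $expected_issuer_dn) = @_;

    my $warn = $res->header('Client-SSL-Warning');
    die "SSL:[WARN]: $warn\n" if defined $warn && length $warn;

    my $subject = $res->header('Client-SSL-Cert-Subject');
    my $issuer  = $res->header('Client-SSL-Cert-Issuer');
    die "response carries no peer certificate headers\n"
        unless defined $subject && defined $issuer;

    die "issuer '$issuer' is not our CA\n"
        unless dn_equal(parse_oneline_dn($issuer),
                        parse_oneline_dn($expected_issuer_dn));

    my $cn = dn_attr(parse_oneline_dn($subject), 'CN');
    die "wildcard CN '$cn' not accepted for a pinned host\n" if $cn =~ /\*/;
    die "certificate CN '$cn' does not match host '$expected_host'\n"
        unless lc($cn) eq lc($expected_host);

    return $cn;
}

# --- demonstration on constructed responses (no network) -----------------
my $ca_dn = '/C=US/O=Development Server/CN=Development CA';  # assumed CA subject

my @samples = (
    # the server we intend to talk to
    ['/C=US/ST=StateName/L=CityName/O=Development Server/OU=Development/CN=proto.example.com', $ca_dn, undef],
    # another certificate from the same CA: must be rejected
    ['/C=US/O=Development Server/CN=other.example.com', $ca_dn, undef],
    # right name, but signed by someone else
    ['/C=US/O=Somebody Else/CN=proto.example.com', '/C=US/O=Somebody Else/CN=Other CA', undef],
    # LWP itself flagged the handshake (constructed warning text)
    ['/C=US/O=Development Server/CN=proto.example.com', $ca_dn, 'Peer certificate not verified'],
);

for my $s (@samples) {
    my ($subject, $issuer, $warning) = @$s;
    my $res = HTTP::Response->new(200, 'OK', [
        'Client-SSL-Cert-Subject' => $subject,
        'Client-SSL-Cert-Issuer'  => $issuer,
        (defined $warning ? ('Client-SSL-Warning' => $warning) : ()),
    ]);
    my $cn = eval { check_peer($res, 'proto.example.com', $ca_dn) };
    print defined $cn ? "accepted $cn\n" : "rejected: $@";
}
```

Two caveats that matter more than the parsing. First, the subject check only means something if the signature was actually verified against your CA; with Crypt::SSLeay that is configured through the HTTPS_CA_FILE / HTTPS_CA_DIR environment variables it documents, and Client-SSL-Warning is the signal that verification did not happen. Second, this post-hoc check runs after the request has already been sent, so anything in the request body has already reached whoever answered; a check that runs during the handshake, such as the If-SSL-Cert-Subject request header that LWP::Protocol::https documents (a regex match on the subject, so looser than the exact CN comparison above) or hostname verification in the TLS layer of newer LWP releases, closes that window.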

Re: Crypt::SSLeay, accessing server keys and such?

on 06.03.2007 03:09:42 by scratchcomputing

# from Jamie
# on Monday 05 March 2007 12:05 pm:

>I've been trying to access the server keys from an SSL connection
> using Crypt::SSLeay and LWP. I really need to use LWP as the rest of
> the program is sort of built around it.

It's my understanding that to do strict key verification and such,
you'll need to write a package a la LWP::Protocol::https and then set it
as the implementor:

LWP::Protocol::implementor('https', 'foo::bar');

That's just from my reading of the code/docs. I haven't played with it
yet, only determined that it appears to be the official mechanism.

--Eric
--
"I've often gotten the feeling that the only people who have learned
from computer assisted instruction are the authors."
--Ben Schneiderman
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------