[Crypt::SSLeay] : pkcs12 cert file & connexion refusal
on 08.09.2004 16:18:34 by jean-luc.pinardon
Hi,
We are currently developing an automated connection and request Perl
script towards a default tracking server (using https) at a supplier site.
So, we have installed a Perl distribution (This is perl, v5.8.5 built for
sun4-solaris),
along with useful additional Perl modules, among which Crypt::SSLeay.
The script is using LWP::UserAgent to send the requests.
The script as written works well for a simple http or for an https connection
towards a site not using a certificate (e.g. https://www.linuxfr.org).
So, I think there's no problem with the proxy.
Now, the site we want to connect to needs a certificate.
The supplier gave us a web address where I have created a certificate,
trusted by Verisign,
and it is OK for a "manual" connection via a browser (Firefox).
Using the browser I have exported my certificate into a .pkcs12 file.
Now, when trying to connect to the supplier tracking server, I always
get an error from the server:
Here are some traces obtained with LWP::Debug:
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server certificate request A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client certificate A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write certificate verify A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad certificate
SSL_connect:failed in SSLv3 read finished A
Note that there's no negotiation to fall back to SSLv2.
And here is the dump of the header object:
$VAR1 = bless( {
'client-warning' => 'Internal response',
'client-date' => 'Wed, 08 Sep 2004 13:27:22 GMT',
'content-type' => 'text/plain'
}, 'HTTP::Headers' );
In the script code, the User Agent is initialized as:
my $ua = new LWP::UserAgent(
    'agent' => 'Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7) Gecko/20040615 Firefox/0.9'
);
I set three env variables for the proxy settings:
$ENV{HTTPS_PROXY}="$proxy_ip:$proxy_port";
$ENV{HTTPS_PROXY_USERNAME}="$me"; #My Proxy user Name
$ENV{HTTPS_PROXY_PASSWORD}="$S3kr3T"; # My Proxy Password
The SSL version is chosen by:
$ENV{HTTPS_VERSION} = 3;
I also set 2 env variables to give the certificate pkcs12 file path and
password (I have checked it is OK):
$ENV{HTTPS_PKCS12_FILE} = "$pk_pathname";
$ENV{HTTPS_PKCS12_PASSWORD}="$pk_passwd";
Reading the module documentation, the line:
> Use of this type of certificate will take precedence over previous
> certificate settings described.
makes me think it is enough for the certificate to be correctly sent.
Now, as there is still an error (and it is the case on any machine and
platform we try, and whatever the browser with which the pkcs12 file has
been generated),
I think I have probably missed something.
So, I am very interested in any advice you could send to me.
Note that we ran something like a "crash test" with a browser (on a test
machine) on which we deleted all the Authorities.
Doing that, I cannot connect to the supplier site.
So I wonder whether the script settings could be lacking information about
the certification authorities?
Thanks for your help.
Best Regards,
J.L.P.
--
Jean-Luc Pinardon Alcatel ABS - MPD/TND
Software Configuration Management 32, avenue Kleber
mailto:jean-luc.pinardon@art.alcatel.fr 92707 Colombes Cedex
Phone : +33 1 55 66 77 54 France
Fax : +33 1 55 66 33 37
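The following is an added example, not the poster's script: it sets the same Crypt::SSLeay environment variables as the post, adds the CA-bundle and debug settings from the Crypt::SSLeay documentation (HTTPS_CA_FILE, HTTPS_DEBUG) that address the poster's question about certification authorities, and uses the "Client-Warning: Internal response" header seen in the dump to tell a failed handshake from a real server reply. The URL, file paths and password are placeholders.

```perl
#!/usr/bin/perl
# Added example (not the poster's code). Exercises the Crypt::SSLeay
# client-certificate settings from the post and distinguishes an LWP
# internal error from an HTTP response that actually came from the server.
use strict;
use warnings;
use LWP::UserAgent;

# Placeholders: replace with the real tracking-server URL and local paths.
my $url       = 'https://tracking.example.invalid/';
my $pkcs12    = '/path/to/client.p12';       # exported from the browser
my $pkcs12_pw = 'PLACEHOLDER_PASSWORD';
my $ca_bundle = '/path/to/supplier-ca-chain.pem';  # PEM bundle of the CAs

# Crypt::SSLeay reads its configuration from the environment.
$ENV{HTTPS_VERSION}         = 3;           # SSLv3 only, as in the post
$ENV{HTTPS_PKCS12_FILE}     = $pkcs12;     # client certificate + private key
$ENV{HTTPS_PKCS12_PASSWORD} = $pkcs12_pw;
$ENV{HTTPS_CA_FILE}         = $ca_bundle;  # CAs used to verify the server
$ENV{HTTPS_DEBUG}           = 1;           # handshake trace on STDERR

# Proxy settings, if needed, go through the same mechanism as in the post:
# $ENV{HTTPS_PROXY}          = 'proxy_ip:proxy_port';
# $ENV{HTTPS_PROXY_USERNAME} = '...';
# $ENV{HTTPS_PROXY_PASSWORD} = '...';

my $ua  = LWP::UserAgent->new(agent => 'tracking-client/0.1', timeout => 30);
my $res = $ua->get($url);

# LWP fabricates a response with "Client-Warning: Internal response" when
# the connection or TLS handshake failed; the server never answered then.
if (my $warn = $res->header('Client-Warning')) {
    print STDERR "no HTTP response from server ($warn): ", $res->content, "\n";
    exit 1;
}

# Anything else is a genuine server reply, even if it is an HTTP error.
printf "server answered: %s\n", $res->status_line;
exit($res->is_success ? 0 : 2);
```

Run with HTTPS_DEBUG set, the OpenSSL trace on STDERR shows whether the failure happens before or after the client certificate is sent.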