11.24.2007 at 12:12PM PST, ID: 22980380
Trouble using client certificates with Crypt-SSL 0.53 and ActiveState Perl build 811

Tags: perl, lwp, ssl, certificate
Hi all,

I'm trying to get Crypt-SSL to work with client certificates without much success. I am using Crypt-SSL 0.53 fetched from http://theoryx5.uwinnipeg.ca/ppms/Crypt-SSLeay.ppd and can use it just fine with LWP to fetch sites that don't use client certificates. When I use a client certificate, I get an error of "OPENSSL_Uplink(0284F020,06): no OPENSSL_Applink"  on line 414 in SSL.pm:

414:  $ctx->use_pkcs12_file($file ,$ENV{'HTTPS_PKCS12_PASSWORD'}) || die("failed to load $file: $!");

The certificate file exists where expected in c:\certs and also works fine in a browser. I exported the certificate from Internet Explorer in PKCS12 format.

Other pertinent info would include that I am using the ssleay32.dll and libeay32.dll from UWinnipeg (version 0.9.8.1) and updating to later ones (0.9.8.5 borrowed from Apache's SSL files) doesn't make any difference - same error.
 
Checking OpenSSL, the following link (http://www.openssl.org/support/faq.html#PROG2) seems to indicate this error means applink.c needs to be linked in to avoid the error. So, I ventured down the road of fetching Crypt-SSL 0.57 from CPAN, Visual C++ 2008 express from Microsoft (so I could get nmake) and tried building my own Crypt-SSL. This was a disaster as I could run Perl Makefile.pl but nmake choked with 50 warnings and errors and finally died with fatal error U1077 and return code '0x460'. Trying to resolve these errors is way beyond my C skills and time! Comments on the web seem to indicate very few hearty souls can build their own Crypt-SSL on Windows so I guess I knew it was a long shot to start with.

Attacking this from a different angle, I converted my PKCS12 certificate into separate PEM format files for the certificate and private keys and used these in place of the PKCS12 pfx certificate (see the commented lines in the code). I did this via OpenSSL commands:

Extract user key:
openssl pkcs12 -nocerts -in c:\certs\mycert.pfx -out c:\certs\userkey.pem

Extract User certificate:
openssl pkcs12 -clcerts -nokeys -in c:\certs\mycert.pfx -out c:\certs\usercert.pem

Strip password from user key:
openssl rsa -in c:\certs\userkey.pem -out c:\certs\userkey_nopw.pem

But when I run the script, I get the following output:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:failed in SSLv2 read server hello A
500 SSL negotiation failed:
Press any key to continue . . .

So, I commented out the  '$ENV{HTTPS_VERSION} = 3' line to see if that would help and get the following:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:failed in SSLv2 read server hello A
500 SSL negotiation failed:
Press any key to continue . . .

So, hopefully I haven't overloaded this question with too much information but I feel I have banged on this from several different angles and hopefully that will help figure out the best way to go from here.

Thanks in advance!
#!/usr/bin/perl
use strict;
use warnings;
use LWP;
use LWP::UserAgent;
use HTTP::Request;
 
my $URI = 'https://client-website.com';
my $user = 'myusername';
my $pass = 'mypassword';
 
# CA Cert file downloaded from http://eca.orc.com/ecaroot.crt
#$ENV{HTTPS_CA_FILE}= 'c:/ca_certs/ecaroot.crt';
#$ENV{HTTPS_CA_DIR} = 'c:/ca_certs';
 
#$ENV{HTTPS_CERT_FILE} = "c:/certs/usercert.pem";
#$ENV{HTTPS_KEY_FILE}  = "c:/certs/userkey_nopw.pem";
 
$ENV{HTTPS_PKCS12_FILE}     = 'c:/certs/pkcs12cert.pfx';
$ENV{HTTPS_PKCS12_PASSWORD} = 'cert_password';
#$ENV{HTTPS_VERSION} = 3;
 
# Print SSL Debug stuff (omit this line if not debugging)
$ENV{HTTPS_DEBUG} = 1;
 
# define user agent
my $ua = LWP::UserAgent->new();
$ua->agent("Test/Perl/WebChecker_script");
 
# make request
my $request = HTTP::Request->new(GET => $URI);
 
# authenticate
$request->authorization_basic($user, $pass);
 
# accept response
my $response = $ua->request($request);
 
# get content of response
my $content = $response->content();
 
# do whatever you need to do with the content here
print $content;
 
exit;
Question Stats
Zone: Programming
Question Asked By: diegoslice
Solution Provided By: diegoslice
Participating Experts: 2
Solution Grade: B
Views: 53
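
Added example (not part of the original question and not Crypt-SSLeay code): a small Perl script that groups the second HTTPS_DEBUG trace from the question into connection attempts and reports, for each, the hello sent, whether a server hello arrived, where the handshake stopped, and which side raised any alert. It relies on the OpenSSL trace convention that "alert write" is an alert sent by the local (client) side and "alert read" is one received from the server; the summary field names are assumptions of this example.

```perl
use strict;
use warnings;

# Trace from the question's second run (HTTPS_VERSION line commented out).
my @trace = split /\n/, <<'END';
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:failed in SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:failed in SSLv2 read server hello A
END

# Each "before/connect initialization" line starts a new connection attempt.
sub summarize {
    my @attempts;
    for my $line (@_) {
        if ($line =~ m{^SSL_connect:before/connect initialization}) {
            push @attempts, { hello => '-', server_hello => 'no',
                              failed_at => '-', alerts => [] };
        }
        next unless @attempts;
        my $cur = $attempts[-1];
        if ($line =~ /^SSL_connect:(\S+) write client hello/) {
            $cur->{hello} = $1;                 # protocol of the hello sent
        } elsif ($line =~ /^SSL_connect:\S+ read server hello/) {
            $cur->{server_hello} = 'yes';       # the server answered
        } elsif ($line =~ /^SSL\d alert (read|write):(\w+):(.+)$/) {
            # "write" = sent by this client, "read" = received from the server
            push @{ $cur->{alerts} },
                "$2 '$3' sent by " . ($1 eq 'write' ? 'client' : 'server');
        } elsif ($line =~ /^SSL_connect:(?:failed|error) in (.+)$/) {
            $cur->{failed_at} = $1 if $cur->{failed_at} eq '-';
        }
    }
    return @attempts;
}

my $n = 0;
for my $att (summarize(@trace)) {
    printf "attempt %d: hello=%s server_hello=%s failed_at=%s\n",
        ++$n, @{$att}{qw(hello server_hello failed_at)};
    print "  alert: $_\n" for @{ $att->{alerts} };
}
```

For this trace the only alert is raised by the client side in the first attempt, after the server hello has been read; the two fallback attempts never receive a server hello.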
11.26.2007 at 02:46PM PST, ID: 20353940

Rank: Wizard

All comments and solutions are available to Premium Service Members only.

11.26.2007 at 06:04PM PST, ID: 20354843

12.02.2007 at 03:17AM PST, ID: 20390809

12.04.2007 at 11:20AM PST, ID: 20405493
