How to ensure I'm doing lwp with https correctly?

[PugetSoundSylvia]

Hello all,

I'm using LWP for programatic access to a website. I'm using https,
and have installed Crypt::SSLeay (hopefully correctly).

What I'd like to do is make sure that my https access is actually
correctly set up, and that I am accessing everything securely. Any
ideas on how I can double-check that everything is happening
correctly? Or is there something I can use to audit my connection?
If I didn't do the Crypt::SSLeay install correctly, would https access
just not work, or would it just default to http?

Thanks in advance for any pointers,
Sylvia

 

[comp.llang.perl.moderated]

I'm using LWP for programatic access to a website. I'm using https,
and have installed Crypt::SSLeay (hopefully correctly).

What I'd like to do is make sure that my https access is actually
correctly set up, and that I am accessing everything securely. Any
ideas on how I can double-check that everything is happening
correctly? Or is there something I can use to audit my connection?
If I didn't do the Crypt::SSLeay install correctly, would https access
just not work, or would it just default to http?

If Crypt::SSLeay installed successfully
and passed its test suite, you can be
reasonably assured that SSL transactions
occur. You can confirm actual details of the exchange by setting:

$ENV{HTTPS_DEBUG} = 1

before initiating the connection. See:
perldoc Crypt::SSLeay.

Also, if using Perl's LWP module, you
can add:

use LWP:ebug qw/+/

for other details of the exchange>
See perldoc LWP:ebug for less
verbose settings.

Here's an example with HTTPS_DEBUG and
LWP:ebug set:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A

LWP::UserAgent::new: ()
HTTP::Cookies::add_cookie_header: Checking ... for cookies

LWP::UserAgent::send_request: GET https://....
LWP::UserAgent::_need_proxy: Not proxied
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A

 

[PugetSoundSylvia]

If Crypt::SSLeay installed successfully
and passed its test suite, you can be
reasonably assured that SSL transactions
occur. You can confirm actual details of the exchange by setting:

    $ENV{HTTPS_DEBUG} = 1

before initiating the connection. See:
perldoc Crypt::SSLeay.

Also, if usingPerl'sLWPmodule, you
can add:

    useLWP:ebug qw/+/

for other details of the exchange>
See perldocLWP:ebug for less
verbose settings.

Here's an example with HTTPS_DEBUG andLWP:ebug set:

SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A

LWP::UserAgent::new: ()
HTTP::Cookies::add_cookie_header: Checking ... for cookies

LWP::UserAgent::send_request: GET https://....LWP::UserAgent::_need_proxy: Not proxied
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server key exchange A

Thanks Charles - your debug hints were very helpful. It looks like
the certificate isn't even checked when doing https UNLESS you have
the HTTPS_CA_DIR environment variable set. Then it checks (and in my
case it's failing with a bad certificate error as below)

LWP::UserAgent::new: ()
LWP::UserAgent::request: ()
LWP::UserAgent::send_request: GET https://xxxxxxxxxx.org/api/login.php?name=xxxxxx&pass=xxxxxx
LWP::UserAgent::_need_proxy: Not proxied
LWP:rotocol::http::request: ()
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello A
LWP::UserAgent::request: Simple response: Internal Server Error
Error: 500 SSL negotiation failed:

Now I'm trying to fill the the gaps in my understanding of
certificates, which are pretty gaping.

Thanks again for your help.

Sylvia

 

[volantecho]

hi all..

i face the same problem...
i tried debugging..still couldnt find out the reason why...
i received 2 kind of response when execute the script few times:

response #1 (which i think successfully bind)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A
<show the page content> # $res->content

response #2 (failure)
500 Connect failed: connect: Connection refused; Connection refused #
$res->content

i think it can bind to the remote ssl client, just very unstable or i
used the wrong method to access..
does it cause the problem if client wrote their own ssl certificate
without registering?

appreciate your help!