Jamie
I'm using Crypt::SSLeay (the LWP interface).
Wondering how one might (easily) confirm the key on the other side
was from a known CA.
My prototype in question:
use strict;
use warnings;
use LWP::UserAgent;

my $url = 'https://remote.cn.com/';   # placeholder for the real URL
my $ua  = LWP::UserAgent->new;

# MOZILLA.pem has both the key and the cert, but I could just as easily split them.
$ENV{HTTPS_CERT_FILE} = 'cert/MOZILLA.pem';
$ENV{HTTPS_KEY_FILE}  = 'cert/MOZILLA.pem';
$ENV{HTTPS_CA_FILE}   = 'cert/cacert.crt';

my $res = $ua->get($url);

#
# Will this ALWAYS be set if the server key is signed by a CA from some other
# source than I have in cacert.crt ?
# Can I rely on this being set if it's not signed properly?
#
my $wrn = $res->header('client-ssl-warning');
die "SSL: $wrn" if ($wrn);

# I noticed I can get the issuer this way:
my $ca_issue = $res->header('client-ssl-cert-issuer');
# I get a bunch of "/O=Whatever/F=Another/Etc=Whatnot/CN=remote.cn.com"
What I want to be absolutely certain of is that the server cert. is indeed signed
by the CA in the file: cert/cacert.crt
I could probably get the ID from $ca_issue, but then I'd have to maintain two
sets of data; I'd really rather just use cacert.crt.
What's the secure, right way to verify the remote host is who it says it is, assuming
the CA in cacert.crt is known?
Thanks!
Jamie
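An added example, not part of the post above, showing the defender's approach to the question: instead of inspecting a warning header after the fact, LWP's own ssl_opts (LWP 6 or later with LWP::Protocol::https and IO::Socket::SSL, rather than Crypt::SSLeay's environment variables) are used to require that the server chain validates to cert/cacert.crt and that the certificate name matches the host, so an untrusted or mismatched certificate fails the request itself. The URL is a placeholder; the file paths are the ones from the post.

```perl
#!/usr/bin/env perl
# Added example (not the original poster's code): verify the server
# certificate chain against cert/cacert.crt and check the hostname, failing
# the request outright when either check does not hold.
# Assumes LWP 6+ with LWP::Protocol::https and IO::Socket::SSL installed.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $url = 'https://remote.cn.com/';   # placeholder host from the post

my $ua = LWP::UserAgent->new(
    ssl_opts => {
        # certificate CN/SAN must match the host in $url
        verify_hostname => 1,
        # the chain must validate to a CA contained in SSL_ca_file
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => 'cert/cacert.crt',
        # client certificate and key for mutual TLS, as in the post
        SSL_cert_file   => 'cert/MOZILLA.pem',
        SSL_key_file    => 'cert/MOZILLA.pem',
    },
);

my $res = $ua->get($url);

# With verification enabled, a chain that does not lead to a CA in
# cacert.crt, or a hostname mismatch, aborts the TLS handshake; LWP then
# returns an internal error response carrying the SSL error text instead
# of a successful response with a Client-SSL-Warning header.
if (!$res->is_success) {
    die "request failed: " . $res->status_line . "\n"
      . $res->decoded_content . "\n";
}

print $res->decoded_content;
```

Keep the CA bundle in cacert.crt limited to the CA that is expected to sign the server certificate; any CA in that file is accepted as a trust anchor.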