I am trying to open an SSL connection with Client Authentication
using Crypt::SSLeay.

What works fine is specifying environment variables
HTTPS_CERT_FILE and HTTPS_KEY_FILE. Unfortunately
the keyfile has to be unencrypted (there seems to
be no password mechanism for HTTPS_KEY_FILE).

When I try to use HTTPS_PKCS12_FILE and
HTTPS_PKCS12_PASSWORD, Crypt::SSLeay seems to be unable
to open the PKCS12 file. On calling use_pkcs12_file
it returns an error "No such file or directory" (though
strace reveals that the file exists and is opened).

This is what I do:
##########################################################
$ENV{HTTPS_PKCS12_FILE} = '/home/gellert/test-cert.p12';
$ENV{HTTPS_PKCS12_PASSWORD} = 'test';
$ENV{HTTPS_VERSION} = 3;
$ENV{HTTPS_DEBUG} = 1;

require Crypt::SSLeay;
sub _default_context {
  require Crypt::SSLeay::MainContext;
  Crypt::SSLeay::MainContext::main_ctx(@_);
}

my $ctx = _default_context(23);
$file = $ENV{HTTPS_PKCS12_FILE};
$ctx->use_pkcs12_file($file, $pass) || die("failed to load $file: $!");
#################################################################

This is the output of the script:
#################################################################
./test.pl
failed to load /home/gellert/test-cert.p12: No such file or directory at ./test.pl line 27.
#################################################################

And this is what strace says...
#################################################################
open("/etc/ssl/cert.pem", O_RDONLY)     = -1 ENOENT (No such file or directory)
open("/home/gellert/test-cert.p12", O_RDONLY) = 3
[...]
read(3, "0\202\n\351\2\1\0030\202\n\257\6\t*\206H\206\367\r\1\7\1\240\202\n\240\4\202\n\2340\202"..., 4096) = 2797
close(3)                                = 0
munmap(0x7f448c5fd000, 4096)            = 0
write(2, "failed to load /home/gellert/tes"..., 149failed to load /home/gellert/test-cert.p12: No such file or directory at ./test.pl line 27.
#################################################################

The PKCS12 file was generated using OpenSSL, so this should
work...

By the way: Funny that use_pkcs12_file() still tries to open
/etc/ssl/cert.pem, even if a certificate file is specified...

Any idea? Or can I work around this using PEM-key and certificate
(but the key has to be encrypted)...

Cheers, Olaf

-- 
Olaf Gellert                          email  gell...@dkrz.de
Deutsches Klimarechenzentrum GmbH     phone  +49 (0)40 41173 214
Bundesstrasse 55                      fax    +49 (0)40 41173 270
D-20146 Hamburg, Germany              www    http://www.dkrz.de
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
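
An added illustration, not part of the original post and not Crypt::SSLeay code: the only ENOENT shown in the trace above comes from the earlier open of /etc/ssl/cert.pem, and Perl's `$!` simply holds the last errno value, so a later call that fails without setting errno gets reported with that stale text. `load_container` and `describe_failure` are hypothetical helpers, and the path, bytes and password are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical stand-in for a loader that signals failure only through its
# return value and never sets errno (for example a container that opens
# fine but cannot be decrypted). It performs no system calls.
sub load_container {
    my ($bytes, $pass) = @_;
    return 0 unless defined $pass;       # missing password: plain failure
    return $pass eq 'test' ? 1 : 0;      # constructed sample password
}

# Run a call with errno cleared first, so that $! afterwards can only come
# from the call itself and not from an earlier, unrelated failure.
sub describe_failure {
    my ($code) = @_;
    local $! = 0;
    return 'ok' if $code->();
    return $! ? "system error: $!" : 'failed without a system error';
}

# 1. An unrelated lookup fails first, like /etc/ssl/cert.pem in the trace.
open(my $probe, '<', '/nonexistent-dir/cert.pem');   # result ignored on purpose
my $stale = "$!";

# 2. The loader then fails for a different reason; $! still holds the
#    value left behind by step 1.
my $pass;                                # never assigned, as in the script
my $ok    = load_container('constructed bytes', $pass);
my $naive = $ok ? 'ok' : "failed to load: $!";

# 3. The same call, reported with errno cleared beforehand.
my $checked = describe_failure(
    sub { load_container('constructed bytes', $pass) }
);

print "errno after probe : $stale\n";
print "naive report      : $naive\n";
print "checked report    : $checked\n";
```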
