I am connecting to a CAS server. The CAS server certificate has expired, and because of that I am getting the error below:

    Error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed. Unable to connect to https://<domain name>:443/

To avoid the error, a few suggestions were to set verify_hostname and verify_ssl to "0". It's not solving the issue. Can anyone help?

Perl version: 5.22
LWP: 6.0.16
"To avoid the error, a few suggestions were to set verify_hostname and verify_ssl to 0."

If you follow these suggestions you should ask yourself why you use HTTPS at all, because ignoring certificate errors means man-in-the-middle attacks are possible, and the protection TLS should offer vanishes.

To connect to a server whose certificate cannot be validated by normal means, you have to use a different kind of verification instead of no verification at all. Support for HTTPS in current versions of LWP is realized using IO::Socket::SSL. This module offers a simple mechanism to deal with such problems: comparing the fingerprint of the certificate against an expected fingerprint.
First you need the current fingerprint of the certificate. This can be done with openssl commands or, if you are sure there is no man-in-the-middle attack while accessing the server, with this code:

    use strict;
    use warnings;
    use IO::Socket::SSL 1.980;

    my $dst = 'bad-cert.example.com';
    my $cl = IO::Socket::SSL->new(
        PeerAddr => $dst,
        PeerPort => 443,
        # The certificate cannot be validated the normal way, so we need to
        # disable validation this one time in the hope that there is
        # no man-in-the-middle attack.
        SSL_verify_mode => 0,
    ) or die "connect failed: $SSL_ERROR";

    # Default digest is SHA-256; the result is returned as "algo$hex".
    my $fp = $cl->get_fingerprint;
    print "fingerprint: $fp\n";
This gives the fingerprint together with the hash algorithm, e.g. sha256$55a5dfaaf.... This fingerprint can then be used to validate the certificate in future calls:

    use strict;
    use warnings;
    use IO::Socket::SSL 1.980;
    use LWP::UserAgent;

    my $dst = ....;  # from the example above
    my $fp  = ....;  # from the example above

    # ssl_opts are passed through to IO::Socket::SSL; with SSL_fingerprint set,
    # the certificate is accepted only if its fingerprint matches.
    my $ua = LWP::UserAgent->new(ssl_opts => { SSL_fingerprint => $fp });
    my $resp = $ua->get("https://$dst");
    print $resp->content;
Apart from that, please note that there is a reason certificates expire: after the expiration time no more revocations are tracked. This means you have no way to know that the certificate has not been revoked, because no CA will tell you.
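As an added example that is not part of the answer above: the answer mentions that the fingerprint can also be obtained with openssl commands but does not show them. The shell functions below do that, convert openssl's `SHA256 Fingerprint=AB:CD:...` output into the `sha256$abcd...` form that IO::Socket::SSL's SSL_fingerprint option expects, and compare a live fingerprint against a previously stored pin so that a changed certificate is reported instead of silently accepted. The function names are my own, and the host, port and sample openssl output line are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original answer. Obtains a server
# certificate's SHA-256 fingerprint with the openssl CLI and converts it into
# the "sha256$<hex>" form used by IO::Socket::SSL's SSL_fingerprint option.

# Turn openssl's "SHA256 Fingerprint=AB:CD:..." line (read from stdin) into
# the lowercase, colon-free "sha256$abcd..." form used by IO::Socket::SSL.
# The label match is case-insensitive because openssl releases differ in case.
to_ssl_fingerprint() {
    sed -e 's/^[Ss][Hh][Aa]256 Fingerprint=/sha256$/' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate from a live host and print it in pinned form.
# Needs network access and openssl. -servername sends SNI so the intended
# virtual host answers. No verification happens here on purpose: this is the
# one-time fetch the answer says to do only when you are sure there is no
# man-in-the-middle; afterwards the stored pin does the verifying.
fetch_fingerprint() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 \
        | to_ssl_fingerprint
}

# Compare the live fingerprint of host:port against an expected, stored pin.
# Exit status 0 on match, 1 on mismatch. A mismatch after the pin was recorded
# means the certificate changed (a renewal or an interception); re-verify the
# new fingerprint out of band before updating the stored pin.
check_pin() {
    expected=$1
    host=$2
    port=${3:-443}
    actual=$(fetch_fingerprint "$host" "$port")
    if [ "$actual" = "$expected" ]; then
        echo "pin ok: $actual"
        return 0
    fi
    echo "PIN MISMATCH for $host:$port" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Offline demonstration with a constructed openssl output line (placeholder
# bytes, not a real certificate):
sample_line='SHA256 Fingerprint=55:A5:DF:AA:F0:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45'
printf '%s\n' "$sample_line" | to_ssl_fingerprint
# -> sha256$55a5dfaaf00123456789abcdef0123456789abcdef0123456789abcdef012345

# Live use (placeholder host): store the value once, then check it on each run.
#   pin=$(fetch_fingerprint bad-cert.example.com)
#   check_pin "$pin" bad-cert.example.com
```

The value printed by `fetch_fingerprint` is exactly what goes into the `SSL_fingerprint => $fp` option in the LWP example above, so the pin can be recorded with openssl on one machine and consumed by the Perl client on another without ever disabling verification in the client.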