Trying to get SSL with client cert to work within POE environment

P

patrick.viet

Dear fellow perl users,

Here is a problem I've been trying to tackle since about 2007. I figured maybe someone on this group might know.

I'm trying to establish some SSL connection with self signed server and client certs between server and client, to establish encrypted authentication between different bits of software. These are daemons so I use the POE library.

I managed to do what I wanted in JavaScript with node.JS:

var sslcert = fs.readFileSync('mycert.pem');
var sslkey = fs.readFileSync('mykey.pem');
var sslca = fs.readFileSync('ca.pem');
var options = { cert: sslcert, key: sslkey, ca: sslca, ... other options .... };
options.agent = new https.Agent(options);
var req = https.request(options, function(res) {
s = req.socket;
if(!s.authorized) { my_callback('SSL API ERROR '+s.authorizationError); return; }
// the remote end was OK
....

No need to expand, just to give an idea of what I'm doing. I really want todo it with perl, node isn't mature enough yet in my experience and particularly with the libs I use, whereas perl mostly is.

Now I found how to do it with perl and cURL lib, but it's synchronous single thread, and I'd have to fork a separate interpreter to handle my connections. I tried with LWP just for kicks and kept getting some negotiations errors. At least cURL worked.

Anyway, I found this module: POE::Component::SSLify.
Within the options, I can set a client cert, and a client key

http://search.cpan.org/~apocal/POE-.../POE/Component/SSLify.pm#SSLify_ContextCreate

But nowhere can I choose to verify things against a specific certificate authority or check for the cert of the server I'm connecting to.

Any ideas of how I could do that or find where to do it? Been looking on and off since 2007...

I really don't want to have to resort to porting the app to node.js to get SSL, because honestly it's a nightmare to debug and the libs are still changing, not to mention well written perl is so much cleaner than these piles of async callbacks that node imposes.

Thanks so much all in advance for your great ideas.

Cheers
 
P

patrick.viet

POE::Filter::SSL appears to have explicit support for verifying client
certificates against a custom CA. If you'd rather stick with SSLify, it
looks to me like you want to create a custom SSL context (using the
Net::SSLeay CTX_* functions) which will allow you to set any options you

As long as it works and it stays within the unique perl process embedding POE (I'm going to handle quite a bit of simultaneous connections), I'm happywith it. I'll dig in that direction, I didn't know about the SSL filter, all I ever used up to now were the line and http filter.

Then I might hit some kind of difficulty with the select/poll based event manager, hopefully I can get epoll to work...

Thanks,

Cheers
 
P

patrick.viet

OK so I managed to get a few things working with the POE::Filter::SSL, but it's not usable as is. For example, it's not properly installable with CPAN(let alone available as a system package), it has a few bugs, and requiresvery recent versions of different packages to work. The good news is that I can look at the source code of this module to get it to work as custom context with SSLify.

Thanks for your help
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,968
Messages
2,570,149
Members
46,695
Latest member
StanleyDri

Latest Threads

Top