
"Peer certificate not verified" errors

  • Karl Boyken
    Message 1 of 5 , Jul 11, 2011
      We use SOAP::Lite to connect to a service on campus.  The service is moving from Thawte to InCommon for certificates; InCommon uses Comodo.  The new server certificate is 2048-bit.  Our code works with the old certificate, but not the new one.  We're using SOAPLite 0.710.08 with Perl 5.8.8 on RedHat Linux Enterprise Client 5.6.  We've also tried SOAPLite 0.712 with Perl 5.14.0 on Red Hat Enterprise Linux Server 6.1 and we get the same error.  Others on campus have also had errors with Perl 5.8.9 on RedHat 5.4 with SOAPLite v 0.710.10.  .NET and Python implementations work.


      "openssl s_client -showcerts" shows a 3-certificate chain on the server:

      CN=dnawebtesting.iowa.uiowa.edu
      CN=COMODO High-Assurance Secure Server CA
      CN=AddTrust External CA Root


      Here is the SSL output from a query:

      Client-SSL-Cert-Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
      Client-SSL-Cert-Subject: /C=US/postalCode=52242/ST=IA/L=Iowa City/streetAddress=16 Lindquist Center/streetAddress=The University of Iowa/streetAddress=ITS Enterprise Infrastructure Windows Services Group/O=University of Iowa/OU=ITS-EI-WSG/OU=PlatinumSSL/CN=dnawebtesting.iowa.uiowa.edu
      Client-SSL-Cipher: RC4-SHA
      Client-SSL-Warning: Peer certificate not verified


      This is the output received:

      <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server did not recognize the value of HTTP Header SOAPAction: https://dnawebtesting.iowa.uiowa.edu/DNAData/MetaPeople/GetData.</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>


      When I turn on debugging for Crypt::SSLeay (via the HTTPS_DEBUG environment variable), I get this:

      SSL_connect:before/connect initialization
      SSL_connect:SSLv2/v3 write client hello A
      SSL_connect:SSLv3 read server hello A
      SSL_connect:SSLv3 read server certificate A
      SSL_connect:SSLv3 read server done A
      SSL_connect:SSLv3 write client key exchange A
      SSL_connect:SSLv3 write change cipher spec A
      SSL_connect:SSLv3 write finished A
      SSL_connect:SSLv3 flush data
      SSL_connect:SSLv3 read finished A


      This is the same Crypt::SSLeay output I get when I turn on debugging against the production server.

      Any help would be much appreciated.  I'm under some pressure to abandon Perl and use Python.  Thanks!

      Karl Boyken

      -- 
      Karl Boyken, system administrator karl-boyken@...
      303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
      The U. of Iowa, Iowa City, IA  52242   319-335-2730 (voice) 319-335-3668 (fax)
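
An added example, not part of the original thread and not the posters' code: a Python triage of the two outputs quoted in the message above, reporting the TLS-layer warning (`Client-SSL-Warning`) separately from the SOAP fault carried in the response body. The function names `parse_dn` and `triage` and the shortened subject DN are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: headers and fault as quoted in the message above
# (subject DN shortened for the example).
HEADERS = """\
Client-SSL-Cert-Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
Client-SSL-Cert-Subject: /C=US/ST=IA/L=Iowa City/O=University of Iowa/OU=ITS-EI-WSG/OU=PlatinumSSL/CN=dnawebtesting.iowa.uiowa.edu
Client-SSL-Cipher: RC4-SHA
Client-SSL-Warning: Peer certificate not verified
"""
BODY = (b'<?xml version="1.0" encoding="utf-8"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><soap:Fault><faultcode>soap:Client</faultcode>'
        b'<faultstring>Server did not recognize the value of HTTP Header '
        b'SOAPAction: https://dnawebtesting.iowa.uiowa.edu/DNAData/MetaPeople/GetData.'
        b'</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>')

def parse_dn(dn):
    """Split an OpenSSL one-line DN (/K=V/K=V...) into {key: [values]}."""
    fields = {}
    for part in re.split(r"/(?=[A-Za-z0-9.]+=)", dn):
        if part:
            key, _, value = part.partition("=")
            fields.setdefault(key, []).append(value)  # keys such as OU may repeat
    return fields

def triage(headers, body, expected_host):
    """Report transport-layer (TLS) and application-layer (SOAP) findings separately."""
    hdr = dict(l.split(": ", 1) for l in headers.splitlines() if ": " in l)
    subject = parse_dn(hdr.get("Client-SSL-Cert-Subject", ""))
    issuer = parse_dn(hdr.get("Client-SSL-Cert-Issuer", ""))
    report = {
        "tls": {
            "peer_verified": "Client-SSL-Warning" not in hdr,
            "cn_matches_host": expected_host in subject.get("CN", []),
            "issuer_cn": issuer.get("CN", [None])[0],
            "cipher": hdr.get("Client-SSL-Cipher"),
        },
        "soap": None,
    }
    fault = ET.fromstring(body).find(".//{%s}Fault" % SOAP_NS)
    if fault is not None:  # SOAP 1.1 fault children are unqualified elements
        report["soap"] = {"faultcode": fault.findtext("faultcode"),
                          "faultstring": fault.findtext("faultstring")}
    return report

if __name__ == "__main__":
    print(triage(HEADERS, BODY, "dnawebtesting.iowa.uiowa.edu"))
```

On this sample `peer_verified` is false while the server still returned a `soap:Client` fault, so the report shows the certificate warning and the SOAPAction fault as findings at two different layers.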
    • rahed
      Message 2 of 5 , Jul 11, 2011
        Karl Boyken <karl.boyken@...> writes:

        > This is the output received:
        >
        > <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="
        > http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="
        > http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
        > http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server
        > did not recognize the value of HTTP Header SOAPAction:
        > https://dnawebtesting.iowa.uiowa.edu/DNAData/MetaPeople/GetData.</faultstring><detail
        > /></soap:Fault></soap:Body></soap:Envelope>

        Be sure to supply a correct SOAPAction header (set with on_action method
        as uri and method).

        --
        Radek
      • Karl Boyken
        Message 3 of 5 , Jul 11, 2011
          Thanks, but, aside from the fqdn of the web server, the header is
          identical to the one that works on the production server.

          Karl

          On Mon, Jul 11, 2011 at 2:59 PM, rahed <raherh@...> wrote:
          > Karl Boyken <karl.boyken@...> writes:
          >
          >> This is the output received:
          >>
          >> <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="
          >> http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="
          >> http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="
          >> http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>Server
          >> did not recognize the value of HTTP Header SOAPAction:
          >> https://dnawebtesting.iowa.uiowa.edu/DNAData/MetaPeople/GetData.</faultstring><detail
          >> /></soap:Fault></soap:Body></soap:Envelope>
          >
          > Be sure to supply a correct SOAPAction header (set with on_action method
          > as uri and method).
          >
          > --
          > Radek
          >
        • Karl Boyken
          Message 4 of 5 , Jul 12, 2011
          For completeness, I've attached two files. soap_prod.txt is the
          SOAP::Lite trace and Crypt::SSLeay debug output for the production
          server, which works; soap_test.txt is the output for the test server
          that does not work. I've starred out the username and password.

          Karl Boyken

          --
          Karl Boyken, system administrator karl-boyken@...
          303A MLH, Dept. of Comp. Sci. http://www.cs.uiowa.edu/~boyken/
          The U. of Iowa, Iowa City, IA  52242   319-335-2730 (voice) 319-335-3668 (fax)
        • rahed
          Message 5 of 5 , Jul 13, 2011
            Karl Boyken <karl.boyken@...> writes:

            > For completeness, I've attached two files. soap_prod.txt is the
            > SOAP::Lite trace and Crypt::SSLeay debug output for the production
            > server, which works; soap_test.txt is the output for the test server
            > that does not work. I've starred out the username and password.

            I can't see any attachments with my mail client.

            --
            Radek