
Failing to connect with webservice when using SSL with ClientAuth

  • noorarshad
    Message 1 of 2 , Jun 5, 2012
      Hi,

      I'm new to SOAPLite and am struggling to solve this problem; hopefully, someone more knowledgeable can help me get past this.

      Using this small program, I'm trying to establish an SSL Client-Authenticated session to request a web-service:

      --------------------
      #!perl -w

      use SOAP::Lite +trace;

      $ENV{HTTPS_CA_FILE} = "certs/my-ca.pem";
      $ENV{HTTPS_CERT_FILE} = "certs/client-cert.pem";
      $ENV{HTTPS_KEY_FILE} = "certs/client-pvkey.pem";
      $ENV{HTTPS_CERT_PASS} = "ejbca";
      $ENV{HTTPS_DEBUG} = 1;

      print SOAP::Lite
      -> uri('http://ws.protocol.core.ejbca.org')
      -> proxy('https://atlas.mysite.com:8443/ejbca/ejbcaws/ejbcaws')
      -> getAvailableCAs()
      -> result;
      --------------------

      It consistently fails. The error in the trace is summarized below:

      ***************
      Client-Warning: Internal response

      Can't connect to atlas.mysite.com:8443

      LWP::Protocol::https::Socket: SSL connect attempt failed because of handshake problems error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate at /home/anoor/perl/lib/perl5/LWP/Protocol/http.pm line 51.
      ***************

      More data-points:

      - I'm using all current versions of the required modules;

      - There is no proxy involved;

      - openssl s_client works perfectly with the certs/keys/CA files
      shown in the perl program; I am able to connect and request a
      page from the site;

      - The net-ssl-test script from the Crypt-SSLeay-0.58 module is also
      able to connect with the above-mentioned certs/key;

      - The web-service is definitely working because I am able to verify
      that the service returns a response when tested with SOAPUI;

      - The client, server and CA certificates are all using the
      RSAwithSHA256 algorithm for the CA's signature (not sure if this
      is relevant; from what I understand SOAPLite ultimately relies on
      the OpenSSL library for the crypto work, so it ought to work given
      that s_client does).

      What am I missing here? Thanks, in advance, for your suggestions.

      Arshad
    • noorarshad
      Message 2 of 2 , Jun 7, 2012
        Thanks to Mark Allen on the LWP mailing list, the answer can be found here:

        http://www.mail-archive.com/libwww@perl.org/msg06964.html

        (In case that link doesn't work for any reason, the brief answer is: I had to include "use Net::SSL;" in my Perl program to make it work. Apparently, the newer LWP module uses the IO::Socket::SSL module instead of the older Net::SSL, which ignores the environment variables in the program pointing to my digital certificates. By forcing the program to use Net::SSL, it picks up the variables and works fine).

        Arshad

        --- In soaplite@yahoogroups.com, "noorarshad" <arshad@...> wrote:
        >
        > Hi,
        >
        > I'm new to SOAPLite and am struggling to solve this problem; hopefully, someone more knowledgeable can help me get past this.
        >
        > Using this small program, I'm trying to establish an SSL Client-Authenticated session to request a web-service:
        >
        > --------------------
        > #!perl -w
        >
        > use SOAP::Lite +trace;
        >
        > $ENV{HTTPS_CA_FILE} = "certs/my-ca.pem";
        > $ENV{HTTPS_CERT_FILE} = "certs/client-cert.pem";
        > $ENV{HTTPS_KEY_FILE} = "certs/client-pvkey.pem";
        > $ENV{HTTPS_CERT_PASS} = "ejbca";
        > $ENV{HTTPS_DEBUG} = 1;
        >
        > print SOAP::Lite
        > -> uri('http://ws.protocol.core.ejbca.org')
        > -> proxy('https://atlas.mysite.com:8443/ejbca/ejbcaws/ejbcaws')
        > -> getAvailableCAs()
        > -> result;
        > --------------------
        >
        > It consistently fails. The error in the trace is summarized below:
        >
        > ***************
        > Client-Warning: Internal response
        >
        > Can't connect to atlas.mysite.com:8443
        >
        > LWP::Protocol::https::Socket: SSL connect attempt failed because of handshake problems error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate at /home/anoor/perl/lib/perl5/LWP/Protocol/http.pm line 51.
        > ***************
        >
        > More data-points:
        >
        > - I'm using all current versions of the required modules;
        >
        > - There is no proxy involved;
        >
        > - openssl s_client works perfectly with the certs/keys/CA files
        > shown in the perl program; I am able to connect and request a
        > page from the site;
        >
        > - The net-ssl-test script from the Crypt-SSLeay-0.58 module is also
        > able to connect with the above-mentioned certs/key;
        >
        > - The web-service is definitely working because I am able to verify
        > that the service returns a response when tested with SOAPUI;
        >
        > - The client, server and CA certificates are all using the
        > RSAwithSHA256 algorithm for the CA's signature (not sure if this
        > is relevant; from what I understand SOAPLite ultimately relies on
        > the OpenSSL library for the crypto work, so it ought to work given
        > that s_client does).
        >
        > What am I missing here? Thanks, in advance, for your suggestions.
        >
        > Arshad
        >
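
The reply's fix forces Net::SSL so that the HTTPS_* environment variables are read. The added example below (not code from the thread) shows the other route: passing the same CA file, client certificate and key to IO::Socket::SSL through LWP's `ssl_opts`, so the client certificate is actually presented during the handshake. `CLIENT_KEY_PASS` is a hypothetical environment variable, and it is assumed that `proxy()` forwards `ssl_opts` to the underlying LWP::UserAgent.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use SOAP::Lite;

# File paths and endpoint are the ones from the post.
my %tls = (
    ca   => 'certs/my-ca.pem',
    cert => 'certs/client-cert.pem',
    key  => 'certs/client-pvkey.pem',
);
my $endpoint = 'https://atlas.mysite.com:8443/ejbca/ejbcaws/ejbcaws';

# Fail early with a clear message rather than a TLS alert from the server.
for my $role (sort keys %tls) {
    -r $tls{$role} or die "cannot read $role file $tls{$role}\n";
}

my $soap = SOAP::Lite
    ->uri('http://ws.protocol.core.ejbca.org')
    ->proxy(
        $endpoint,
        # Assumption: SOAP::Lite hands this list to LWP::UserAgent->ssl_opts,
        # which passes the SSL_* keys on to IO::Socket::SSL.
        ssl_opts => [
            verify_hostname => 1,            # keep server name checking on
            SSL_ca_file     => $tls{ca},     # CA that signed the server cert
            SSL_cert_file   => $tls{cert},   # client certificate to present
            SSL_key_file    => $tls{key},    # matching private key
            # Passphrase comes from the environment (hypothetical variable
            # name), not from a literal in the script.
            SSL_passwd_cb   => sub {
                $ENV{CLIENT_KEY_PASS} // die "CLIENT_KEY_PASS not set\n";
            },
        ],
    );

my $som = $soap->getAvailableCAs();
die 'SOAP fault: ' . $som->faultstring . "\n" if $som->fault;
print $som->result, "\n";
```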