Asking Crypt::SSLeay to Verify Server's Certificate

This section provides a tutorial example on how to ask Crypt::SSLeay to verify an HTTPS server's certificate using the HTTPS_CA_FILE environment variable.

From the previous section, we learned that Crypt::SSLeay does not perform any verification of the server's certificate by default. The question, then, is how to ask Crypt::SSLeay to verify the server's certificate.

Reading the Crypt::SSLeay documentation again, I see these environment variable settings:

  # CA cert peer verification
  $ENV{HTTPS_CA_FILE}   = 'certs/ca-bundle.crt';
  $ENV{HTTPS_CA_DIR}    = 'certs/';

To play with these settings, I need to:

1. Get a copy of the root CA certificate for the server's certificate. This can be done by using Firefox 3 to visit the site; read the Firefox 3 chapter of this book for more details.

2. Modify the Crypt::SSLeay test Perl script:

#- Copyright (c) 2011,, All Rights Reserved.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Point Crypt::SSLeay at the CA bundle so that the server's certificate
# chain is verified against it during the SSL handshake
$ENV{HTTPS_CA_FILE} = "CA_Bundle.crt";

my ($url) = @ARGV;
my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', $url);
my $response = $client->request($request);
$response->is_success or
    die "Failed to GET '$url': ", $response->status_line;

print "Request:\n";
print $request->as_string;
print "Response:\n";
print $response->as_string;

3. Run the modified test script:


SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL_connect:SSLv3 read finished A

User-Agent: libwww-perl/5.836

HTTP/1.1 200 OK
Cache-Control: private
Connection: close
Pragma: no-cache
Content-Type: text/html
Expires: 0
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=DigiCert Inc/
   /CN=DigiCert High Assurance CA-3
Client-SSL-Cert-Subject: /C=US/ST=CA/L=Sunnyvale/O=Yahoo! Inc.
Client-SSL-Cipher: AES256-SHA
Client-Transfer-Encoding: chunked
Link: <>; ...
"; type="text/css"
P3P: policyref="", CP="CAO DSP ...
Title: Sign in to Yahoo!
X-Frame-Options: DENY

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3....
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Sign in to Yahoo!</title>

Cool, the "Client-SSL-Warning: Peer certificate not verified" message is gone now!
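The procedure above relies on reading the response headers by eye to see that the warning is gone. As an added example (not code from the original page or from the Crypt::SSLeay project), the script below sets HTTPS_CA_FILE the same way and then refuses to use the response unless the warning is absent, so a missing or wrong CA bundle fails closed instead of silently falling back to an unverified connection. It assumes a PEM file named ca-bundle.crt holding the server's root CA, obtained as described in step 1.

```perl
#!/usr/bin/perl
# Added example: fetch an HTTPS URL through LWP + Crypt::SSLeay with CA
# verification enabled, and treat any "peer not verified" signal as fatal.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Assumption: ca-bundle.crt is a PEM file containing the root CA that
# issued the server's certificate (the file from step 1 of the text).
my $ca_file = $ENV{HTTPS_CA_FILE} || 'ca-bundle.crt';
-r $ca_file or die "CA bundle '$ca_file' is not readable\n";
$ENV{HTTPS_CA_FILE} = $ca_file;

my ($url) = @ARGV or die "usage: $0 https://host/path\n";
$url =~ m{^https://}i or die "refusing non-HTTPS URL '$url'\n";

my $ua = LWP::UserAgent->new(timeout => 30);
my $response = $ua->request(HTTP::Request->new(GET => $url));

# With HTTPS_CA_FILE set, a certificate chain that does not lead to a
# trusted root makes the SSL handshake fail, so the request is not a success.
$response->is_success
    or die "GET $url failed: ", $response->status_line, "\n";

# Belt and braces: the Client-SSL-Warning header is what the text showed
# disappearing once verification was on. If it is present, do not trust
# the response body at all.
if (my $warning = $response->header('Client-SSL-Warning')) {
    die "TLS peer not verified: $warning\n";
}

printf "verified peer: subject=%s issuer=%s cipher=%s\n",
    $response->header('Client-SSL-Cert-Subject') // '?',
    $response->header('Client-SSL-Cert-Issuer')  // '?',
    $response->header('Client-SSL-Cipher')       // '?';
print $response->decoded_content;
```

Running it with HTTPS_CA_FILE pointing at a bundle that does not contain the server's root CA should die at the is_success check rather than print the page, which is the behaviour to confirm before relying on the script.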

Last update: 2011.

