Problem mit LWP::UserAgent und SSL request unter Strawberry Perl (Fragen zu Perl-Modulen)

[thread]19601[/thread]

Problem mit LWP::UserAgent und SSL request unter Strawberry Perl

Tags: perl5 LWP SSL Ähnliche Threads

Leser: 16

Articles: hide open all | hide show old branches

+15 replies

Gast Bernhard

2015-04-03 14:56

Hallo zusammen,

habe vergangene Woche StrawBerry Perl auf meinem Windows PC installiert und angefangen, damit rumzuspielen.

Am Ende will ich ein kleines Progrämmchen bauen, dass mir hilft, über die Flickr API meinen Account dort effektiver zu nutzen.

Angefangen habe ich mit folgendem Script:

Code: (dl )

#!/usr/bin/perl
 
require LWP::UserAgent;

my $request_uri = '';
#my $ua = LWP::UserAgent->new;
my $ua = new LWP::UserAgent;
#$ua->protocols_allowed( [ 'http','https'] );
$ua->ssl_opts( verify_hostnames => 0 );
print "line 10 of script\n";
$ua->add_handler("request_send",  sub { shift->dump; return });
print "line 12 of script\n";
$ua->add_handler("response_done", sub { shift->dump; return });

#$ua->timeout(10);

$request_uri = 'https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7';

my $response = $ua->get($request_uri);

#print $response->status_line;
   
print $response->decoded_content;

Das generiert folgende Fehlermeldungen

Code: (dl )

GET https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2
c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e25
4995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7
User-Agent: libwww-perl/6.13

(no content)
500 Can't connect to api.flickr.com:443
Content-Type: text/plain
Client-Date: Fri, 03 Apr 2015 12:19:59 GMT
Client-Warning: Internal response

Can't connect to api.flickr.com:443\n
Bad file descriptor at C:/Strawberry/perl/vendor/lib/LWP/Protocol/http.pm line 47.\n
Can't connect to api.flickr.com:443

Bad file descriptor at C:/Strawberry/perl/vendor/lib/LWP/Protocol/http.pm line 47.

Wenn ich einfach eine http-url aufrufe funktioniert alles einwandfrei. Wenn ich die https-url im Browser aufrufe, funktioniert es auch.

Hat wer einen Tipp? Woran kann das liegen? Ich tippe ja auf ein Problem mit der Perl Installation?

Viele Grüße

Bernhard
Last edited: 2015-04-03 15:02:01 +0200 (CEST)

+2 replies
GwenDragon

2015-04-03 15:03

User since
2005-01-17
14607 Artikel
Admin1

LWP aktuell?
LWP::Protocol::https installiert?
die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten
- Gast Bernhard
  
  2015-04-03 15:25
  herzlichen Dank für die schnelle Antwort!
  
  2015-04-03T13:03:18 GwenDragon
  LWP aktuell?
  LWP::Protocol::https installiert?
  
  habe
  
  Code: (dl )
  
  1 2
  
  cpan install LWP cpan LWP::Protocol::https
  
  ausgeführt und beidesmal die Rückmeldung erhalten, es seien beide Module aktuell.
  
  LWP zeigt 6.13 und
  LWP::Protocol::https zeigt 6.06.
  
  Hänge ansosnten ohne Proxy im Netz über zwei Router bei mir zuhause
  Last edited: 2015-04-03 15:30:46 +0200 (CEST)
+3 replies

GwenDragon

2015-04-03 15:33

User since
2005-01-17
14607 Artikel
Admin1

Die Flickr-API wird aber über einen Yahoo-Server ausgeliefert, deswegen passt das Yahoo-Zertifikat nicht zur Domain api.flickr.com, deswegen verbindet LWP mit dem Fehler.

Schau mal, wenn du die Überprüfung bei SSL abschaltest (Methode ssl_opts()):

Code (perl): (dl )

use LWP::UserAgent; 
use IO::Socket::SSL;
use strict;
use warnings;

my $ua  = LWP::UserAgent->new (); 
$ua->ssl_opts(
    verify_mode   => SSL_VERIFY_PEER,
    verify_hostname => 0,                # Überprüfung des Zertifikats abschalten
);
my $req = HTTP::Request->new(
    GET => 'https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7'
);
my $res = $ua->request($req);
print $res->headers_as_string;

eribt:

Code: (dl )

Cache-Control: private
Connection: close
Date: Fri, 03 Apr 2015 13:31:58 GMT
Via: http/1.1 fts125.flickr.bf1.yahoo.com (ApacheTrafficServer/4.0.2 [cMsSf ]), http/1.1 r12.ycpi.dea.yahoo.net (ApacheTrafficServer [cMsSf ])
Age: 0
Server: ATS
Vary: Accept-Encoding
Content-Length: 120
Content-Type: text/xml; charset=utf-8
Client-Date: Fri, 03 Apr 2015 13:31:55 GMT
Client-Peer: 188.125.93.39:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
Client-SSL-Cipher: ECDHE-RSA-AES128-SHA256
Client-SSL-Socket-Class: IO::Socket::SSL
Client-SSL-Warning: Peer certificate not verified
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Strict-Transport-Security: max-age=259200
X-Robots-Tag: noindex
X-Served-By: www56.flickr.bf1.yahoo.com

Last edited: 2015-04-03 15:35:15 +0200 (CEST)

die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

+2 replies
BF68

2015-04-03 15:42
User since
2015-04-03
12 Artikel
BenutzerIn
2015-04-03T13:33:56 GwenDragon
Die Flickr-API wird aber über einen Yahoo-Server ausgeliefert, deswegen passt das Yahoo-Zertifikat nicht zur Domain api.flickr.com, deswegen verbindet LWP mit dem Fehler.
...

Hi vielen Dnka, das hilft, ich hatte zwar schon eine Zeile
Code: (dl )

$ua->ssl_opts( verify_hostnames => 0,);
Aber das scheint es alleine nicht zu bringen. Magst Du mir noch kurz den Unterschied zwischen Deiner und meiner Version erklären?
Last edited: 2015-04-03 15:52:40 +0200 (CEST)
- GwenDragon
  
  2015-04-03 15:55
  User since
  2005-01-17
  14607 Artikel
  Admin1
  Die Option heißt aber korrekterweise verify_hostname. Steht auch so in LWP::Protocol::https
  Das reicht.
  
  Code (perl): (dl )
  
  1 2 3
  
  $ua->ssl_opts( verify_hostname => 0, # Überprüfung des Zertifikats abschalten );
  
  Solange es keine yahoo.com-URL für die API gibt, musst du die SSL-Überprüfung abschalten.
  
  Und dass das Zertifikat (mit openssl getstet) nur folgende Zeitstempel hat:
  notBefore=Mar 16 00:00:00 2015 GMT
  notAfter=Apr 24 23:59:59 2015 GMT
  deutet auf irgendeiene Fehlkonfig oder Umstruktuerierung hin.
  
  Yahoo baut halt schönen Mist mit ihren Servern.
  Last edited: 2015-04-03 16:19:55 +0200 (CEST)
  die Drachin Gwen
  
  Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

GwenDragon

2015-04-03 15:58

User since
2005-01-17
14607 Artikel
Admin1

Doppelpost: https://www.flickr.com/groups/api/discuss/72157651...
die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten
GwenDragon

2015-04-03 16:32

User since
2005-01-17
14607 Artikel
Admin1

Verschoben von Netzwerkprogrammierung und Netzwerke mit Perl nach Fragen zu Perl-Modulen
die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

GwenDragon

2015-04-03 17:24

User since
2005-01-17
14607 Artikel
Admin1

Seltsam, das Zertifikat hat mehrer alternative Domains über DNS, darunter auch api.flickr.com.

Code: (dl )

C:\>openssl s_client -connect api.flickr.com:443 | openssl x509 -text
Loading 'screen' into random state -WARNING: can't open config file: z:/strawberry_libs/build/_wrk_2013Q1_.out/ssl/openssl.cnf
 done
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign C
lass 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            7e:26:b6:f9:10:8e:88:96:6c:d7:cf:6e:bc:12:59:ba
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class
3 Secure Server CA - G3
        Validity
            Not Before: Mar 16 00:00:00 2015 GMT
            Not After : Apr 24 23:59:59 2015 GMT
        Subject: C=US, ST=California, L=Sunnyvale, O=Yahoo Inc., CN=www.yahoo.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a6:91:fe:ef:38:57:b8:58:c7:9f:32:47:63:05:
                    35:01:26:0c:06:8b:7a:35:88:49:36:2b:6f:59:78:
                    74:72:37:1c:72:af:37:02:e6:3e:52:4c:2b:15:b2:
                    f3:cf:85:b5:6b:c4:b4:eb:37:bb:01:a4:32:00:a6:
                    b9:c9:b4:3b:48:40:c8:4d:29:da:5c:a4:6a:94:3b:
                    f2:fb:de:90:24:e3:15:05:dd:0f:4d:02:03:25:77:
                    7b:35:9b:42:84:36:ff:98:63:77:e7:1c:34:d0:6a:
                    41:07:88:da:01:f5:b2:ae:41:de:d3:59:eb:3c:da:
                    cd:78:a1:48:29:2c:cf:a2:97:7b:fd:68:6a:ab:19:
                    5e:84:88:fb:a3:10:27:ac:c7:ad:43:58:21:bd:4b:
                    75:f0:bb:47:e3:66:1a:5e:8b:a1:02:69:4a:a8:65:
                    8f:43:3b:29:d8:37:06:64:70:0c:71:4a:0d:fa:d6:
                    07:a8:73:14:12:6f:71:db:87:c9:a1:c9:2c:6d:a2:
                    f9:f7:97:69:61:58:3d:73:84:00:2f:e8:9b:d4:c4:
                    31:96:de:30:1f:58:71:3c:87:c3:48:44:04:39:13:
                    9e:7b:09:50:03:df:19:6c:d8:b9:01:b0:d8:8b:d4:
                    0f:ad:3f:13:4f:36:eb:91:33:7f:ef:7f:0d:a8:bd:
                    aa:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.answers.yahoo.com, DNS:*.antispam.yahoo.com, DNS:*.api.fantasysports.yahoo.com, DNS:*.auctions.yahoo.com, DNS:*.autos.
yahoo.com, DNS:*.calendar.yahoo.com, DNS:*.celebrity.yahoo.com, DNS:*.cricket.yahoo.com, DNS:*.deals.yahoo.com, DNS:*.eurosport.yahoo.com, D
NS:*.everything.yahoo.com, DNS:*.fantasysports.yahoo.com, DNS:*.finance.yahoo.com, DNS:*.flickr.com, DNS:*.football.fantasysports.yahoo.com,
 DNS:*.games.yahoo.com, DNS:*.geo.yahoo.com, DNS:*.groups.yahoo.com, DNS:*.help.yahoo.com, DNS:*.lifestyle.yahoo.com, DNS:*.m.yahoo.com, DNS
:*.mail.yahoo.com, DNS:*.maktoob.com, DNS:*.messenger.yahoo.com, DNS:*.mg.mail.yahoo.com, DNS:*.movies.yahoo.com, DNS:*.msg.yahoo.com, DNS:*
.mujer.yahoo.com, DNS:*.music.yahoo.com, DNS:*.my.yahoo.com, DNS:*.news.yahoo.com, DNS:*.notepad.yahoo.com, DNS:*.noticias.yahoo.com, DNS:*.
protrade.com, DNS:*.safely.yahoo.com, DNS:*.screen.yahoo.com, DNS:*.search.yahoo.com, DNS:*.secure.yahoo.com, DNS:*.seguridad.yahoo.com, DNS
:*.shine.yahoo.com, DNS:*.sports.yahoo.com, DNS:*.staticflickr.com, DNS:*.travel.yahoo.com, DNS:*.tv.yahoo.com, DNS:*.video.yahoo.com, DNS:*
.wc.fantasysports.yahoo.com, DNS:*.wc.yahoodns.net, DNS:*.weather.yahoo.com, DNS:*.yahoo.com, DNS:*.yahooapis.com, DNS:*.ybp.yahoo.com, DNS:
*.ymail.com, DNS:*.yql.yahoo.com, DNS:*.ysm.yahoo.com, DNS:flic.kr, DNS:flickr.com, DNS:s.wc.yahoo.net, DNS:www.yahoo.com, DNS:yahooapis.com
, DNS:ymail.com
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.54
                  CPS: https://d.symcb.com/cps
                  User Notice:
                    Explicit Text: https://d.symcb.com/rpa

            X509v3 Authority Key Identifier:
                keyid:0D:44:5C:16:53:44:C1:82:7E:1D:20:AB:25:F4:01:63:D8:BE:79:A5

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://sd.symcb.com/sd.crl

            Authority Information Access:
                OCSP - URI:http://sd.symcd.com
                CA Issuers - URI:http://sd.symcb.com/sd.crt

    Signature Algorithm: sha1WithRSAEncryption
         4e:d8:8e:a6:b2:ab:48:8a:d9:d3:fc:76:39:2c:be:1a:c9:d6:
         cd:84:63:57:48:d3:76:57:e2:61:85:b9:de:06:8c:59:d0:d9:
         a1:7e:e7:57:26:e0:12:98:98:58:16:79:52:7c:62:53:1b:1e:
         ed:aa:f5:61:19:53:c0:2b:a9:94:45:d0:ab:1c:ec:cb:e9:00:
         43:57:1c:c3:06:bf:43:c4:b5:82:1d:45:b2:73:27:7d:59:9e:
         7e:fc:a5:51:4f:bf:37:58:e8:17:6f:96:2e:6a:7f:dd:d9:12:
         b1:20:fc:15:2c:ea:b2:ac:09:0d:c2:41:03:c8:7d:06:b3:93:
         19:3e:bc:6c:0e:c1:47:3f:92:2d:2d:1c:49:e8:6b:3a:2c:d5:
         fe:20:db:67:47:16:f3:7b:14:0b:3c:b6:41:2a:db:72:52:28:
         dc:af:10:75:d6:47:ee:46:00:95:c6:46:09:63:ee:b9:f6:65:
         7d:eb:25:a9:3f:7f:98:b2:71:5c:21:65:7d:10:ff:17:ae:ba:
         b4:1f:37:22:57:f1:1b:e2:9e:a5:70:e6:fe:f8:f3:a5:79:41:
         7e:80:6e:62:ad:e7:93:72:af:cd:ef:dd:b7:60:2b:82:92:1e:
         72:12:d6:9b:73:58:3f:c2:1f:5c:01:a9:15:ec:cd:e3:70:c0:
         d0:a8:15:ac

Warum LWP + IO::Socket::SSL das nicht prüfen will, kann ich nicht sagen :(

die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

+6 replies

GwenDragon

2015-04-03 18:21

User since
2005-01-17
14607 Artikel
Admin1

Code (perl): (dl )

use strict;
use warnings;
use IO::Socket::SSL qw(debug3);
use LWP::UserAgent; 
use Mozilla::CA;

IO::Socket::SSL::set_ctx_defaults( 
        SSL_verify_mode => SSL_VERIFY_CLIENT_ONCE,
        SSL_ca_file => Mozilla::CA::SSL_ca_file(),
);

my $ua  = LWP::UserAgent->new (); 
my $req = HTTP::Request->new(
    GET => 
        'https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7'
);

my $res = $ua->request($req);

print $req->as_string;

print $res->status_line, "\n";

print $res->headers_as_string;

ergibt:

Code: (dl )

DEBUG: .../IO/Socket/SSL.pm:2602: new ctx 31057272
DEBUG: .../IO/Socket/SSL.pm:542: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:544: socket connected
DEBUG: .../IO/Socket/SSL.pm:566: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:599: using SNI with hostname api.flickr.com
DEBUG: .../IO/Socket/SSL.pm:634: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:653: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2458: ok=0 cert=52823648
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1791: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:1796: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:673: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:542: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:544: socket connected
DEBUG: .../IO/Socket/SSL.pm:566: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:599: using SNI with hostname api.flickr.com
DEBUG: .../IO/Socket/SSL.pm:634: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:2458: ok=0 cert=52823312
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1791: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:1796: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:673: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1780: IO::Socket::IP configuration failed
DEBUG: .../IO/Socket/SSL.pm:2635: free ctx 31057272 open=31057272
DEBUG: .../IO/Socket/SSL.pm:2640: free ctx 31057272 callback
DEBUG: .../IO/Socket/SSL.pm:2647: OK free ctx 31057272
GET https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7
User-Agent: libwww-perl/6.13

500 Can't connect to api.flickr.com:443
Content-Type: text/plain
Client-Date: Fri, 03 Apr 2015 16:20:22 GMT
Client-Warning: Internal response

Da muss sich wohl jemand reinhängen der IO::Socket::SSL besser kennt :/

die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

+2 replies
BF68

2015-04-03 21:39

User since
2015-04-03
12 Artikel
BenutzerIn

Hallo,
mir hat Dein Tipp schon sehr geholfen. Zumindest der erste Schritt funktioniert ja nun. Ich hatte ja auch nur ein 's' zuviel... :)

Noch eine Frage: wo platzier ich hier im Forum am Besten fragen zur Programmierung mit Perl zur Nutzung der Flickr API?

Vielen Dank

Bernhard
- GwenDragon
  
  2015-04-04 09:08
  
  User since
  2005-01-17
  14607 Artikel
  Admin1
  
  Ich denke das Forum Netzwerkprogrammierung und Netzwerke mit Perl passt eher weil es ja um einen Zugang zur API über das Web geht.
  Verschieben kann ich es ja immer noch, wenn es nicht passt.
  die Drachin Gwen
  
  Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten
bianca

2015-04-04 06:48

User since
2009-09-13
6991 Artikel
BenutzerIn

Das ist ziemlich komisch alles. Ging mir auch ständig so bei meinem Perl und Module Update. Hab oft gedacht, dass die gute neue HTTPS Welt in den Modulen irgendwie noch ein bisschen hakelt.
10 print "Hallo"
20 goto 10
noxxi

2015-04-07 18:34

User since
2015-04-07
18 Artikel
BenutzerIn

2015-04-03T16:21:33 GwenDragon

Da muss sich wohl jemand reinhängen der IO::Socket::SSL besser kennt :/

Problem ist vermutlich eine zu aktuelle Version von Mozilla::CA. Mozilla hat diverse Root-Zertifikate wegen 1024-Bit RSA entfernt. I.A. gibt es in diesen Fällen alternative Trustpfade, die die Browser auch fleißig nutzen. OpenSSL jedoch hat ein Problem mit alternativen Trustpfaden, für Details siehe http://kriscience.blogspot.de/2013/03/supporting-t....

Was kann man tun:
* Downgrade auf eine ältere Version von Mozilla::CA. Die Version 20130114 funktioniert noch, die aktuelle Version 20141217 jedoch nicht mehr.
* Oder das fehlende CA-Zertifikat direkt über die Option "SSL_ca_file" einbinden. Das Zertifikat kann man auf http://www.symantec.com/content/en/us/enterprise/v... bekommen.
Last edited: 2015-04-07 18:54:07 +0200 (CEST)

GwenDragon

2015-04-07 20:59

User since
2005-01-17
14607 Artikel
Admin1

Bislang klappt es nur mit einem originalen Strawberry-Perl 5.12.3 mit:

Code (perl): (dl )

use IO::Socket::SSL qw(debug3);
use LWP::UserAgent; 

IO::Socket::SSL::set_ctx_defaults( 
        SSL_verify_mode => SSL_VERIFY_PEER ,
        SSL_ca_file => "1.pem",
);

my $ua  = LWP::UserAgent->new (); 
my $req = HTTP::Request->new(
    GET => 
        'https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7'
);

my $res = $ua->request($req);

print $req->as_string;

print $res->status_line, "\n";

print $res->headers_as_string;

und dem Zertifikat http://www.symantec.com/content/en/us/enterprise/v...

1.pem:

Code: (dl )

ergibt:

Code: (dl )

DEBUG: .../IO/Socket/SSL.pm:1464: new ctx 46009944
DEBUG: .../IO/Socket/SSL.pm:334: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:336: socket connected
DEBUG: .../IO/Socket/SSL.pm:349: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:392: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:447: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:1500: free ctx 46009944 open=46009944
DEBUG: .../IO/Socket/SSL.pm:1508: OK free ctx 46009944
GET https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7
User-Agent: libwww-perl/5.837

200 OK
Cache-Control: private
Connection: close
Date: Tue, 07 Apr 2015 18:58:13 GMT
Via: http/1.1 fts101.flickr.bf1.yahoo.com (ApacheTrafficServer/4.0.2 [cMsSf ]), http/1.1 r07.ycpi.dea.yahoo.net (ApacheTrafficServer [cMsSf ])
Age: 0
Server: ATS
Vary: Accept-Encoding
Content-Length: 109
Content-Type: text/xml; charset=utf-8
Client-Date: Tue, 07 Apr 2015 18:58:10 GMT
Client-Peer: 188.125.93.38:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
Client-SSL-Cipher: RC4-SHA
Client-SSL-Warning: Peer certificate not verified
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Strict-Transport-Security: max-age=259200
X-Robots-Tag: noindex
X-Served-By: www67.flickr.bf1.yahoo.com

Dass es nur mit Uralt-LWP und -IO-Socket-SSL geht, stimmt nicht gerade freudig.

//EDIT:
Strawberry Perl 5.14.4.1 32bit (mit letzten Updates) auf Win 7 x64

Code (perl): (dl )

use strict; use warnings;
use IO::Socket::SSL qw(debug3);
use LWP::UserAgent; 

my $ua  = LWP::UserAgent->new; 
$ua->ssl_opts( 
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_file => '1.pem',
 );
my $req = HTTP::Request->new(
    GET => 
        'https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7'
);

my $res = $ua->request($req);

print $req->as_string;
print $res->status_line, "\n";
print $res->headers_as_string;

erzeugt

Code: (dl )

DEBUG: .../IO/Socket/SSL.pm:2602: new ctx 32724688
DEBUG: .../IO/Socket/SSL.pm:542: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:544: socket connected
DEBUG: .../IO/Socket/SSL.pm:566: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:599: using SNI with hostname api.flickr.com
DEBUG: .../IO/Socket/SSL.pm:634: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:653: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=52275728
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=52276064
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=52275840
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=42283792
DEBUG: .../IO/Socket/SSL.pm:1570: scheme=www cert=42283792
DEBUG: .../IO/Socket/SSL.pm:1580: identity=api.flickr.com cn=www.yahoo.com alt=2 *.answers.yahoo.com 2 *.antispam.yahoo.com 2 *.api.fantasysports.yahoo.com 2 *.auctions.yahoo.com 2 *.autos.yahoo.com 2 *.calendar.yahoo.com 2 *.celebrity.yahoo.com 2 *.cricket.yahoo.com 2 *.deals.yahoo.com 2 *.eurosport.yahoo.com 2 *.everything.yahoo.com 2 *.fantasysports.yahoo.com 2 *.finance.yahoo.com 2 *.flickr.com 2 *.football.fantasysports.yahoo.com 2 *.games.yahoo.com 2 *.geo.yahoo.com 2 *.groups.yahoo.com 2 *.help.yahoo.com 2 *.lifestyle.yahoo.com 2 *.m.yahoo.com 2 *.mail.yahoo.com 2 *.maktoob.com 2 *.messenger.yahoo.com 2 *.mg.mail.yahoo.com 2 *.movies.yahoo.com 2 *.msg.yahoo.com 2 *.mujer.yahoo.com 2 *.music.yahoo.com 2 *.my.yahoo.com 2 *.news.yahoo.com 2 *.notepad.yahoo.com 2 *.noticias.yahoo.com 2 *.protrade.com 2 *.safely.yahoo.com 2 *.screen.yahoo.com 2 *.search.yahoo.com 2 *.secure.yahoo.com 2 *.seguridad.yahoo.com 2 *.shine.yahoo.com 2 *.sports.yahoo.com 2 *.staticflickr.com 2 *.travel.yahoo.com 2 *.tv.yahoo.com 2 *.video.yahoo.com 2 *.wc.fantasysports.yahoo.com 2 *.wc.yahoodns.net 2 *.weather.yahoo.com 2 *.yahoo.com 2 *.yahooapis.com 2 *.ybp.yahoo.com 2 *.ymail.com 2 *.yql.yahoo.com 2 *.ysm.yahoo.com 2 flic.kr 2 flickr.com 2 s.wc.yahoo.net 2 www.yahoo.com 2 yahooapis.com 2 ymail.com
DEBUG: .../IO/Socket/SSL.pm:2508: got stapled OCSP response
run basic verify at C:/strawberry/perl/site/lib/IO/Socket/SSL.pm line 2515.
found issuer in chain at C:/strawberry/perl/site/lib/IO/Socket/SSL.pm line 2522.
found issuer in chain at C:/strawberry/perl/site/lib/IO/Socket/SSL.pm line 2522.
got issuer at C:/strawberry/perl/site/lib/IO/Socket/SSL.pm line 2522.
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:722: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:735: got OCSP success with stapling
DEBUG: .../IO/Socket/SSL.pm:2635: free ctx 32724688 open=32724688
DEBUG: .../IO/Socket/SSL.pm:2640: free ctx 32724688 callback
DEBUG: .../IO/Socket/SSL.pm:2647: OK free ctx 32724688
GET https://api.flickr.com/services/rest/?method=flickr.auth.getFrob&api_key=df2c4935d4a2dedb9e618f400e808b4c&format=rest&auth_token=72157651265610617-7929d0e254995744&api_sig=8b0edba90343f1593dcb14ad39ce07d7
User-Agent: libwww-perl/6.13

200 OK
Cache-Control: private
Connection: close
Date: Tue, 07 Apr 2015 19:16:26 GMT
Via: http/1.1 fts125.flickr.bf1.yahoo.com (ApacheTrafficServer/4.0.2 [cMsSf ]), http/1.1 r10.ycpi.dea.yahoo.net (ApacheTrafficServer [cMsSf ])
Age: 0
Server: ATS
Vary: Accept-Encoding
Content-Length: 109
Content-Type: text/xml; charset=utf-8
Client-Date: Tue, 07 Apr 2015 19:16:23 GMT
Client-Peer: 188.125.93.38:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
Client-SSL-Cert-Subject: /C=US/ST=California/L=Sunnyvale/O=Yahoo Inc./CN=www.yahoo.com
Client-SSL-Cipher: ECDHE-RSA-AES128-SHA256
Client-SSL-Socket-Class: IO::Socket::SSL
P3P: policyref="http://info.yahoo.com/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV"
Strict-Transport-Security: max-age=259200
X-Robots-Tag: noindex
X-Served-By: www252.flickr.bf1.yahoo.com

Last edited: 2015-04-07 21:19:40 +0200 (CEST)

die Drachin Gwen

Meine Perl-Artikel · perldev – verschiedene Perl-Versionen unter Windows starten

View all threads created 2015-04-03 14:56.