#!/usr/bin/perl
# Connection test: construct a Net::FTP object with TLS-related options and
# print the error text if construction fails.
use strict;
use warnings;

use Net::FTP 3.07;
use Net::FTP::File 0.06;
use IO::Socket::SSL 2.012;
use Net::SSLeay 1.68;

# NOTE(review): in IO::Socket::SSL, SSL_cert_file names the local (client)
# certificate, not the trust store. A CA bundle used to verify the server
# belongs in SSL_ca_file. The "Failed to use private key" /
# SSL_CTX_use_PrivateKey_file errors quoted after this listing are consistent
# with the CA bundle being loaded as a certificate/key pair.
my @connect_opts = (
    Timeout       => 10,
    SSL_cert_file => 'cacert.pem',    # this is the file from Mozilla::CA version 20150826
);

my $ftp = Net::FTP->new('hosturl', @connect_opts);

# Constructor returned a false value: show the error text and stop.
if (!$ftp) {
    print "\$@ = '$@'";
    exit();
}
Quote: d:\meinvers>perl -MIO::Socket::SSL=debug4 test_ftp.pl
DEBUG: .../IO/Socket/SSL.pm:1791: Failed to use private key
SSL error: 1896: 1 - error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
SSL error: 1896: 2 - error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 1896: 3 - error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 1896: 4 - error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib
SSL error: 1896: 5 - error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
SSL error: 1896: 6 - error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
SSL error: 1896: 7 - error:140B000D:SSL routines:SSL_CTX_use_PrivateKey_file:ASN1 lib
DEBUG: .../IO/Socket/SSL.pm:1796: Failed to use private key error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
2015-10-14T17:11:43 bianca...
SSL_cert_file => 'cacert.pem', # dies ist die Datei aus Mozilla::CA Version 20150826
...
DEBUG: .../IO/Socket/SSL.pm:1791: Failed to use private key
...
Welches Problem liegt hier vor?
#!/usr/bin/perl
# Connection test: construct a Net::FTP object that trusts the Mozilla CA
# bundle, then upgrade the control connection with STARTTLS.
use strict;
use warnings;

use Net::FTP 3.07;
use Net::FTP::File 0.06;

# Run as: perl -MIO::Socket::SSL=debug4 test_ftp.pl

# NOTE(review): the debug log quoted after this listing shows every chain
# certificate passing (ok=1) and then "hostname verification failed". The
# trust store is therefore fine; the name used to connect is not covered by
# the certificate's CN/subjectAltName entries. Resolve that by connecting
# with a name the certificate covers (IO::Socket::SSL's SSL_verifycn_name
# sets the name to check when it differs from the connect host), not by
# relaxing SSL_verify_mode.
my @connect_opts = (
    Timeout     => 10,
    SSL_ca_file => 'mozilla_cacert.pem',    # this is the file from Mozilla::CA version 20150826
    debug       => 1,
);

my $ftp = Net::FTP->new('hosturl', @connect_opts);

# Constructor returned a false value: show the error text and stop.
if (!$ftp) {
    print "\$@ = '$@'";
    exit();
}

# A false return from starttls() means the TLS upgrade did not complete.
if (!$ftp->starttls()) {
    print "mist";
}
Quote:
DEBUG: .../IO/Socket/SSL.pm:2602: new ctx 38895600
DEBUG: .../IO/Socket/SSL.pm:542: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:544: socket connected
DEBUG: .../IO/Socket/SSL.pm:566: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:599: using SNI with hostname hosturl
DEBUG: .../IO/Socket/SSL.pm:634: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:653: set socket to non-blocking to enforce timeout=10
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2505: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:677: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:687: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:707: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=44777104
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=45582208
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=45581824
DEBUG: .../IO/Socket/SSL.pm:2458: ok=1 cert=45581632
DEBUG: .../IO/Socket/SSL.pm:1570: scheme=ftp cert=45581632
DEBUG: .../IO/Socket/SSL.pm:1580: identity=hosturl cn=*.xxxx .com alt=2 *.xxxx .com 2 xxxx .com
DEBUG: .../IO/Socket/SSL.pm:1780: hostname verification failed
DEBUG: .../IO/Socket/SSL.pm:667: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1791: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1796: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:673: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:2635: free ctx 38895600 open=38895600
DEBUG: .../IO/Socket/SSL.pm:2640: free ctx 38895600 callback
DEBUG: .../IO/Socket/SSL.pm:2647: OK free ctx 38895600
mist
Quote:
DEBUG: .../IO/Socket/SSL.pm:1796: Invalid certificate authority locations
$@ = ''
SSL_hostname => 'mx.example.com'
DEBUG: .../IO/Socket/SSL.pm:1580: identity=hosturl cn=*.xxxx .com alt=2 *.xxxx .com 2 xxxx .com
Quote?verify client once; ignored for clients
http://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html#NOTES
SSL_VERIFY_CLIENT_ONCE
Server mode: only request a client certificate on the initial TLS/SSL handshake. Do not ask for a client certificate again in case of a renegotiation. This flag must be used together with SSL_VERIFY_PEER.
Client mode: ignored
2015-10-16T08:07:06 GwenDragon
Das bedeutet: gilt nur für eine Verbindung, bei der clientseitige Zertifikate verwendet werden.
# Connection test: construct a Net::FTP object with an explicit
# SSL_verify_mode and upgrade the control connection with STARTTLS.
use Net::FTP 3.07;
use IO::Socket::SSL 2.012 qw(debug1);
use Net::SSLeay 1.68;

# NOTE(review): SSL_VERIFY_CLIENT_ONCE on its own does not include
# SSL_VERIFY_PEER. The OpenSSL documentation quoted on this page says the
# flag must be used together with SSL_VERIFY_PEER and is ignored in client
# mode. A client configured with only this value is therefore not enforcing
# verification of the server certificate, and a handshake that succeeds
# with it says nothing about the certificate being valid for the host.
# Clients should use SSL_VERIFY_PEER.
my $verify_mode = SSL_VERIFY_CLIENT_ONCE;

my $ftp = Net::FTP->new(
    'ftp.gwendragon.de',
    SSL_verify_mode => $verify_mode,
);

# Constructor returned a false value: show the error text and stop.
if (!$ftp) {
    print "\$@ = '$@'";
    exit();
}

$ftp->starttls();