Subject: Add support for SHA-2 signed certificates
Date: Tue, 14 May 2013 16:18:58 +0200
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Újvári Áron <ujvari [...] microsec.hu>
Dear IO-Socket-SSL Maintainer!
MD5 signed certificates were deprecated some time ago, and these days
SHA-1 signed certificates are considered weak. It's time to move to
SHA-2 signed certificates.
There are countries, like Hungary, where registered certificate
authorities must obey the rules of national government authorities (NMHH
in Hungary), which will presumably disallow issuing SHA-1 signed
certificates in the near future.
As of IO-Socket-SSL version 1.88 it seems that it does not support SHA-2
signed certificates. Using it with LWP we get the following error message
during the verification of a SHA-2 signed website certificate:
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown
error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown
message digest algorithm at
/usr/lib/perl5/site_perl/5.10.0/LWP/Protocol/http.pm line 51.
There is a bug for cURL about the very same problem, and the same
resolution will probably apply to IO-Socket-SSL as well:
http://sourceforge.net/p/curl/bugs/848/
You should call Net::SSLeay::OpenSSL_add_all_digests() in the
Net::SSLeay initialization block in the BEGIN section of IO::Socket::SSL:
# Do Net::SSLeay initialization
Net::SSLeay::load_error_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
Net::SSLeay::OpenSSL_add_all_digests(); # <--- NEW line
Net::SSLeay::randomize();
As a workaround calling Net::SSLeay::OpenSSL_add_all_digests() by hand
after the "use IO::Socket::SSL" seems to work well.
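Added example, not code from the report or from IO::Socket::SSL itself: a complete LWP client that applies the workaround above before any handshake and checks that the SHA-2 digests are actually registered. It assumes a Net::SSLeay that exports EVP_get_digestbyname and a CA bundle at /etc/ssl/certs/ca-certificates.crt; both are assumptions for this example.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): apply the OpenSSL_add_all_digests()
# workaround and keep peer verification enabled while fetching an HTTPS URL.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;
use LWP::UserAgent;

# Workaround: register all digests (SHA-256/384/512 included) so that
# ASN1_item_verify can check SHA-2 signed certificates. Must run before
# the first TLS handshake.
Net::SSLeay::OpenSSL_add_all_digests();

# Sanity check: a failed lookup here means certificates signed with that
# digest would fail verification with "unknown message digest algorithm".
# Assumes Net::SSLeay exports EVP_get_digestbyname.
for my $name (qw(sha256 sha384 sha512)) {
    my $md = Net::SSLeay::EVP_get_digestbyname($name);
    die "digest $name not available in this OpenSSL build\n" unless $md;
}

# Verification stays on; do not disable it to "fix" the error.
# CA bundle path is an assumption for this example.
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => '/etc/ssl/certs/ca-certificates.crt',
    },
);

my $url = shift @ARGV or die "usage: $0 https://host/\n";
my $res = $ua->get($url);
if ($res->is_success) {
    print "OK: ", $res->status_line, "\n";
} else {
    # Without the digest registration above, a SHA-2 signed chain fails here
    # with the ASN1_item_verify error quoted in the report.
    print "FAILED: ", $res->status_line, "\n";
    exit 1;
}
```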
Best regards,
Aron Ujvari
IT Systems Engineer
Microsec Ltd.
--
Újvári Áron | Email: aron.ujvari@microsec.hu
IT Systems Engineer | Tel: +36 1 802-4425
| Fax: +36 1 505-4445
Microsec zrt. | Web: www.microsec.hu