perl Client-SSL-Warning: Peer certificate not verified

Jeremey · Jun 1, 2010

I am having trouble with a Perl screen scraper for an HTTPS site. In debugging, I ran the following:

print $res->headers_as_string;

and in the output, I have the following line:

Client-SSL-Warning: Peer certificate not verified

Is there a way I can auto-accept this certificate, or is that not the problem?

#!/usr/bin/perl 
use LWP::UserAgent; 
use Crypt::SSLeay::CTX; 
use Crypt::SSLeay::Conn; 
use Crypt::SSLeay::X509; 
use LWP::Simple qw(get);

my $ua  = LWP::UserAgent->new; 
my $req = HTTP::Request->new(GET => 'https://vzw-cat.sun4.lightsurf.net/vzwcampaignadmin/');
my $res = $ua->request($req);

print $res->headers_as_string;

output:

Cache-Control: no-cache
Connection: close
Date: Tue, 01 Jun 2010 19:28:08 GMT
Pragma: No-cache
Server: Apache
Content-Type: text/html
Expires: Wed, 31 Dec 1969 16:00:00 PST
Client-Date: Tue, 01 Jun 2010 19:28:09 GMT
Client-Peer: 64.152.68.114:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
Client-SSL-Cert-Subject: /C=US/ST=Massachusetts/L=Boston/O=verizon wireless/OU=TERMS OF USE AT WWW.VERISIGN.COM/RPA (C)00/CN=PSMSADMIN.VZW.COM
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-Warning: Peer certificate not verified
Client-Transfer-Encoding: chunked
Link: <css/vtext_style.css>; rel="stylesheet"; type="text/css"
Set-Cookie: JSESSIONID=DE6C99EA2F3DD1D4DF31456B94F16C90.vz3; Path=/vzwcampaignadmin; Secure
Title: Verizon Wireless - Campaign Administrator

UPDATE: I added

$ENV{HTTPS_CA_FILE}   = 'certs/PSMSADMIN.VZW.COM';
$ENV{HTTPS_CA_DIR}    = 'certs/';

as suggested below. I also turned on debugging:

$ENV{HTTPS_DEBUG} = 1;

Here is my output:

SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
content: 500 SSL negotiation failed: error:1407E086:SSL routines:SSL2_SET_CERTIFICATE:certificate verify failed

I try to ignore the failure, but the problem is that that is the only thing on the page now, so no login form or anything.

Answer

jasonmp85 · Jun 1, 2010

As near as I can tell, this is only a warning. The certificate on that site does not match the domain, so Perl is (rightfully) complaining about it. If you actually turn on peer certificate verification like so:

# CA cert peer verification
$ENV{HTTPS_CA_FILE}   = 'certs/ca-bundle.crt';
$ENV{HTTPS_CA_DIR}    = 'certs/';

You'll get this as your output:

Content-Type: text/plain
Client-Date: Tue, 01 Jun 2010 19:32:51 GMT
Client-Warning: Internal response
500 SSL negotiation failed: error:1407E086:SSL
      routines:SSL2_SET_CERTIFICATE:certificate verify failed
Content-Type: text/plain
Client-Date: Tue, 01 Jun 2010 19:32:51 GMT
Client-Warning: Internal response

There is a method named get_peer_verify in Net::SSL (which Crypt::SSLeay provides) which returns whether or not peer verification is desired. I believe it was added in 2001 or so in order to enable this message to be hidden. This patch from 2002 claims to turn off the warning when peer verification is not desired, but I don't think it was ever applied.

So in short, you can probably ignore the warning unless you mean to be doing verification, in which case I'd say add the root cert to your CA_DIR and CA_FILE. But since the cert's domain doesn't match the domain of the server, I'm not even sure that this will help.
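
The name mismatch mentioned in the answer can be confirmed offline from the headers in the question. The following is an added example, not code from the question or the answer: the helper names subject_cn, cn_matches_host and diagnose are hypothetical, and the sample header text is copied from the question's output.

```perl
#!/usr/bin/perl
# Added example: offline check of the Client-SSL-* headers LWP attaches to a
# response. Helper names are hypothetical; no network access is needed.
use strict;
use warnings;

# Return the CN from an OpenSSL one-line subject such as "/C=US/.../CN=host".
# Attribute values may themselves contain "/", so anchor on "/CN=".
sub subject_cn {
    my ($subject) = @_;
    return $subject =~ m{/CN=([^/]+)} ? $1 : undef;
}

# Case-insensitive host match; "*" is accepted only as the whole left-most label.
sub cn_matches_host {
    my ($cn, $host) = map { lc $_ } @_;
    return 1 if $cn eq $host;
    return 0 unless $cn =~ /^\*\.(.+)$/;
    my $suffix = $1;
    return $host =~ /^[^.]+\.\Q$suffix\E$/ ? 1 : 0;
}

# Summarise what the headers say about the TLS peer for a given request host.
sub diagnose {
    my ($host, $headers) = @_;
    my %h = map { /^([\w-]+):\s*(.*)$/ ? (lc($1) => $2) : () } split /\n/, $headers;
    my $cn = subject_cn($h{'client-ssl-cert-subject'} // '');
    return {
        # The warning header is present when the peer was not verified.
        peer_verified => exists $h{'client-ssl-warning'} ? 0 : 1,
        cn            => $cn,
        name_matches  => defined $cn ? cn_matches_host($cn, $host) : 0,
    };
}

# Subject and warning lines copied from the question's output.
my $headers = <<'END';
Client-SSL-Cert-Subject: /C=US/ST=Massachusetts/L=Boston/O=verizon wireless/OU=TERMS OF USE AT WWW.VERISIGN.COM/RPA (C)00/CN=PSMSADMIN.VZW.COM
Client-SSL-Warning: Peer certificate not verified
END

my $r = diagnose('vzw-cat.sun4.lightsurf.net', $headers);
printf "peer verified: %s\n", $r->{peer_verified} ? 'yes' : 'no';
printf "certificate CN: %s\n", $r->{cn} // '(none)';
printf "CN matches request host: %s\n", $r->{name_matches} ? 'yes' : 'no';
```

A "no" on the last line means that adding the issuing CA to HTTPS_CA_FILE can settle the chain check but leaves the hostname mismatch in place.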