Net::SSLeay::OO::Context - OO interface to Net::SSLeay CTX_ methods
use Net::SSLeay::OO::Constants qw(OP_ALL FILETYPE_PEM OP_NO_SSLv2); use Net::SSLeay::OO::Context; # create an SSL object, disable SSLv2 my $ctx = Net::SSLeay::OO::Context->new; $ctx->set_options(OP_ALL & OP_NO_SSLv2); # specify path to your CA certificates for verifying peer $ctx->load_verify_locations($ca_filename, $db_dir); # optional for clients - load our own certificate/key $ctx->use_certificate_chain_file($cert_filename); $ctx->use_PrivateKey_file($key_filename, FILETYPE_PEM); # optional for servers - require peer certificates $ctx->set_verify(VERIFY_PEER & VERIFY_FAIL_IF_NO_PEER_CERT); # now make SSL objects with these options! use Net::SSLeay::OO::SSL; my $ssl = Net::SSLeay::OO::SSL->new( ctx => $ctx ); # convenience method for the above, plus attach to a socket my $ssl = $ctx->new_ssl($socket);
Every SSL connection has a context, which specifies various options. You can also specify these options on Net::SSLeay::OO::SSL objects, but you would normally want to set up as much as possible early on, then re-use the context to create new SSL handles.
The OpenSSL library initialization functions are called the first time that a Net::SSLeay::OO::Context object is instantiated.
The raw ctx object. Use at your own risk.
Specify the SSL version to allow. 10 means TLSv1, 2 and 3 mean SSLv2 and SSLv3, respectively. No options means 'SSLv23'; if you want to permit the secure protocols only (SSLv3 and TLSv1) you need to use:
use Net::SSLeay::OO::Constants qw(OP_NO_SSLv2); my $ctx = Net::SSLeay::OO::Context->new(); $ctx->set_options( OP_NO_SSLv2 )
This option must be specified at object creation time.
All of the CTX_ methods in Net::SSLeay are converted to methods of the Net::SSLeay::OO::Context class.
The documentation that follows is a core set, sufficient for running up a server and verifying client certificates. However most functions from the OpenSSL library are actually imported.
Set options that apply to this Context. The valid values and descriptions can be found on SSL_CTX_set_options(3ssl); for this module they must be imported from Net::SSLeay::OO::Constants.
Returns the current options bitmask; mask with the option you're interested in to see if it is set:
unless ($ctx->get_options & OP_NO_SSLv2) { die "SSL v2 was not disabled!"; }
Specify where CA certificates in PEM format are to be found. $filename is a single file containing one or more certificates. $path refers to a directory with 9d66eef0.1 etc files as would be made by c_rehash. See SSL_CTX_load_verify_locations(3ssl).
$filename
$path
9d66eef0.1
Sets up system-dependent certificate store location. This is probably quite a good default.
Mode should be either VERIFY_NONE, or a combination of VERIFY_PEER, VERIFY_CLIENT_ONCE and/or VERIFY_FAIL_IF_NO_PEER_CERT. If you don't set this as a server, you cannot later call ->get_peer_certificate to find out if the client configured a certificate (though there are references to repeating SSL negotiation, eg in SSL_read(3ssl), not sure how this is performed though).
->get_peer_certificate
During the handshake phase, the $verify_callback is called once for every certificate in the chain of the peer, starting with the root certificate. Each time, it is passed two arguments: the first a boolean (1 or 0) which indicates whether the in-built certificate verification passed, and the second argument is the actual certficate which is being verified (a Net::SSLeay::OO::X509 object). Note this is different to the calling convention of OpenSSL and Net::SSLeay, which instead (logically, anyway) pass a Net::SSLeay::OO::X509::Context object. However there is little of interest in this other object, so for convenience the current certificate is passed instead as the second object. The Net::SSLeay::OO::X509::Context is passed as a third argument should you need it.
The passed Net::SSLeay::OO::X509 object will not work outside of the callback; get everything out of it that you need inside it, or use the get_peer_certificate method of Net::SSLeay::OO::SSL later.
get_peer_certificate
Example:
my @names; $ctx->set_verify(VERIFY_PEER, sub { my ($ok, $x509) = @_; push @names, $x509->subject_name->cn; return $ok; }); $ssl = $ctx->new_ssl($fd); $ssl->accept(); print "Client identity chain: @names\n";
$filename is the name of a local file. This becomes your local cert - client or server.
$type may be FILETYPE_PEM or FILETYPE_ASN1.
$type
$filename is the name of a local PEM file, containing a chain of certificates which lead back to a valid root certificate. In general, this is the more useful method of loading a certificate.
If using a certificate, you need to specify the private key of the end of the chain. Specify it here; set $type as with use_certificate_file
use_certificate_file
Sets/gets the mode of SSL objects created from this context. See SSL_set_mode(3ssl). This is documented more fully at "set_mode" in Net::SSLeay::OO::SSL
Makes a new Net::SSLeay::OO::SSL object using this Context, and attach it to the given socket (if passed).
Further convenience methods, which create a new Net::SSLeay::OO::SSL object, wire it up to the passed socket, then call either connect or accept. Returns the Net::SSLeay::OO::SSL object.
connect
accept
Returns the Net::SSLeay::OO::X509::Store associated with this context.
The following methods were defined in Net::SSLeay 1.35, and may work via this interface.
v2_new() v3_new() v23_new() tlsv1_new() new_with_method(meth) add_session(ctx,ses) remove_session(ctx,ses) flush_sessions(ctx,tm) use_RSAPrivateKey_file(ctx,file,type) set_cipher_list(s,str) ctrl(ctx,cmd,larg,parg) get_options(ctx) set_options(ctx,op) sessions(ctx) sess_number(ctx) sess_connect(ctx) sess_connect_good(ctx) sess_connect_renegotiate(ctx) sess_accept(ctx) sess_accept_renegotiate(ctx) sess_accept_good(ctx) sess_hits(ctx) sess_cb_hits(ctx) sess_misses(ctx) sess_timeouts(ctx) sess_cache_full(ctx) sess_get_cache_size(ctx) sess_set_cache_size(ctx,size) add_client_CA(ctx,x) callback_ctrl(ctx,i,fp) check_private_key(ctx) get_ex_data(ssl,idx) get_quiet_shutdown(ctx) get_timeout(ctx) get_verify_depth(ctx) get_verify_mode(ctx) set_cert_store(ctx,store) get_cert_store(ctx) set_cert_verify_callback(ctx,func,data=NULL) set_client_CA_list(ctx,list) set_default_passwd_cb(ctx,func=NULL) set_default_passwd_cb_userdata(ctx,u=NULL) set_ex_data(ssl,idx,data) set_purpose(s,purpose) set_quiet_shutdown(ctx,mode) set_ssl_version(ctx,meth) set_timeout(ctx,t) set_trust(s,trust) set_verify_depth(ctx,depth) use_RSAPrivateKey(ctx,rsa) get_ex_new_index(argl,argp,new_func,dup_func,free_func) set_session_id_context(ctx,sid_ctx,sid_ctx_len) set_tmp_rsa_callback(ctx, cb) set_tmp_dh_callback(ctx, dh) add_extra_chain_cert(ctx,x509) get_app_data(ctx) get_mode(ctx) get_read_ahead(ctx) get_session_cache_mode(ctx) need_tmp_RSA(ctx) set_app_data(ctx,arg) set_mode(ctx,op) set_read_ahead(ctx,m) set_session_cache_mode(ctx,m) set_tmp_dh(ctx,dh) set_tmp_rsa(ctx,rsa)
Sam Vilain, samv@cpan.org
Copyright (C) 2009 NZ Registry Services
This program is free software: you can redistribute it and/or modify it under the terms of the Artistic License 2.0 or later. You should have received a copy of the Artistic License the file COPYING.txt. If not, see <http://www.perlfoundation.org/artistic_license_2_0>
Net::SSLeay::OO, Net::SSLeay::OO::Constants, Net::SSLeay::SSL, Net::SSLeay::OO::X509, Net::SSLeay::Error
To install Net::SSLeay::OO, copy and paste the appropriate command in to your terminal.
cpanm
cpanm Net::SSLeay::OO
CPAN shell
perl -MCPAN -e shell install Net::SSLeay::OO
For more information on module installation, please visit the detailed CPAN module installation guide.