AnyEvent::TLS and client certs
Marc Lehmann
schmorp at schmorp.de
Wed Feb 29 11:09:49 CET 2012
On Tue, Feb 28, 2012 at 03:18:10PM -0800, Mike Schilli <anyevent at perlmeister.com> wrote:
> with AnyEvent. While the server hands out its cert and the client runs
> it against its ca file flawlessly, something's wrong with the client
> cert setup.
Stupid question #1 - the ca cert you use on the server actually verifies
the client certificate successfully (also is in its validity period, has
a common name etc.).
You might be able to use openssl s_client to verify a connection.
> So this has to do with the client cert verification by the server,
> for some reason the client doesn't seem to send it (just to verify,
openssl s_client with some verbosity option will tell you whether
something is wrong with the certificate, and whether it sends - the server
message, in typical openssl style, could also mean that the peer didn't
come up with a valid certificate.
> Anything I'm missing in the setup above?
Nothing obvious, I mostly use the same setup in AnyEvent::MP::Transport.
    $self->{tls_ctx} = {
        sslv2 => 0,
        sslv3 => 0,
        tlsv1 => 1,
        verify => 1,                        # verify the peer certificate
        cert => $config->{cert},            # own cert + key, as a PEM string
        ca_cert => $config->{cert},         # CA cert, same string here
        verify_require_client_cert => 1,    # server side: peer must present a cert
    };
(cert, key and cacert are all in the same string).
If you can come up with a test program that shows the problem then I will
look into it (t/80_sslcert.t as basis might or might not be of help).
Also, which openssl version is this? I got a report that 1.0.1 beta 2
apparently breaks AnyEvent::TLS, but I don't know any details yet.
--
The choice of a GNU generation: Deliantra, the free code+content MORPG
http://www.deliantra.net
Marc Lehmann
schmorp at schmorp.de
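As an added example, not code from the thread or from AnyEvent itself: a server handle that requires a client certificate and a client handle that presents one, using the same tls_ctx options as in the reply above but with file-based certs. The file names ca.pem, srv.pem and cli.pem and the port are assumptions.

```perl
# Added example, not code from the thread: a server that requires a client
# certificate and a client that presents one. File names are assumptions:
# ca.pem (CA that signed both certs), srv.pem and cli.pem (cert+key each).
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Socket;
use AnyEvent::Handle;
use Net::SSLeay;
my $cv = AE::cv;
my %srv_handles;
# Server: verify => 1 checks the peer cert against ca_file, and
# verify_require_client_cert => 1 fails the handshake if none is sent.
my $server = tcp_server "127.0.0.1", 4433, sub {
    my ($fh) = @_;
    my $h = AnyEvent::Handle->new(
        fh      => $fh,
        tls     => "accept",
        tls_ctx => {
            sslv2 => 0, sslv3 => 0, tlsv1 => 1,
            verify                     => 1,
            verify_require_client_cert => 1,
            cert_file => "srv.pem",   # assumed: server cert + key
            ca_file   => "ca.pem",    # assumed: CA of the client cert
        },
        on_starttls => sub {
            my ($h, $ok, $err) = @_;
            if ($ok) {   # $h->{tls} is the Net::SSLeay object
                my $cert = Net::SSLeay::get_peer_certificate ($h->{tls});
                warn "server: verified client cert ",
                     Net::SSLeay::X509_NAME_oneline (Net::SSLeay::X509_get_subject_name ($cert)), "\n";
            } else {
                warn "server: handshake failed: $err\n";
            }
            $cv->send;
        },
        on_error => sub { warn "server: $_[2]\n"; $cv->send },
    );
    $srv_handles{$h} = $h;   # keep the handle alive
};
# Client: cert_file is the cert it offers, ca_file what it checks the server against.
my $client = AnyEvent::Handle->new(
    connect => ["127.0.0.1", 4433],
    tls     => "connect",
    tls_ctx => { sslv2 => 0, sslv3 => 0, tlsv1 => 1, verify => 1,
                 cert_file => "cli.pem", ca_file => "ca.pem" },
    on_starttls => sub { warn $_[1] ? "client: handshake ok\n" : "client: $_[2]\n" },
    on_error    => sub { warn "client: $_[2]\n"; $cv->send },
);
$cv->recv;
```

Run it once with cli.pem present and once with cert_file removed from the client: the second run should end with the server reporting a failed handshake, which is the behaviour verify_require_client_cert is meant to produce.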