
Designating Trust on First Use with IO::Socket::SSL SSL_verify_mode

by mldvx4 (Friar)
on Feb 05, 2022 at 10:40 UTC (id://11141147, perlquestion)

mldvx4 has asked for the wisdom of the Perl Monks concerning the following question:

If I set SSL_verify_mode => SSL_VERIFY_PEER then the following script no longer fetches pages from the Gemini host which it points to. However, using SSL_verify_mode => SSL_VERIFY_NONE skips verifying the certificate at all. How can I modify the script so that the certificate is stored the first time it is seen and checked on each subsequent connection? In other words, I would like to have it run with "Trust on First Use".

    #!/usr/bin/perl
    use strict;
    use warnings;
    use IO::Socket::SSL;   # also exports $SSL_ERROR and the SSL_VERIFY_* constants

    # Open a TLS connection to the Gemini host (port 1965 is the Gemini default).
    # SSL_VERIFY_NONE accepts any certificate; this is the setting the question is about.
    my $cl = IO::Socket::SSL->new(
        PeerHost        => '',
        PeerPort        => 1965,
        SSL_hostname    => '',                # SNI name sent to the server
        SSL_verify_mode => SSL_VERIFY_NONE,
    ) or die("Failed to connect: $!, '$SSL_ERROR'\n");

    # Send the Gemini request (the URL followed by CRLF) and print the response.
    my $url = "gemini://";
    print $cl $url, "\r\n\r\n";
    while (my $line = <$cl>) {
        print qq($line);
    }
    exit(0);

Re: Designating Trust on First Use with IO::Socket::SSL SSL_verify_mode
by Corion (Patriarch) on Feb 05, 2022 at 10:59 UTC

    I think you need to implement that yourself. It doesn't seem "that hard". You can use the SSL_verify_callback callback of IO::Socket::SSL to do the store and verification. You can get at the certificate with Net::SSLeay::PEM_get_string_X509() (according to the documentation) and then compare or store.
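One way to build the trust-on-first-use behaviour Corion describes, using SSL_verify_callback and Net::SSLeay::PEM_get_string_X509(). This is an added example, not code from the thread: the host name, the pin file under $HOME, the `tofu_verify` callback and the tab-separated pin format are all assumptions. The leaf certificate's PEM text is hashed with SHA-256 and stored keyed by host; on later connections a different hash makes the callback return 0, which aborts the handshake because SSL_verify_mode is SSL_VERIFY_PEER.

```perl
#!/usr/bin/perl
# Trust-on-first-use (TOFU) Gemini client built on IO::Socket::SSL's
# SSL_verify_callback.  Added example; host, port, pin-file location and
# the pin format are assumptions, not from the original post.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;
use Digest::SHA qw(sha256_hex);
use File::Spec;

my $host     = 'example.invalid';    # placeholder capsule host (assumption)
my $port     = 1965;                 # Gemini default port
my $pin_file = File::Spec->catfile($ENV{HOME}, '.gemini_tofu');   # assumption

# Load "host<TAB>sha256hex" lines from the pin file into a hash.
sub load_pins {
    my ($file) = @_;
    my %pins;
    if (open my $fh, '<', $file) {
        while (my $line = <$fh>) {
            chomp $line;
            my ($h, $fp) = split /\t/, $line, 2;
            $pins{$h} = $fp if defined $fp;
        }
        close $fh;
    }
    return \%pins;
}

# Append a newly learned pin to the file.
sub save_pin {
    my ($file, $h, $fp) = @_;
    open my $fh, '>>', $file or die "cannot write $file: $!";
    print $fh "$h\t$fp\n";
    close $fh;
}

my $pins = load_pins($pin_file);

# Fingerprint = SHA-256 over the PEM text of the certificate handed to the callback.
sub cert_fingerprint {
    my ($cert) = @_;     # X509 pointer, as passed by IO::Socket::SSL
    my $pem = Net::SSLeay::PEM_get_string_X509($cert);
    return sha256_hex($pem);
}

# OpenSSL calls this once per certificate in the chain (and again for every
# verification error it finds).  Return 1 to accept, 0 to abort the handshake.
sub tofu_verify {
    my ($ok, $store, $certname, $error, $cert, $depth) = @_;
    return 1 if $depth > 0;              # only the leaf (depth 0) is pinned
    my $fp = cert_fingerprint($cert);
    if (!exists $pins->{$host}) {        # first use: learn and store the pin
        save_pin($pin_file, $host, $fp);
        $pins->{$host} = $fp;
        warn "TOFU: pinned $host as $fp\n";
        return 1;
    }
    return 1 if $pins->{$host} eq $fp;   # seen before and unchanged
    warn "TOFU: certificate for $host CHANGED "
       . "(expected $pins->{$host}, got $fp)\n";
    return 0;                            # mismatch: refuse the connection
}

my $cl = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => $port,
    SSL_hostname        => $host,        # SNI
    SSL_verify_mode     => SSL_VERIFY_PEER,   # makes a 0 from the callback fatal
    SSL_verifycn_scheme => 'none',       # the pin replaces hostname checking
    SSL_verify_callback => \&tofu_verify,
) or die "Failed to connect: $!, '$SSL_ERROR'\n";

print $cl "gemini://$host/\r\n";         # Gemini request: URL followed by CRLF
while (my $line = <$cl>) {
    print $line;
}
```

Two points worth knowing when adapting this: the callback can run more than once for the same leaf certificate (once per verification error OpenSSL reports), which is why the pin is written on the first call and then simply compared on the later ones; and because the pin is what establishes trust, a mismatch should be treated as a hard failure rather than a prompt, otherwise a changed certificate silently degrades back to no verification.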