Posted on 2007-06-14 06:10:47-07 by noxxi in response to 5433
Re: Checking of hostname missing

Yes I think it would be good to have something like this either in IO::Socket::SSL or Net::SSLeay.

But currently I see only one module (Crypt::X509) which gives you access to the subjAltName extension of the certificate. And unfortunately this module needs to get the certificate from a file, a design which doesn't really fit into the design of IO::Socket::SSL, e.g. it would be necessary to use a tempfile which is not an option I like, given that openssl provides all the necessary functions, only that they are not available through Net::SSLeay.

I think the best way would be to add functionality to Net::SSLeay so that subjAltName could be extracted and then checked within IO::Socket::SSL. Checking the CN only is not enough, for instance signin.ebay.DE sends a certificate for signin.ebay.COM and signin.ebay.DE is only mentioned within the subjAltName.

As for the callback: I don't think it's easy to get info on which part of the chain is currently checked. So if you just want to check the top most certificate it could be easier not to use the verify_callback but check against the info you get from $socket->peer_certificate after the builtin verification succeeded (e.g. the SSL connection is set up).
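The approach noxxi describes, as an added example that is not part of the original post or of the IO::Socket::SSL distribution: let the builtin chain verification run during the handshake, then read the CN and subjectAltName entries from $socket->peer_certificate and match them against the expected hostname yourself. The matching rules (case-insensitive compare, DNS subjectAltName entries take precedence over the CN, a single leading wildcard label) are the example's own choices and follow RFC 6125; the constructed certificate data at the bottom reproduces the ebay case from the post, where the CN names one host and only the subjectAltName names the other. It relies on peer_certificate('commonName'), peer_certificate('subjectAltNames') and Net::SSLeay::GEN_DNS, which exist in current Net::SSLeay and IO::Socket::SSL releases (later IO::Socket::SSL versions also do this check themselves via SSL_verifycn_name / SSL_verifycn_scheme, so the manual check is an illustration of the logic rather than something you need to keep writing).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;

# Match one name taken from the certificate against the expected hostname.
# Comparison is case-insensitive; a single leading "*." wildcard matches
# exactly one label, and only when the rest of the name still contains a dot
# (so "*.com" never matches anything).
sub name_matches {
    my ($cert_name, $host) = @_;
    $cert_name = lc $cert_name;
    $host      = lc $host;
    return 1 if $cert_name eq $host;
    if ($cert_name =~ /^\*\.(.+)$/) {
        my $suffix = $1;
        return 1 if $suffix =~ /\./ && $host =~ /^[^.]+\.\Q$suffix\E$/;
    }
    return 0;
}

# Decide whether a certificate is valid for $host.
# @san is the (type, value) pair list as returned by
# $ssl->peer_certificate('subjectAltNames'). If it contains any DNS
# entries they are authoritative and the CN is ignored (RFC 6125);
# only a certificate without DNS SANs falls back to the CN.
sub cert_valid_for_host {
    my ($host, $cn, @san) = @_;
    my @dns;
    while (@san) {
        my ($type, $value) = splice @san, 0, 2;
        push @dns, $value if $type == Net::SSLeay::GEN_DNS();
    }
    if (@dns) {
        return (grep { name_matches($_, $host) } @dns) ? 1 : 0;
    }
    return (defined $cn && name_matches($cn, $host)) ? 1 : 0;
}

# Offline illustration with constructed certificate data: the CN names one
# host, the subjectAltName carries a second one. A CN-only check wrongly
# rejects the second host; the SAN-aware check accepts it.
my $constructed_cn  = 'www.example.com';
my @constructed_san = (Net::SSLeay::GEN_DNS(), 'www.example.com',
                       Net::SSLeay::GEN_DNS(), 'www.example.de');
print "SAN-aware check for www.example.de: ",
    (cert_valid_for_host('www.example.de', $constructed_cn, @constructed_san)
        ? "accepted\n" : "rejected\n");
print "CN-only check for www.example.de:  ",
    (name_matches($constructed_cn, 'www.example.de') ? "accepted\n" : "rejected\n");

# Live check, following the advice in the post: builtin verification runs
# during the handshake; the certificate is inspected only after it succeeded.
if (my $host = $ARGV[0]) {
    my $ssl = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => 443,
        SSL_verify_mode => SSL_VERIFY_PEER,
    ) or die "connect/verify failed: $! ", IO::Socket::SSL::errstr(), "\n";

    my $cn  = $ssl->peer_certificate('commonName');
    my @san = $ssl->peer_certificate('subjectAltNames');
    if (cert_valid_for_host($host, $cn, @san)) {
        print "certificate matches $host\n";
    } else {
        $ssl->close;
        die "certificate does not match $host (CN=", $cn // '', ")\n";
    }
}
```

Run it without arguments to see the offline comparison only; with a hostname as the first argument it additionally connects to port 443 of that host, using the system CA store that IO::Socket::SSL picks up by default, and refuses to use the connection if neither a DNS subjectAltName nor (absent any) the CN matches. Doing the name check after the handshake rather than inside verify_callback is exactly the simplification the post suggests: you never have to work out which certificate in the chain the callback is currently looking at.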
