diff -u Net_SSLeay.pm-1.20.orig/Makefile.old Net_SSLeay.pm-1.20/Makefile.old --- Net_SSLeay.pm-1.20.orig/Makefile.old Thu Aug 22 13:40:40 2002 +++ Net_SSLeay.pm-1.20/Makefile.old Sat Sep 7 11:03:24 2002 @@ -13,8 +13,8 @@ # DEFINE => q[] # DIR => [q[Net-SSLeay-Handle-0.50]] # DISTNAME => q[Net_SSLeay.pm] -# INC => q[-I/usr/local/openssl/include -I/usr/local/openssl/inc32] -# LIBS => [q[-L/usr/local/openssl -L/usr/local/openssl/lib -L/usr/local/openssl/out32dll -lssl -lcrypto]] +# INC => q[-I/usr/local/ssl/include -I/usr/local/ssl/inc32] +# LIBS => [q[-L/usr/local/ssl -L/usr/local/ssl/lib -L/usr/local/ssl/out32dll -lssl -lcrypto]] # NAME => q[Net::SSLeay] # OPTIMIZE => q[-O] # VERSION_FROM => q[SSLeay.pm] @@ -106,7 +106,7 @@ PARENT_NAME = Net DLBASE = $(BASEEXT) VERSION_FROM = SSLeay.pm -INC = -I/usr/local/openssl/include -I/usr/local/openssl/inc32 +INC = -I/usr/local/ssl/include -I/usr/local/ssl/inc32 DEFINE = OBJECT = $(BASEEXT)$(OBJ_EXT) LDFROM = $(OBJECT) @@ -282,10 +282,10 @@ # Net::SSLeay might depend on some other libraries: # See ExtUtils::Liblist for details # -EXTRALIBS = -L/usr/local/openssl -L/usr/local/openssl/lib -lssl -lcrypto -LDLOADLIBS = -L/usr/local/openssl -L/usr/local/openssl/lib -lssl -lcrypto +EXTRALIBS = -L/usr/local/ssl -L/usr/local/ssl/lib -lssl -lcrypto +LDLOADLIBS = -L/usr/local/ssl -L/usr/local/ssl/lib -lssl -lcrypto BSLOADLIBS = -LD_RUN_PATH = /usr/local/openssl/lib +LD_RUN_PATH = /usr/local/ssl/lib # --- MakeMaker const_cccmd section: Common subdirectories: Net_SSLeay.pm-1.20.orig/Net-SSLeay-Handle-0.50 and Net_SSLeay.pm-1.20/Net-SSLeay-Handle-0.50 diff -u Net_SSLeay.pm-1.20.orig/SSLeay.pm Net_SSLeay.pm-1.20/SSLeay.pm --- Net_SSLeay.pm-1.20.orig/SSLeay.pm Thu Aug 22 03:52:41 2002 +++ Net_SSLeay.pm-1.20/SSLeay.pm Sat Sep 7 12:12:56 2002 
@@ -29,6 +29,11 @@
 # Peter Behroozi --Sampo
 # 21.8.2002, Added SESSION_get_master_key, SSL_get_client_random, SSL_get_server_random
 # --mikem@open.com_.au
+# 2.9.2002, Added SSL_CTX_get_cert_store, X509_STORE_add_cert, X509_STORE_add_crl
+# X509_STORE_set_flags, X509_load_cert_file, X509_load_crl_file
+# X509_load_cert_crl_file, PEM_read_bio_X509_CRL,
+# constants for X509_V_FLAG_* in order to support certificate revocation lists.
+# --mikem@open.com_.au
 # $Id: SSLeay.pm,v 1.18 2002/08/21 17:52:41 sampo Exp $
 #
 # The distribution and use of this module are subject to the conditions
@@ -297,6 +302,11 @@
 VERIFY_PEER
 WRITING
 X509_LOOKUP
+ X509_V_FLAG_CB_ISSUER_CHECK
+ X509_V_FLAG_USE_CHECK_TIME
+ X509_V_FLAG_CRL_CHECK
+ X509_V_FLAG_CRL_CHECK_ALL
+ X509_V_FLAG_IGNORE_CRITICAL
 CTX_new
 CTX_v2_new
 CTX_v3_new
@@ -375,6 +385,14 @@
 X509_get_subject_name
 X509_NAME_oneline
 X509_NAME_get_text_by_NID
+ CTX_get_cert_store
+ X509_STORE_add_cert
+ X509_STORE_add_crl
+ X509_STORE_set_flags
+ X509_load_cert_file
+ X509_load_crl_file
+ X509_load_cert_crl_file
+ PEM_read_bio_X509_CRL
 die_if_ssl_error
 die_now
 print_errs
@@ -696,6 +714,47 @@ "joe" and to the final web server as "susie". Proxy authentication requires MIME::Base64 module to work. +=head2 Certificate verification and Certificate Revoocation Lists (CRLs) + +OpenSSL supports the ability to verify peer certificates. Version 0.9.7 and later +can also optionally +check peer certificate against a Certificate Revocation List (CRL) from teh certificates +issuer. A CRL is a file, created by the certificate issuer that lists all the +certificates that ir previously signed, but which it now revokes. CRLs are in PEM format. + +With OpenSSL 0.9.7 and later, you can enable Net::SSLeay CRL checking like this: + + &Net::SSLeay::X509_STORE_set_flags + (&Net::SSLeay::CTX_get_cert_store($ssl), + &Net::SSLeay::X509_V_FLAG_CRL_CHECK); + +After setting this flag, if OpenSSL checks a peer's certificate, then it will attempt +to find a CRL for the issuer. It does this by looking for a specially named file in +the sercah directory specified by CTX_load_verify_locations. +CRL files are named with the hash of the issuers subject name, followed by .r0, .r1 etc. +For example ab1331b2.r0, ab1331b2.r1. It will read all the .r files for the issuer, +and then check for a revocation of the peer cerificate in all of them. +(You can also force it to look in a specific named CRL file., see below). +You can find out the hash of the issuer subject name in a CRL with + openssl crl -in crl.pem -hash -noout + +If the peer certificate does not pass the revocation list, or if no CRL is found, +then the handshaking fails with an error. + +You can also force OpenSSL to look for CRLs in one or more arbitrarily named files. + +my $bio = &Net::SSLeay::BIO_new_file($crlfilename, 'r'); +my $crl = &Net::SSLeay::PEM_read_bio_X509_CRL($bio); +if ($crl) +{ + &Net::SSLeay::X509_STORE_add_crl(&Net::SSLeay::CTX_get_cert_store($ssl, $crl); +} +else +{ + error reading CRL.... 
+}
+
+
 =head2 Convenience routines
 To be used with Low level API
diff -u Net_SSLeay.pm-1.20.orig/SSLeay.xs Net_SSLeay.pm-1.20/SSLeay.xs
--- Net_SSLeay.pm-1.20.orig/SSLeay.xs Thu Aug 22 03:52:42 2002
+++ Net_SSLeay.pm-1.20/SSLeay.xs Sat Sep 7 12:10:47 2002
@@ -32,6 +32,11 @@
  * Peter Behroozi --Sampo
  * 21.8.2002, Added SESSION_get_master_key, SSL_get_client_random, SSL_get_server_random
  * --mikem@open.com_.au
+ * 2.9.2002, Added SSL_CTX_get_cert_store, X509_STORE_add_cert, X509_STORE_add_crl
+ * X509_STORE_set_flags, X509_load_cert_file, X509_load_crl_file
+ * X509_load_cert_crl_file, PEM_read_bio_X509_CRL
+ * constants for X509_V_FLAG_*
+ * --mikem@open.com_.au
  *
  * $Id: SSLeay.xs,v 1.11 2002/08/21 17:52:42 sampo Exp $
  *
@@ -1506,6 +1511,44 @@
 #else
 goto not_there;
 #endif
+
+ if (strEQ(name, "X509_V_FLAG_CB_ISSUER_CHECK"))
+#ifdef X509_V_FLAG_CB_ISSUER_CHECK
+ return X509_V_FLAG_CB_ISSUER_CHECK;
+#else
+ goto not_there;
+#endif
+
+ if (strEQ(name, "X509_V_FLAG_USE_CHECK_TIME"))
+#ifdef X509_V_FLAG_USE_CHECK_TIME
+ return X509_V_FLAG_USE_CHECK_TIME;
+#else
+ goto not_there;
+#endif
+ if (strEQ(name, "X509_V_FLAG_CRL_CHECK"))
+#ifdef X509_V_FLAG_CRL_CHECK
+ return X509_V_FLAG_CRL_CHECK;
+#else
+ goto not_there;
+#endif
+ if (strEQ(name, "X509_V_FLAG_CRL_CHECK_ALL"))
+#ifdef X509_V_FLAG_CRL_CHECK_ALL
+ return X509_V_FLAG_CRL_CHECK_ALL;
+#else
+ goto not_there;
+#endif
+ if (strEQ(name, "X509_V_FLAG_IGNORE_CRITICAL"))
+#ifdef X509_V_FLAG_IGNORE_CRITICAL
+ return X509_V_FLAG_IGNORE_CRITICAL;
+#else
+ goto not_there;
+#endif
+ if (strEQ(name, ""))
+#ifdef SSL_X509_LOOKUP
+ return ;
+#else
+ goto not_there;
+#endif
 break;
 case 'Y':
 break;
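Review bot: The second example in the new "Certificate verification and Certificate Revoocation Lists" section is broken Perl: `&Net::SSLeay::X509_STORE_add_crl(&Net::SSLeay::CTX_get_cert_store($ssl, $crl);` passes `$crl` to CTX_get_cert_store instead of X509_STORE_add_crl and is missing a closing parenthesis, and should read `&Net::SSLeay::X509_STORE_add_crl(&Net::SSLeay::CTX_get_cert_store($ctx), $crl);`. Both examples name the handle `$ssl`, but the XS binding added in this same change declares SSL_CTX_get_cert_store as taking an `SSL_CTX *`, so a context handle is what must be passed and the variable name misleads. The BIO returned by BIO_new_file is never released after the CRL has been read, so the example leaks it. Since X509_V_FLAG_CRL_CHECK_ALL is exported by this commit, the prose should also say that X509_V_FLAG_CRL_CHECK only consults a CRL for the peer certificate itself and that X509_V_FLAG_CRL_CHECK_ALL is needed to check every certificate in the chain; the section also carries several typos ("Revoocation", "teh", "ir", "sercah", "cerificate").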
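Review bot: The last branch added to the constant lookup, `if (strEQ(name, ""))` guarded by `#ifdef SSL_X509_LOOKUP` with a bare `return ;`, looks like an unfilled copy of the template above it: it matches the empty name and returns no value from a function that returns one, which is a compile error or undefined behaviour depending on the compiler. Those six lines should be deleted; the other five new branches follow the existing pattern correctly. The enclosing function begins and ends outside this hunk.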
@@ -2395,6 +2438,46 @@ X509_STORE_CTX * x509_store_ctx X509 * x +int +X509_STORE_add_cert(ctx, x) + X509_STORE *ctx + X509 *x + +int +X509_STORE_add_crl(ctx, x) + X509_STORE *ctx + X509_CRL *x + +void +X509_STORE_set_flags(ctx, flags) + X509_STORE *ctx + long flags + CODE: +#ifdef X509_V_FLAG_CRL_CHECK + /* This is only in 0.9.7 and later */ + X509_STORE_set_flags(ctx, flags); +#else + not_here("X509_STORE_set_flags"); +#endif + +int +X509_load_cert_file(ctx, file, type) + X509_LOOKUP *ctx + char *file + int type + +int +X509_load_crl_file(ctx, file, type) + X509_LOOKUP *ctx + char *file + int type + +int +X509_load_cert_crl_file(ctx, file, type) + X509_LOOKUP *ctx + char *file + int type + ASN1_UTCTIME * X509_get_notBefore(cert) @@ -2641,6 +2724,10 @@ SSL_CTX * ctx X509_STORE * store +X509_STORE * +SSL_CTX_get_cert_store(ctx) + SSL_CTX * ctx + void SSL_CTX_set_cert_verify_callback(ctx,cb,arg) SSL_CTX * ctx @@ -3221,6 +3308,13 @@ BIO * bio void * x void * cb + void * u + +X509_CRL * +PEM_read_bio_X509_CRL(bio,x=NULL,cb=NULL,u=NULL) + BIO * bio + void * x + void * cb void * u void Common subdirectories: Net_SSLeay.pm-1.20.orig/examples and Net_SSLeay.pm-1.20/examples diff -u Net_SSLeay.pm-1.20.orig/makecert.err Net_SSLeay.pm-1.20/makecert.err --- Net_SSLeay.pm-1.20.orig/makecert.err Thu Aug 22 13:42:07 2002 +++ Net_SSLeay.pm-1.20/makecert.err Sat Sep 7 10:52:31 2002 @@ -1,6 +1,7 @@ +Using configuration from examples/req.conf Generating a 1024 bit RSA private key -....++++++ -..++++++ +.......++++++ +......++++++ unable to write 'random state' writing new private key to 'examples/key.pem' ----- 
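Review bot: The three new X509_load_*_file bindings take an `X509_LOOKUP *ctx`, but nothing in this change produces one from Perl: SSL_CTX_get_cert_store returns an `X509_STORE *`, and the typemap addition only teaches xsubpp to pass an `X509_LOOKUP *` through. Unless an existing binding already returns a lookup object, these three functions are unreachable, so a wrapper for OpenSSL's X509_STORE_add_lookup should be added alongside them or they should be left out until it exists. The `int` results of X509_STORE_add_cert, X509_STORE_add_crl and the load functions are OpenSSL's success indicators, yet the POD added in this change only shows X509_STORE_add_crl; each should be documented with its return contract, e.g. `=item X509_STORE_add_cert($store, $x509) - returns 1 on success, 0 on failure (see print_errs)`. The X509_STORE_set_flags fallback to not_here() on pre-0.9.7 builds is the right fail-loud choice, since a silently ignored CRL flag would leave revocation unchecked.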
@@ -11,4 +12,5 @@
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
-Country Name (2 letter code) [PT]:State or Province Name (optional) []:Locality Name (eg, city) [Lisboa]:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (the name of your machine) []:Email Address []:writing RSA key
+Country Name (2 letter code) [PT]:State or Province Name (optional) []:Locality Name (eg, city) [Lisboa]:Organization Name (eg, company) []:Organizational Unit Name (eg, section) []:Common Name (the name of your machine) []:Email Address []:read RSA key
+writing RSA key
diff -u Net_SSLeay.pm-1.20.orig/sslecho.log Net_SSLeay.pm-1.20/sslecho.log
--- Net_SSLeay.pm-1.20.orig/sslecho.log Thu Aug 22 13:42:10 2002
+++ Net_SSLeay.pm-1.20/sslecho.log Sat Sep 7 11:03:50 2002
@@ -1,3 +1,113 @@
+private key `examples/key.pem' (No such file or directory) 28278: 1 - error:02001002:system library:fopen:No such file or directory
+private key `examples/key.pem' (No such file or directory) 28278: 2 - error:20074002:BIO routines:FILE_CTRL:system lib
+private key `examples/key.pem' (No such file or directory) 28278: 3 - error:140B3002:SSL routines:SSL_CTX_use_RSAPrivateKey_file:system lib
+certificate `examples/cert.pem' (No such file or directory) 28278: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line
+certificate `examples/cert.pem' (No such file or directory) 28278: 2 - error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
+key at examples/sslecho.pl line 45.
+sslecho: Creating SSL context...
+sslecho: Setting cert and RSA key...
+ got 11:0 bytes (VM=vm_unknown).
+ got 0:11 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 11:11 bytes (VM=vm_unknown)
+ got 7:0 bytes (VM=vm_unknown).
+ got 0:7 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 7:7 bytes (VM=vm_unknown)
+ got 13:0 bytes (VM=vm_unknown).
+ got 0:13 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 13:13 bytes (VM=vm_unknown)
+ got 16384:0 bytes (VM=vm_unknown).
+ got 16384:16384 bytes (VM=vm_unknown).
+ got 16384:32768 bytes (VM=vm_unknown).
+ got 16384:49152 bytes (VM=vm_unknown).
+ got 16384:65536 bytes (VM=vm_unknown).
+ got 16384:81920 bytes (VM=vm_unknown).
+ got 16384:98304 bytes (VM=vm_unknown).
+ got 16384:114688 bytes (VM=vm_unknown).
+ got 16384:131072 bytes (VM=vm_unknown).
+ got 16384:147456 bytes (VM=vm_unknown).
+ got 11:0 bytes (VM=vm_unknown).
+ got 0:11 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 11:11 bytes (VM=vm_unknown)
+ got 7:0 bytes (VM=vm_unknown).
+ got 0:7 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 7:7 bytes (VM=vm_unknown)
+ got 13:0 bytes (VM=vm_unknown).
+ got 0:13 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 13:13 bytes (VM=vm_unknown)
+ got 16384:0 bytes (VM=vm_unknown).
+ got 16384:16384 bytes (VM=vm_unknown).
+ got 16384:32768 bytes (VM=vm_unknown).
+ got 16384:49152 bytes (VM=vm_unknown).
+ got 16384:65536 bytes (VM=vm_unknown).
+ got 16384:81920 bytes (VM=vm_unknown).
+ got 16384:98304 bytes (VM=vm_unknown).
+ got 16384:114688 bytes (VM=vm_unknown).
+ got 16384:131072 bytes (VM=vm_unknown).
+ got 16384:147456 bytes (VM=vm_unknown).
+ got 16384:163840 bytes (VM=vm_unknown).
+ got 16384:180224 bytes (VM=vm_unknown).
+ got 16384:196608 bytes (VM=vm_unknown).
+ got 16384:212992 bytes (VM=vm_unknown).
+ got 16384:229376 bytes (VM=vm_unknown).
+ got 16384:245760 bytes (VM=vm_unknown).
+ got 16384:262144 bytes (VM=vm_unknown).
+ got 16384:278528 bytes (VM=vm_unknown).
+ got 16384:294912 bytes (VM=vm_unknown).
+ got 16384:311296 bytes (VM=vm_unknown).
+ got 16384:327680 bytes (VM=vm_unknown).
+ got 16384:344064 bytes (VM=vm_unknown).
+ got 16384:360448 bytes (VM=vm_unknown).
+ got 16384:376832 bytes (VM=vm_unknown).
+ got 16384:393216 bytes (VM=vm_unknown).
+ got 16384:409600 bytes (VM=vm_unknown).
+ got 16384:425984 bytes (VM=vm_unknown).
+ got 16384:442368 bytes (VM=vm_unknown).
+ got 16384:458752 bytes (VM=vm_unknown).
+ got 16384:475136 bytes (VM=vm_unknown).
+ got 16384:491520 bytes (VM=vm_unknown).
+ got 16384:507904 bytes (VM=vm_unknown).
+ got 16384:524288 bytes (VM=vm_unknown).
+ got 16384:540672 bytes (VM=vm_unknown).
+ got 16384:557056 bytes (VM=vm_unknown).
+ got 16384:573440 bytes (VM=vm_unknown).
+ got 16384:589824 bytes (VM=vm_unknown).
+ got 16384:606208 bytes (VM=vm_unknown).
+ got 16384:622592 bytes (VM=vm_unknown).
+ got 16384:638976 bytes (VM=vm_unknown).
+ got 16384:655360 bytes (VM=vm_unknown).
+ got 16384:671744 bytes (VM=vm_unknown).
+ got 16384:688128 bytes (VM=vm_unknown).
+ got 16384:704512 bytes (VM=vm_unknown).
+ got 16384:720896 bytes (VM=vm_unknown).
+ got 16384:737280 bytes (VM=vm_unknown).
+ got 16384:753664 bytes (VM=vm_unknown).
+ got 16384:770048 bytes (VM=vm_unknown).
+ got 16384:786432 bytes (VM=vm_unknown).
+ got 16384:802816 bytes (VM=vm_unknown).
+ got 16384:819200 bytes (VM=vm_unknown).
+ got 16384:835584 bytes (VM=vm_unknown).
+ got 16384:851968 bytes (VM=vm_unknown).
+ got 16384:868352 bytes (VM=vm_unknown).
+ got 16384:884736 bytes (VM=vm_unknown).
+ got 16384:901120 bytes (VM=vm_unknown).
+ got 16384:917504 bytes (VM=vm_unknown).
+ got 16384:933888 bytes (VM=vm_unknown).
+ got 16384:950272 bytes (VM=vm_unknown).
+ got 16384:966656 bytes (VM=vm_unknown).
+ got 16384:983040 bytes (VM=vm_unknown).
+ got 16384:999424 bytes (VM=vm_unknown).
+ got 16384:1015808 bytes (VM=vm_unknown).
+ got 16384:1032192 bytes (VM=vm_unknown).
+ got 0:1048576 bytes (VM=vm_unknown).
+ write_all VM at entry=vm_unknown
+ written so far 1048576:1048576 bytes (VM=vm_unknown)
+bind: Address already in use (port=1212) at examples/sslecho.pl line 29.
 got 11:0 bytes (VM=vm_unknown).
 got 0:11 bytes (VM=vm_unknown).
 write_all VM at entry=vm_unknown
diff -u Net_SSLeay.pm-1.20.orig/typemap Net_SSLeay.pm-1.20/typemap
--- Net_SSLeay.pm-1.20.orig/typemap Sun May 26 12:24:37 2002
+++ Net_SSLeay.pm-1.20/typemap Mon Sep 2 14:31:25 2002
@@ -6,6 +6,8 @@
 RSA * T_IV
 DH * T_IV
 X509 * T_IV
+X509_CRL * T_IV
+X509_LOOKUP * T_IV
 X509_NAME * T_IV
 BIO * T_IV
 BIO_METHOD * T_IV