1SSLeay(3) User Contributed Perl Documentation SSLeay(3)
2
6 Crypt::SSLeay - OpenSSL support for LWP
7
9 lwp-request https://www.example.com
10 use LWP::UserAgent;
12 my $ua = LWP::UserAgent->new;
13 my $req = HTTP::Request->new('GET', 'https://www.example.com/');
14 my $res = $ua->request($req);
15 print $res->content, "\n";
16
18 This document describes "Crypt::SSLeay" version 0.56, released
19 2007-07-10.
20 This perl module provides support for the https protocol under LWP, to
22 allow an "LWP::UserAgent" object to perform GET, HEAD and POST
23 requests. Please see LWP for more information on POST requests.
24 The "Crypt::SSLeay" package provides "Net::SSL", which is loaded by
26 "LWP::Protocol::https" for https requests and provides the necessary
27 SSL glue.
28 This distribution also makes following deprecated modules available:
30 Crypt::SSLeay::CTX
32 Crypt::SSLeay::Conn
33 Crypt::SSLeay::X509
34 Work on Crypt::SSLeay has been continued only to provide https support
36 for the LWP (libwww-perl) libraries.
37
39 The following environment variables change the way "Crypt::SSLeay" and
40 "Net::SSL" behave.
41 # proxy support
43 $ENV{HTTPS_PROXY} = 'http://proxy_hostname_or_ip:port';
44 # proxy_basic_auth
46 $ENV{HTTPS_PROXY_USERNAME} = 'username';
47 $ENV{HTTPS_PROXY_PASSWORD} = 'password';
48 # debugging (SSL diagnostics)
50 $ENV{HTTPS_DEBUG} = 1;
51 # default ssl version
53 $ENV{HTTPS_VERSION} = '3';
54 # client certificate support
56 $ENV{HTTPS_CERT_FILE} = 'certs/notacacert.pem';
57 $ENV{HTTPS_KEY_FILE} = 'certs/notacakeynopass.pem';
58 # CA cert peer verification
60 $ENV{HTTPS_CA_FILE} = 'certs/ca-bundle.crt';
61 $ENV{HTTPS_CA_DIR} = 'certs/';
62 # Client PKCS12 cert support
64 $ENV{HTTPS_PKCS12_FILE} = 'certs/pkcs12.pkcs12';
65 $ENV{HTTPS_PKCS12_PASSWORD} = 'PKCS12_PASSWORD';
66
68 OpenSSL
69 You must have OpenSSL or SSLeay installed before compiling this module.
71 You can get the latest OpenSSL package from:
72 http://www.openssl.org/
74 On Debian systems, you will need to install the libssl-dev package, at
76 least for the duration of the build (it may be removed afterwards).
77 Other package-based systems may require something similar. The key is
79 that Crypt::SSLeay makes calls to the OpenSSL library, and how to do so
80 is specified in the C header files that come with the library. Some
81 systems break out the header files into a separate package from that of
82 the libraries. Once the program has been built, you don't need the
83 headers any more.
84 When installing openssl make sure your config looks like:
86 ./config --openssldir=/usr/local/openssl
88 or
89 ./config --openssldir=/usr/local/ssl
90 If you are planning on upgrading the default OpenSSL libraries on a
92 system like RedHat, (not recommended), then try something like:
93 ./config --openssldir=/usr --shared
95 The --shared option to config will set up building the .so shared
97 libraries which is important for such systems. This is followed by:
98 make
100 make test
101 make install
102 This way Crypt::SSLeay will pick up the includes and libraries automat‐
104 ically. If your includes end up going into a separate directory like
105 /usr/local/include, then you may need to symlink
106 /usr/local/openssl/include to /usr/local/include
107 Crypt::SSLeay
109 The latest Crypt::SSLeay can be found at your nearest CPAN, as well as:
111 http://search.cpan.org/dist/Crypt-SSLeay/
113 Once you have downloaded it, Crypt::SSLeay installs easily using the
115 "make" * commands as shown below.
116 perl Makefile.PL
118 make
119 make test
120 make install
121 * use nmake or dmake on Win32
123 For unattended (batch) installations, to be absolutely certain that
125 Makefile.PL does not prompt for questions on STDIN, set the following
126 environment variable beforehand:
127 PERL_MM_USE_DEFAULT=1
129 (This is true for any CPAN module that uses "ExtUtils::MakeMaker").
131 Windows
133 "Crypt::SSLeay" builds correctly with Strawberry Perl.
135 For Activestate users, the ActiveState company does not have a permit
137 from the Canadian Federal Government to distribute cryptographic soft‐
138 ware. This prevents "Crypt::SSLeay" from being distributed as a PPM
139 package from their repository. See <http://aspn.actives‐
140 tate.com/ASPN/docs/ActivePerl/5.8/faq/ActivePerl-faq2.html#crypto_pack‐
141 ages> for more information on this issue.
142 You may download it from Randy Kobes's PPM repository by using the fol‐
144 lowing command:
145 ppm install http://theoryx5.uwinnipeg.ca/ppms/Crypt-SSLeay.ppd
147 An alternative is to add the uwinnipeg.ca PPM repository to your local
149 installation. See <http://cpan.uwinnipeg.ca/htdocs/faqs/ppm.html> for
150 more details.
151 VMS
153 It is assumed that the OpenSSL installation is located at "/ssl$root".
155 Define this logical to point to the appropriate place in the filesys‐
156 tem.
157
159 LWP::UserAgent and Crypt::SSLeay have their own versions of proxy sup‐
160 port. Please read these sections to see which one is appropriate.
161 LWP::UserAgent proxy support
163 LWP::UserAgent has its own methods of proxying which may work for you
165 and is likely to be incompatible with Crypt::SSLeay proxy support. To
166 use LWP::UserAgent proxy support, try something like:
167 my $ua = new LWP::UserAgent;
169 $ua->proxy([qw( https http )], "$proxy_ip:$proxy_port");
170 At the time of this writing, libwww v5.6 seems to proxy https requests
172 fine with an Apache mod_proxy server. It sends a line like:
173 GET https://www.example.com HTTP/1.1
175 to the proxy server, which is not the CONNECT request that some proxies
177 would expect, so this may not work with other proxy servers than
178 mod_proxy. The CONNECT method is used by Crypt::SSLeay's internal proxy
179 support.
180 Crypt::SSLeay proxy support
182 For native Crypt::SSLeay proxy support of https requests, you need to
184 set the environment variable "HTTPS_PROXY" to your proxy server and
185 port, as in:
186 # proxy support
188 $ENV{HTTPS_PROXY} = 'http://proxy_hostname_or_ip:port';
189 $ENV{HTTPS_PROXY} = '127.0.0.1:8080';
190 Use of the "HTTPS_PROXY" environment variable in this way is similar to
192 "LWP::UserAgent-"env_proxy()> usage, but calling that method will
193 likely override or break the Crypt::SSLeay support, so do not mix the
194 two.
195 Basic auth credentials to the proxy server can be provided this way:
197 # proxy_basic_auth
199 $ENV{HTTPS_PROXY_USERNAME} = 'username';
200 $ENV{HTTPS_PROXY_PASSWORD} = 'password';
201 For an example of LWP scripting with "Crypt::SSLeay" native proxy sup‐
203 port, please look at the eg/lwp-ssl-test script in the "Crypt::SSLeay"
204 distribution.
205
207 Client certificates are supported. PEM0encoded certificate and private
208 key files may be used like this:
209 $ENV{HTTPS_CERT_FILE} = 'certs/notacacert.pem';
211 $ENV{HTTPS_KEY_FILE} = 'certs/notacakeynopass.pem';
212 You may test your files with the eg/net-ssl-test program, bundled with
214 the distribution, by issuing a command like:
215 perl eg/net-ssl-test -cert=certs/notacacert.pem \
217 -key=certs/notacakeynopass.pem -d GET $HOST_NAME
218 Additionally, if you would like to tell the client where the CA file
220 is, you may set these.
221 $ENV{HTTPS_CA_FILE} = "some_file";
223 $ENV{HTTPS_CA_DIR} = "some_dir";
224 There is no sample CA cert file at this time for testing, but you may
226 configure eg/net-ssl-test to use your CA cert with the -CAfile option.
227 (TODO: then what is the ./certs directory in the distribution?)
228 Creating a test certificate
230 To create simple test certificates with OpenSSL, you may run the fol‐
232 lowing command:
233 openssl req -config /usr/local/openssl/openssl.cnf \
235 -new -days 365 -newkey rsa:1024 -x509 \
236 -keyout notacakey.pem -out notacacert.pem
237 To remove the pass phrase from the key file, run:
239 openssl rsa -in notacakey.pem -out notacakeynopass.pem
241 PKCS12 support
243 The directives for enabling use of PKCS12 certificates is:
245 $ENV{HTTPS_PKCS12_FILE} = 'certs/pkcs12.pkcs12';
247 $ENV{HTTPS_PKCS12_PASSWORD} = 'PKCS12_PASSWORD';
248 Use of this type of certificate takes precedence over previous certifi‐
250 cate settings described. (TODO: unclear? Meaning "the presence of this
251 type of certificate??)
252
254 Crypt::SSLeay tries very hard to connect to any SSL web server accomo‐
255 dating servers that are buggy, old or simply not standards-compliant.
256 To this effect, this module will try SSL connections in this order:
257 SSL v23 - should allow v2 and v3 servers to pick their best type
259 SSL v3 - best connection type
260 SSL v2 - old connection type
261 Unfortunately, some servers seem not to handle a reconnect to SSL v3
263 after a failed connect of SSL v23 is tried, so you may set before using
264 LWP or Net::SSL:
265 $ENV{HTTPS_VERSION} = 3;
267 to force a version 3 SSL connection first. At this time only a version
269 2 SSL connection will be tried after this, as the connection attempt
270 order remains unchanged by this setting.
271
273 Many thanks to Gisle Aas for writing this module and many others
274 including libwww, for perl. The web will never be the same :)
275 Ben Laurie deserves kudos for his excellent patches for better error
277 handling, SSL information inspection, and random seeding.
278 Thanks to Dongqiang Bai for host name resolution fix when using a
280 proxy.
281 Thanks to Stuart Horner of Core Communications, Inc. who found the need
283 for building --shared OpenSSL libraries.
284 Thanks to Pavel Hlavnicka for a patch for freeing memory when using a
286 pkcs12 file, and for inspiring more robust read() behavior.
287 James Woodyatt is a champ for finding a ridiculous memory leak that has
289 been the bane of many a Crypt::SSLeay user.
290 Thanks to Bryan Hart for his patch adding proxy support, and thanks to
292 Tobias Manthey for submitting another approach.
293 Thanks to Alex Rhomberg for Alpha linux ccc patch.
295 Thanks to Tobias Manthey for his patches for client certificate sup‐
297 port.
298 Thanks to Daisuke Kuroda for adding PKCS12 certificate support.
300 Thanks to Gamid Isayev for CA cert support and insights into error mes‐
302 saging.
303 Thanks to Jeff Long for working through a tricky CA cert SSLClientVer‐
305 ify issue.
306 Thanks to Chip Turner for patch to build under perl 5.8.0.
308 Thanks to Joshua Chamas for the time he spent maintaining the module.
310 Thanks to Jeff Lavallee for help with alarms on read failures (CPAN bug
312 #12444).
313
315 Net::SSL
316 If you have downloaded this distribution as of a dependency of
317 another distribution, it's probably due to this module (which is
318 included in this distribution).
319 Net::SSLeay
321 A module that offers access to the OpenSSL API directly from Perl.
322 http://search.cpan.org/dist/Net_SSLeay.pm/
324 http://www.openssl.org/related/binaries.html
326 Pointers on where to find OpenSSL binary packages (Windows).
327
329 For use of Crypt::SSLeay & Net::SSL with perl's LWP, please send email
330 to "libwww@perl.org".
331 For OpenSSL or general SSL support please email the openssl user mail‐
333 ing list at "openssl-users@openssl.org". This includes issues associ‐
334 ated with building and installing OpenSSL on one's system.
335 Please report all bugs at
337 <http://rt.cpan.org/NoAuth/Bugs.html?Dist=Crypt-SSLeay>.
338 This module was originally written by Gisle Aas, and was subsequently
340 maintained by Joshua Chamas. It is currently maintained by David Land‐
341 gren.
342
344 Copyright (c) 2006-2007 David Landgren.
345 Copyright (c) 1999-2003 Joshua Chamas.
346 Copyright (c) 1998 Gisle Aas.
347 This program is free software; you can redistribute it and/or modify it
349 under the same terms as Perl itself.
350perl v5.8.8 2007-05-19 SSLeay(3)