How to verify self-signed certificate? - perl

I use Net::Jabber::Client to send messages via XMPP.
The server I am connecting to uses self-signed certificate:
DEBUG: .../IO/Socket/ new ctx 45728400
DEBUG: .../IO/Socket/ start handshake
DEBUG: .../IO/Socket/ ssl handshake not started
DEBUG: .../IO/Socket/ using SNI with hostname
DEBUG: .../IO/Socket/ request OCSP stapling
DEBUG: .../IO/Socket/ set socket to non-blocking to enforce timeout=10
DEBUG: .../IO/Socket/ call Net::SSLeay::connect
DEBUG: .../IO/Socket/ done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ ssl handshake in progress
DEBUG: .../IO/Socket/ waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/ socket ready, retrying connect
DEBUG: .../IO/Socket/ call Net::SSLeay::connect
DEBUG: .../IO/Socket/ did not get stapled OCSP response
DEBUG: .../IO/Socket/ ok=0 [0] /
DEBUG: .../IO/Socket/ done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ SSL connect attempt failed
DEBUG: .../IO/Socket/ local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/ fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/ downgrading SSL only, not closing socket
DEBUG: .../IO/Socket/ free ctx 45728400 open=
DEBUG: .../IO/Socket/ free ctx 45728400 callback
DEBUG: .../IO/Socket/ OK free ctx 45728400
I have found that I can pass SSL_fingerprint and/or SSL_verifycn_name to pass verification of self-signed certificate.
To make it just work I hack this
my %ssl_params = (
SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
SSL_hostname => '',
SSL_verifycn_name => '',
without success =(
I try to use ->get_fingerprint to obtain finger print and pass it to SSL_fingerprint parameter, but:
) or die "$IO::Socket::SSL::SSL_ERROR";
fail with error:
SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at
Which option to pass to IO::Socket::SSL to verify self-signed certificate?

Using the fingerprint is probably the easiest way to verify a self-signed certificate which is in your own control. When using SSL_fingerprint it will not care about any other kind of validations, i.e. not check the name, revocation, expiration etc anymore - so if you want to have checks for this too you should not use SSL_fingerprint.
Getting the fingerprint of a site can be done by connecting to the site once without validation (since you have no trust in the certificate yet) and getting the fingerprint or by getting the fingerprint from the certificate directly.
To get the fingerprint by asking the server, assuming that the connection is not intercepted so that you get the correct fingerprint:
use IO::Socket::SSL;
print IO::Socket::SSL->new(
PeerHost => '',
# switch off validation since the certificate is not trusted yet
SSL_verify_mode => SSL_VERIFY_NONE,
This currently gives sha256$642de54d84c30494157f53f657bf9f89b4ea6c8b16351fd7ec258d556f821040 which can be directly used as argument for SSL_fingerprint.
If you have instead the certificate for the site already you can compute the fingerprint directly on it:
# get the certificate
$ openssl s_client -connect -servername
# take this PEM certificate and get fingerprint
$ openssl x509 -fingerprint -sha256 -noout -in cert.pem
SHA256 Fingerprint=64:2D:E5:4D:84:C3:04:94:15:7F:53:F6:57:BF:9F:89:B4:EA:6C:8B:16:35:1F:D7:EC:25:8D:55:6F:82:10:40
The shown fingerprint is practically the same as before, only written in a different way. By removing all ':' (which are only there for readability) one gets 642DE5....1040 and by prefixing it with the used hash algorithm sha256 one gets something to be usable in SSL_fingerprint: sha256$642DE5...1040.
To use the fingerprint then to connect to the site:
my $cl = IO::Socket::SSL->new(
PeerHost => '',
SSL_fingerprint => 'sha256$642DE5...1040'

IO::Socket::SSL can verify self signed certificate only if it trusts the certificate authority file that you use to self sign the certificate.
I think you need to pass proper SSL_ca_file or SSL_ca_path to IO::Socket::SSL so that certificate authority file is accessible to it. This is the first thing mentioned in common usage errors section of IO::Socket::SSL docs.

Typically this occurs when encrypting via localhost, where a certificate per se hardly plays a role.
Modules that involve IO::Socket::SSL can be used with an additional parameter to prevent crashing with "certificate verify failed".
To solve that issue in the long-term, at the top, add this line:
use IO::Socket::SSL qw(SSL_VERIFY_NONE);
$smtp = Net::SMTPS->new('localhost',
doSSL => 'starttls',
Port => 587,
SSL_verify_mode => SSL_VERIFY_NONE


perl IO::Socket::SSL SSL connect attempt failed

on i start io::socket::ssl tls conncetion
my example it is work with google and facebook but it is not work with sip tls server
that is sip tls server
I am having trouble skipping the certificate
use IO::Socket::SSL;
sub start_connection{
my #parms = #_;
my $host = $parms[0];
my $sock = IO::Socket::SSL->new(
PeerAddr => $host,
SSL_startHandshake => 0,
) or die $!;
$sock->connect_SSL() or die $SSL_ERROR;
print "Good Connection"
on i setart conncet i have this error
SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed at line 14
You are using a self-signed certificate here. IO::Socket::SSL by default checks that the certificate can be trusted and a self-signed certificate cannot be trusted unless explicitly known by the client. While you could simply disable certificate validation this would basically disable any meaningful security since some man in the middle attacker could impersonate the real server without the client noticing it.
The best way would probably to get a certificate signed by a publicly trusted CA, like Let's Encrypt. If you insist on using a self-signed certificate though you might specifically trust this certificate by using the SSL_fingerprint option.
To get the necessary certificate fingerprint:
$ echo | openssl s_client -connect |\
openssl x509 -noout -fingerprint
SHA1 Fingerprint=CE:68:62:68:30:EA:F4:64:82:F5:5C:B7:FB:F4:DA:1B:77:88:9F:DD
Then to use this fingerprint with IO::Socket::SSL
my $sock = IO::Socket::SSL->new(
PeerAddr => '',
SSL_fingerprint => 'sha1$CE68626830EAF46482F55CB7FBF4DA1B77889FDD'
) or die $SSL_ERROR;

Override DNS For Specific Domains Like A Hosts File, But Without Using Hosts file

I need to issue a series of parallelized web requests from the same server to a specific domain, but control what IP address these requests actually go to. Originally, I came up with a scheme where I would request the IP I wanted specifically, and then manually set the Host: header on the request, and use a series of handlers to make sure that redirects issued followed the same pattern.
This seemed to work for some time, but lately I've been having trouble with redirects to HTTPS. The handshake will fail, and the request in turn. I have tried disabling SSL verification in a variety of ways, including:
local $ENV{ HTTPS_DEBUG } = 1;
SSL_ca_file => Mozilla::CA::SSL_ca_file(),
verify_hostname => 0,
SSL_verify_mode => 0x00,
SSL_verifycn_scheme => 'www',
SSL_verify_mode => 0,
I have also tried using LWP::UserAgent::DNS::Hosts to solve the problem, but it persists.
<edit>I should note that the reason why turning off peer validation for SSL is not solving the problem is likely because for some reason requesting this way is actually causing the handshake to fail, not failing on a validation point.</edit>
One thing that works is making an entry in /etc/hosts to point the domain at the appropriate IP, however this is not practical, because I may need to run tens, or hundreds, of tests, in parallel, on the same domain.
Is there a way to emulate the functionality of adding an entry to /etc/hosts that does not involve requesting the IP specifically and overriding the Host: ... HTTP header?
EDIT: SSL Debug Info
DEBUG: .../IO/Socket/ new ctx 140288835318480
DEBUG: .../IO/Socket/ socket not yet connected
DEBUG: .../IO/Socket/ socket connected
DEBUG: .../IO/Socket/ ssl handshake not started
DEBUG: .../IO/Socket/ not using SNI because hostname is unknown
DEBUG: .../IO/Socket/ set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ ssl handshake in progress
DEBUG: .../IO/Socket/ waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/ socket ready, retrying connect
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ SSL connect attempt failed with unknown error
DEBUG: .../IO/Socket/ fatal SSL error: SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG: .../IO/Socket/ free ctx 140288835318480 open=140288835318480
DEBUG: .../IO/Socket/ free ctx 140288835318480 callback
DEBUG: .../IO/Socket/ OK free ctx 140288835318480
And in the response I get:
Can't connect to
SSL connect attempt failed with unknown error error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure at /System/Library/Perl/Extras/5.18/LWP/Protocol/ line 51.
It fails equally well on our server (using an older legacy version of Perl, which I will not disclose here as it seems irrelevant).
The server initially responds to a non-HTTPS request with a 301 redirect to the HTTPS site. Then the failure occurs. I will post reproducing code with the specific details of my request removed, but any site which redirects non-HTTPS traffic to HTTPS should suffice.
use IO::Socket::SSL qw/ debug4 /;
use LWP::UserAgent;
use LWP::UserAgent::DNS::Hosts;
use HTTP::Request;
use Mozilla::CA;
use Data::Dumper;
'' => '', # no I am not redirecting to loopback in reality, this is anonymized
'' => '',
my $ua = LWP::UserAgent->new;
$ua->ssl_opts( SSL_ca_file => Mozilla::CA::SSL_ca_file() );
my $request = HTTP::Request->new(GET => '');
my $response = $ua->request($request);
print $response->content; #Dumper ( $response->is_success ? $response->headers : $response );
Again, that is not the production code, just enough code to reproduce the issue. It doesn't seem to have anything to do with SSL verification, but moreover an inability to negotiate the request, presumably because LWP::UserAgent::DNS::Hosts is doing exactly what I was doing: changing the request target to the desired IP, and then writing the Host: ... header manually. Why this causes the SSL handshake to fail, I do not know.
On my local machine debugging
openssl version -a: 1.0.2j 26 Sep 2016
IO::Socket::SSL->VERSION == 1.966
Net::SSLeay->VERSION == 1.72
On a server of ours
openssl version -a: 1.0.1t 3 May 2016
IO::Socket::SSL->VERSION == 1.76
Net::SSLeay->VERSION == 1.48
Given that it works with an explicit /etc/hosts file but not with just replacing PeerAddr or using LWP::UserAgent::DNS::Hosts this looks like a problem with the SNI extension. This TLS extension is used to provide the TLS server with the requested hostname (similar to the HTTP Host header) so that it can choose the appropriate certificate. If this SNI extension is missing some servers return a default certificate while others throw an error, like in this case.
The fix is to provide the hostname using SSL_hostname in ssl_opts. Such fix could probably also help with LWP::UserAgent::DNS::Hosts, i.e in LWP/Protocol/https/
12 if (my $peer_addr = LWP::UserAgent::DNS::Hosts->_registered_peer_addr($host)) {
13 push #opts, (
14 PeerAddr => $peer_addr,
15 Host => $host,
16 SSL_verifycn_name => $host,
NEW SSL_hostname => $host, # for SNI
17 );
18 }

Net::LDAPS throws unknown error during SSL connect

I am trying to connect to an LDAP server using the Net::LDAPS module. I am passing the right username, password and capath to it. The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.
The sample code I am working with :
my $ad_host = 'XYZ';
my $ad_port = 636;
my $ad_user = 'ABC';
my $ad_pass = '****';
my $ca_path = '<path to ca cert>';
my $ldap = Net::LDAPS->new(
port => $ad_port,
verify => 'require',
capath => $ca_path
Is it a known bug in the LDAPS module? Or am I missing out something apparent.
The debug logs:
DEBUG: .../IO/Socket/ set domain to 2
DEBUG: .../IO/Socket/ new ctx 21295632
DEBUG: .../IO/Socket/ socket not yet connected
DEBUG: .../IO/Socket/ socket connected
DEBUG: .../IO/Socket/ ssl handshake not started
DEBUG: .../IO/Socket/ set socket to non-blocking to enforce timeout=120
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ ssl handshake in progress
DEBUG: .../IO/Socket/ waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/ socket ready, retrying connect
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ ssl handshake in progress
DEBUG: .../IO/Socket/ waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/ socket ready, retrying connect
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/ SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/ fatal SSL error: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/ free ctx 21295632 open=21295632
DEBUG: .../IO/Socket/ OK free ctx 21295632
DEBUG: .../IO/Socket/ IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)
Versions of the modules I am using :
...:~/test_perl$ perlmodver Net::LDAPS
...:~/test_perl$ perlmodver Net::LDAP
...:~/test_perl$ perlmodver IO::Socket::SSL
If you look at the error you can see that certificate verification failed.
SSL connect attempt failed with unknown error..error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
You can either correct the certificate or ignore certificate verification by passing
verify => 'none'
On a sidenote, you can also use Net::LDAP if you pass ldaps:// as a prefix to $ad_host.
$ldaps = Net::LDAP->new('ldaps://',
verify => 'require',
capath => $ca_path);
Oops just noticed that you said
The same code with all the modules in the same version works on one of
my other machines. But on this particular machine I see this error.
Then this looks like a configuration issue. Can you connect to your server using ldapsearch?
This issue is resolved.
There are 2 ways to solve this :
Bypass the verification (Not recommended)
If you are using the "verify" attribute like the one in my code, you just have to comment it out. It will bypass the cert verification.
Add a soft link to the certificates
Maybe it is a behavior specific to trusty, because on lucid it was working fine. So, you need to create a soft link to all your pem files and place it in the CA Path. You can do this by running
ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

Trust self-signed certificate for Email::Sender::Transport::SMTPS in perl

Trying to use Email::Sender::Transport::SMTPS for sending email. My transport is:
my $transport = Email::Sender::Transport::SMTPS->new({
host => $smtpserver,
ssl => 'starttls',
sasl_username => $smtpuser,
sasl_password => $smtppassword,
debug => 1,
When trying send the email, the debug says:
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 250-SIZE 52428800
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 250-8BITMIME
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 250-PIPELINING
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 250-STARTTLS
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 250 HELP
Net::SMTPS=GLOB(0x7f893b2b00f0)>>> STARTTLS
Net::SMTPS=GLOB(0x7f893b2b00f0)<<< 220 TLS go ahead
DEBUG: .../IO/Socket/ local error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
DEBUG: .../IO/Socket/ fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
unable to establish SMTP connection
Probably because the server using self-signed certificate. (When using the same setting in the Thunderbird it is needed to add the "trust this certificate" setting.)
The question is: How to add the "trust this certificate" for the Email::Sender::Transport::SMTPS - thus allow sending email.
There is no direct way to give Email::Sender::Transport::SMTPS SSL specific arguments. But, since ultimately IO:Socket::SSL is used you can hack your way around this limitation. From the man page:
This is a list of typical errors seen with the use of IO::Socket::SSL:. ....
Make SSL settings inacessible by the user, together with bad builtin settings.
Some modules use IO::Socket::SSL, but don't make the SSL settings available to the user. This is often combined with bad builtin settings or defaults (like switching verification off). Thus the user needs to hack around these restrictions by using set_args_filter_hack or similar.
Thus what you could do is
IO::Socket::SSL::set_args_filter_hack( sub {
my ($is_server,$args) = #_;
$args->{SSL_fingerprint} = 'sha1$437104....'
With this option you could make certificate pinning trust a certificate as long as it's fingerprint matches the given one. You can get the fingerprint for instance with:
openssl s_client -connect -starttls smtp |\
openssl x509 -fingerprint -noout
Alternative ways would be to use the certificate as trusted with the SSL_ca_file option. You could also set SSL_verify_mode to 0 (SSL_VERFY_NONE) but since this disables any kind of validation you should only use this for testing.
Please note that set_args_filter_hack is global, that is it affects all IO::Socket::SSL objects in your program. Thus depending on the program you should only set it directly before you establish the connection with Email::Sender::Transport::SMTPS and reset it immediately afterwards.
For more information about these options please read the documentation of IO::Socket::SSL.
You can control the SSL usage with the options of new() constructor method
IN Email/Sender/Transport/
# compatible
my $ssl = $self->ssl;
$ssl = 'ssl' if $self->ssl and $self->ssl ne 'starttls';
return (
Port => $self->port,
Timeout => $self->timeout,
defined $ssl ? (doSSL => $ssl) : (),
defined $self->helo ? (Hello => $self->helo) : (),
defined $self->localaddr ? (LocalAddr => $self->localaddr) : (),
defined $self->localport ? (LocalPort => $self->localport) : (),
defined $self->debug ? (Debug => $self->debug) : (),
EDIT: This is really bad, because as per comments you trust everything. Instead if on linux/*nix
cat tobetrusted.crt >> /etc/ssl/cert.pem

PerL SSL connect attempt failed because of handshake problems

I'm hoping someone can help, I'm using the nagios plugin check_ilo2_health, the plugin works fine on our OpenSuSE systems but the new Ubuntu 14.04 system has issues, removing the nagios stuff and running perl, is basically this:
perl -e 'use IO::Socket::SSL qw(debug3);IO::Socket::SSL->new(SSL_hostname => "", PeerAddr=>"", Proto=>"tcp",SSL_verify_mode => SSL_VERIFY_NONE)or die $!'
I'm connecting to an HP ILO2 with a self signed certificate and get a reply:
DEBUG: .../IO/Socket/ new ctx 19182624
DEBUG: .../IO/Socket/ socket not yet connected
DEBUG: .../IO/Socket/ socket connected
DEBUG: .../IO/Socket/ ssl handshake not started
DEBUG: .../IO/Socket/ not using SNI because hostname is unknown
DEBUG: .../IO/Socket/ Net::SSLeay::connect -> 0
DEBUG: .../IO/Socket/ connection failed - connect returned 0
DEBUG: .../IO/Socket/ SSL connect attempt failed because of handshake problems
DEBUG: .../IO/Socket/ free ctx 19182624 open=19182624
DEBUG: .../IO/Socket/ OK free ctx 19182624
IO::Socket::SSL: SSL connect attempt failed because of handshake problems error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac ...propagated at -e line 1.
If I run it in curl:
curl "" --insecure
It works returning the page from the ILO.
I want to tell perl or openSSL to ignore any certificate problems as this is a monitoring system and a lot of the servers use self signed certificates.
Any ideas of what can be done?
Perl Version: This is perl 5, version 18, subversion 2 (v5.18.2) built for x86_64-linux-gnu-thread-multi
Crypt::SSLeay 0.72
IO::Socket::SSL 1.997
Net::SSLeay 1.66
Thanks in advance
I want to tell perl or openSSL to ignore any certificate problems as this is a monitoring system and a lot of the servers use self signed certificates.
You are doing it correctly, that is by using SSL_verify_mode of SSL_VERIFY_NONE.
IO::Socket::SSL: SSL connect attempt failed because of handshake problems error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac ...propagated at -e line 1.
Strange, but I've seen other reports with "HP ILO2" and bad_record_mac.
Try to reduce the version to SSL 3.0, e.g. SSL_version => "SSLv3".
But because SSL 3.0 would not be a satisfactory solution because of POODLE I would be interested to have a look at the working SSL handshake from curl (upload to
The same error happens with Net::LDAP (which also uses IO::Socket::SSL) when connecting to a server that only supports SSLv2.
IO::Socket::SSL "auto-negotiates between SSLv2 and SSLv3" by default according to man page, so omitting SSL_version allows scripts to work with older servers.
Or, more optimistically, the script will still work when the administrator gets around to upgrading the server!