I want to use server certificate when connecting with IO::Socket::SSL client.
What I did is to extract certificate first,
openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >/tmp/localhost.crt
-----BEGIN CERTIFICATE-----
MIID1jCCAr6gAwIBAgICBH8wDQYJKoZIhvcNAQELBQAwgZ8xCzAJBgNVBAYTAi0t
MRIwEAYDVQQIDAlTb21lU3RhdGUxETAPBgNVBAcMCFNvbWVDaXR5MRkwFwYDVQQK
DBBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLDBZTb21lT3JnYW5pemF0aW9uYWxV
bml0MRAwDgYDVQQDDAdiaWdnZXIyMRswGQYJKoZIhvcNAQkBFgxyb290QGJpZ2dl
cjIwHhcNMTYwODA0MDUyMTA5WhcNMTcwODA0MDUyMTA5WjCBnzELMAkGA1UEBhMC
LS0xEjAQBgNVBAgMCVNvbWVTdGF0ZTERMA8GA1UEBwwIU29tZUNpdHkxGTAXBgNV
BAoMEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsMFlNvbWVPcmdhbml6YXRpb25h
bFVuaXQxEDAOBgNVBAMMB2JpZ2dlcjIxGzAZBgkqhkiG9w0BCQEWDHJvb3RAYmln
Z2VyMjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSJplghG5oD5FhU
1v9IkE8z0k/7g1W29GhUXwf7IKzzjplIgpsZ+Ya/OtDbIctSYZ3gNEMyj+LdlvEW
6rCDCSTULPWwdjuSdHmUiFyeJm+QBtnMIp9I3P7zPCd+W9Cyhue911tXCHiQMg+E
ZNi2WlqnBGf/5l6VFRVMxQTEbTRiTPaH9VFnuyCKcJTk9ephZmZRgfeNmXT7BRjG
nmsYa0jG2rh2UmJGQrJhZOZYmghbq1BL66m7yCxfknsjTHGfy7PS/c+K83fPVI0p
bcBgl0VCA7d8TX6xj4BwMec7nwdi95ISVAG3jjL11+lrlcg6UGs+bd+NVpd1PbVY
XwVcWu8CAwEAAaMaMBgwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwDQYJKoZIhvcN
AQELBQADggEBAFkWi/C8UlEqXPO0aDrn78teYzh3D0BIuhB4vawDSUuz68Clq41u
bMLIbdWZS244NFLeWAYJf4k0WDk7/nz5pxWLqlDg4LumZxNOUeSWUSbantRn6NnQ
rJrWZi6gJFgeC/34t3k+XvtmbDl5a2L213TxOtnSZJty/ZxUr3v3Z3Dp5+kfTAyR
xlD/gOlAEHgrOjwv1XofVb5pALPjzGj9gAfe/bpMEG4GORgtJzFz/teugL4yZ4Mk
sk6BhIBd1hTWJXUfvH6GPaoieug46CAkolmvc0q2nfMiU+hZOkDE1rtyqS5XMF5t
O2nma+wuMF6z/naEXFPq65sFOHI8vz+oEaQ=
-----END CERTIFICATE-----
and then connect using ssl_client.pl from examples folder,
ssl_client.pl -d10 --ca /tmp/localhost.crt localhost:443
DEBUG: .../IO/Socket/SSL.pm:2757: new ctx 17132992
DEBUG: .../IO/Socket/SSL.pm:643: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:645: socket connected
DEBUG: .../IO/Socket/SSL.pm:667: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:700: using SNI with hostname localhost
DEBUG: .../IO/Socket/SSL.pm:735: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:769: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2658: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2611: ok=0 [0] /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2
DEBUG: .../IO/Socket/SSL.pm:772: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:775: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:775: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:778: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...inux/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::INET configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2779: free ctx 17132992 open=17132992
DEBUG: .../IO/Socket/SSL.pm:2784: free ctx 17132992 callback
DEBUG: .../IO/Socket/SSL.pm:2791: OK free ctx 17132992
failed to connect to localhost:443: ,SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ssl_client.pl line 52.
This doesn't work as expected, so please suggest how to properly verify server using locally stored certificate.
While your certificate is self-signed (i.e. signed by itself) it is not a CA:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Because it is not a CA it is not allowed to be used as an issuer of a certificate and thus can in theory not even be used to sign itself.
This is at least the logic implemented in OpenSSL (and thus Net::SSLeay, IO::Socket::SSL). Other implementations like NSS seem to work with such certificates probably because they check if the server certificate itself is explicitly trusted. Such a check is different from only checking if it is signed by a trusted CA which is done by using the SSL_ca* options in IO::Socket::SSL (or -CAfile, -CApath arguments in openssl s_client).
Explicitly trusting a specific certificate no matter if it is self-signed, expired, revoked or whatever can be done in IO::Socket::SSL by using the SSL_fingerprint option.
Note that debugging IO::Socket::SSL in this case does not help a lot since the logic in this case is implemented in OpenSSL. There is some small indicator where it is going wrong:
DEBUG: ... ok=0 [0] .../CN=bigger2/emailAddress=root#bigger2 .../CN=bigger2/emailAddress=root#bigger2
This debug statement is called from the verification callback. ok=0 [0] indicates that this callback was called with ok=0 at level certificate level 0, i.e. that the built-in validation of OpenSSL did not consider this certificate as valid.
Related
I have three node MongoDB cluster in GCP kubernetes cluster following [1], [2]. I can properly connect with tls=false using mongosh client. Then I enabled tls following [3]. Mongo cluster start properly but I cannot connect from mongosh.
Following is the connection details.
{
"connectionString.standard": "mongodb://mongo-user:stl-m0ng0-dev#mongodb-dev-0.mongodb-dev-svc.dev.svc.cluster.local:27017,mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local:27017,mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local:27017/dev?replicaSet=mongodb-dev&ssl=true",
"connectionString.standardSrv": "mongodb+srv://mongo-user:stl-m0ng0-dev#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=true",
"password": "xxxxxxx",
"username": "mongo-user"
}
Followings are the certificate details.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
Validity
Not Before: Jul 27 09:07:50 2022 GMT
Not After : Jul 24 09:07:50 2032 GMT
Subject: CN = *.mongodb-dev-svc.dev.svc.cluster.local, O = client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:c4:44:a6:21:95:85:9a:dc:96:63:8e:76:ed:d9:
3a:59
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-3.mongodb-dev-svc.dev.svc.cluster.local
Signature Algorithm: sha256WithRSAEncryption
7b:78:43:73:ae:2f:ce:97:de:b2:19:56:4c:38:71:8e:3d:ff:
5b:15:79:c1
Will display server certificate info
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = TLSGenSelfSignedtRootCA, L = $$$$
Validity
Not Before: Jul 27 09:07:50 2022 GMT
Not After : Jul 24 09:07:50 2032 GMT
Subject: CN = *.mongodb-dev-svc.dev.svc.cluster.local, O = server
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:bc:1e:4a:a7:4f:c4:01:71:2c:78:eb:ac:c9:53:
24:c1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Subject Alternative Name:
DNS:mongodb-dev-0.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local, DNS:mongodb-dev-2.mongodb-dev-svc.dev.svc.cluster.local
Signature Algorithm: sha256WithRSAEncryption
16:0f:09:02:66:05:69:7b:91:3b:93:73:86:64:d5:8f:53:2d:
08:19:68:a7
Client side has following error
root#xxxxxxxxxxxxxxxxxx-55955c9fcd-bpp98:/usr/src/app# mongosh "mongodb+srv://mongo-user:stl-m0ng0-dev#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=false&tlsCAFile=ca.pem&tlsCertificateKeyFile=key.pem"
Current Mongosh Log ID: 62e1029487b960f1bd204b1d
Connecting to: mongodb+srv://<credentials>#mongodb-dev-svc.dev.svc.cluster.local/dev?replicaSet=mongodb-dev&ssl=false&tlsCAFile=ca.pem&tlsCertificateKeyFile=key.pem&appName=mongosh+1.5.1
MongoServerSelectionError: connection <monitor> to 10.120.6.8:27017 closed
Server side has following error
2022-07-27T09:25:44.992+0000 I NETWORK [conn25852] end connection 10.120.6.9:33914 (14 connections now open)
2022-07-27T09:25:44.993+0000 I NETWORK [listener] connection accepted from 10.120.6.9:33918 #25855 (15 connections now open)
2022-07-27T09:25:44.993+0000 E NETWORK [conn25854] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:44.994+0000 I NETWORK [conn25854] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58220 (connection id: 25854)
2022-07-27T09:25:44.994+0000 I NETWORK [conn25854] end connection 10.120.8.127:58220 (14 connections now open)
2022-07-27T09:25:44.995+0000 I NETWORK [listener] connection accepted from 10.120.8.127:58224 #25856 (15 connections now open)
2022-07-27T09:25:44.998+0000 E NETWORK [conn25855] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:44.998+0000 I NETWORK [conn25855] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.6.9:33918 (connection id: 25855)
2022-07-27T09:25:44.998+0000 I NETWORK [conn25855] end connection 10.120.6.9:33918 (14 connections now open)
2022-07-27T09:25:45.000+0000 E NETWORK [conn25856] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:45.000+0000 I NETWORK [conn25856] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58224 (connection id: 25856)
2022-07-27T09:25:45.000+0000 I NETWORK [conn25856] end connection 10.120.8.127:58224 (13 connections now open)
2022-07-27T09:25:45.001+0000 I REPL_HB [replexec-2] Heartbeat to mongodb-dev-1.mongodb-dev-svc.dev.svc.cluster.local:27017 failed after 2 retries, response status: HostUnreachable: stream truncated
2022-07-27T09:25:45.003+0000 I NETWORK [listener] connection accepted from 10.120.8.127:58228 #25858 (14 connections now open)
2022-07-27T09:25:45.007+0000 E NETWORK [conn25858] SSL peer certificate validation failed: unsupported certificate purpose
2022-07-27T09:25:45.007+0000 I NETWORK [conn25858] Error receiving request from client: SSLHandshakeFailed: SSL peer certificate validation failed: unsupported certificate purpose. Ending connection from 10.120.8.127:58228 (connection id: 25858)
2022-07-27T09:25:45.007+0000 I NETWORK [conn25858] end connection 10.120.8.127:58228 (13 connections now open)
Operator log has TLS configuration issue.
2022-07-27T10:06:05.893Z INFO controllers/mongodb_status_options.go:110 TLS config is not yet valid, retrying in 10 seconds
2022-07-27T10:06:15.899Z INFO controllers/replica_set_controller.go:140 Reconciling MongoDB {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG controllers/replica_set_controller.go:142 Validating MongoDB.Spec {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG controllers/replica_set_controller.go:151 Ensuring the service exists {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/agent_readiness.go:101 The Pod '' doesn't have annotation 'agent.mongodb.com/version' yet {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.900Z DEBUG agent/replica_set_port_manager.go:122 No port change required {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.906Z INFO controllers/replica_set_controller.go:462 Create/Update operation succeeded {"ReplicaSet": "dev/mongodb-replica-set","operation": "updated"}
2022-07-27T10:06:15.906Z INFO controllers/mongodb_tls.go:40 Ensuring TLS is correctly configured {"ReplicaSet": "dev/mongodb-replica-set"}
2022-07-27T10:06:15.906Z WARN controllers/mongodb_tls.go:47 CA resource not found: Secret "tls-ca-key-pair" not found {"ReplicaSet": "dev/mongodb-replica-set"}
[1]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/install-upgrade.md
[2]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/deploy-configure.md
[3]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/secure.md
It had two main reasons.
I followed [1] to enable SSL. It create another Statefulset. After that there are two mongo servers. Uninstall operator and re-install and followed last stable release documentation [2]. After it properly detect configmap and secret.
But it gave SSL issue in certificates as Unsupported Certificate in server modules. Following [3] found the issue. We need to remove extended_key_useage from openssl.conf. Otherwise it not work properly.
Important thread [4]
Hope this help.
[1]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/master/docs/secure.md
[2]. https://github.com/mongodb/mongodb-kubernetes-operator/blob/v0.7.4/docs/secure.md
[3]. https://stackoverflow.com/a/61964464/5607943
[4]. https://groups.google.com/g/mongodb-user/c/EmESxx5KK9Q/m/xH6Ul7fTBQAJ
I do request to https://bank.gov.ua
my $ua = Mojo::UserAgent->new;
$ua->get("https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange?valcode=EUR&date=$date_now&json");
And get error:
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 146452496
DEBUG: .../IO/Socket/SSL.pm:1638: don't start handshake: IO::Socket::SSL=GLOB(0xc955978)
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:829: using SNI with hostname bank.gov.ua
DEBUG: .../IO/Socket/SSL.pm:864: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 146452496 open=
DEBUG: .../IO/Socket/SSL.pm:3063: free ctx 146452496 callback
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 146452496
I can do request with curl from this host to give url with no problem.
Does any know what problem is when I do this via IO::Socket::SSL (Mojo::UserAgent)?
This server is pretty strange:
the first request with openssl s_client -connect bank.gov.ua:443 fails with the server simply closing the connection: "SSL handshake has read 0 bytes and written 303 bytes"
the Mojo::UserAgent code fails too
doing a request with an explicit TLS 1.2 succeeds: openssl s_client -connect bank.gov.ua:443 -tls1_2
trying the first request again suddenly succeeds too
an the Mojo::UserAgent code now succeeds too
My only explanation is some firewall or load balancer which temporarily white lists an IP address in case it has seen a valid TLS ClientHello - and which considers TLS 1.3 not a valid one.
I am very new to this type of thing and not sure what I am doing wrong.
Inside Mojolicious app, I am battling to connect to the Apple Push Notification SSL Socket. I would like to send a push notification to an app.
Debug Information:
DEBUG: .../IO/Socket/SSL.pm:2700: new ctx 138351632
DEBUG: .../IO/Socket/SSL.pm:612: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:614: socket connected
DEBUG: .../IO/Socket/SSL.pm:636: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:669: using SNI with hostname gateway.push.apple.com
DEBUG: .../IO/Socket/SSL.pm:704: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:736: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2601: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2554: ok=0 [1] /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
DEBUG: .../IO/Socket/SSL.pm:739: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:742: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:742: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:745: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...5.18/IO/Socket.pm:48: ignoring less severe local error 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2733: free ctx 138351632 open=138351632
DEBUG: .../IO/Socket/SSL.pm:2738: free ctx 138351632 callback
DEBUG: .../IO/Socket/SSL.pm:2745: OK free ctx 138351632
Code snip bit:
use IO::Socket::SSL qw(debug3);
my $cl = IO::Socket::SSL->new(
PeerHost => 'gateway.push.apple.com',
# PeerHost => 'gateway.sandbox.push.apple.com',
PeerPort => '2195',
SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_file => '/var/www/foo/bar/cert/ck.pem',
);
I'm not sure where to go or what to do from here?
I figured it out: I was using the incorrect pass phrase! I was able to implement the much simpler perl module Net::APNS
use Net::APNS;
my %settings = (
cert => "$Cert_file",
key => "$Cert_key_file",
passwd => "$passphrase",
);
if(my $Notifier = Net::APNS->new->notify(\%settings)) {
$Notifier->write({
devicetoken => "$device_token",
message => "$message",
sound => 'default',
badge => 1
});
return 1 if defined($Notifier) and ref($Notifier) eq "Net::APNS::Notification";
}
Thank you for all your input!
I'm trying to send email with Perl. My code works fine with Yahoo's SMTP server but when I try to use another SMTP server (with a self-signed SSL certificate), I get this error:
Couldn't start TLS: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
at mail2.pl line 2.
My code is:
use Net::SMTP::TLS;
my $mailer = new Net::SMTP::TLS(
'mail.SomeHost.com',
Hello => 'mail.SomeHost.com',
Port => 587,
User => 'info#SomeHost.com',
Password=> '123456789'
);
$mailer->mail('info#SomeHost.com');
$mailer->to('info#SomeHost.com');
$mailer->data();
$mailer->datasend("From: info#SomeHost.com\n");
$mailer->datasend("To: info#SomeHost.com\n");
$mailer->datasend("Subject: test\n");
$mailer->datasend("Content-type: text/html\n\n");
$mailer->datasend("\n");
$mailer->datasend("<html><body><p>hi text</p><br></body></html>\n");
$mailer->dataend();
$mailer->quit;
How can I fix this?
Result with -MIO::Socket::SSL=debug4:
DEBUG: .../IO/Socket/SSL.pm:2537: new ctx 17003088
DEBUG: .../IO/Socket/SSL.pm:1343: start handshake
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:589: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=5
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> 0
DEBUG: .../IO/Socket/SSL.pm:701: connection failed - connect returned 0
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed because of handshake problems
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed because of handshake problems
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:2570: free ctx 17003088 open=17003088
DEBUG: .../IO/Socket/SSL.pm:2575: free ctx 17003088 callback
DEBUG: .../IO/Socket/SSL.pm:2582: OK free ctx 17003088 Couldn't start TLS:
SSL connect attempt failed because of handshake problems
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure at mail2.pl line 2.
I have followed all the steps for implementing pushnotification using the raywenderlich tutorial but I'm getting an error while running this command:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert XYZCert.pem -key XYZKey.pem
CONNECTED(00000003)
depth=1 /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated
by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
**verify error:num=20:unable to get local issuer certificate
verify return:0**
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgIETBz90jANBgkqhkiG9w0BAQUFADCBsTELMAkGA1UEBhMC
VVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xOTA3BgNVBAsTMHd3dy5lbnRydXN0
Lm5ldC9ycGEgaXMgaW5jb3Jwb3JhdGVkIGJ5IHJlZmVyZW5jZTEfMB0GA1UECxMW
KGMpIDIwMDkgRW50cnVzdCwgSW5jLjEuMCwGA1UEAxMlRW50cnVzdCBDZXJ0aWZp
Y2F0aW9uIEF1dGhvcml0eSAtIEwxQzAeFw0xMjA1MjUyMzM3NDZaFw0xNDA1MzEw
NTA4NDhaMIGPMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAG
A1UEBxMJQ3VwZXJ0aW5vMRMwEQYDVQQKEwpBcHBsZSBJbmMuMRkwFwYDVQQLExBp
VE1TIEVuZ2luZWVyaW5nMScwJQYDVQQDEx5nYXRld2F5LnNhbmRib3gucHVzaC5h
cHBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/r1z4BRFu
DIU9/vOboVmd7OwaPPLRtcZiZLWxSyG/6KeRPpaeaC6DScvSDRoJuIeTDBup0bg4
08K0Gzh+lfKRlJOC2sma5Wgvk7oP4sty83My3YCZQv4QvgDhx+seONNs6XiA8Cl4
ingDymWGlzb0sTdfBIE/nWiEOtXQZcg6GKePOWXKSYgWyi/08538UihKK4JZIOL2
eIeBwjEwlaXFFpMlStc36uS/8oy+KMjwvuu3HazNMidvbGK2Z68rBnqnOAaDBtuT
K7rwAa5+i8GYY+sJA0DywMViZxgG/xWWyr4DvhtpHfUjyQgg1ixM8q651LNgdRVf
4sB0PfANitq7AgMBAAGjggFZMIIBVTALBgNVHQ8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwu
ZW50cnVzdC5uZXQvbGV2ZWwxYy5jcmwwZQYIKwYBBQUHAQEEWTBXMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5ldDAwBggrBgEFBQcwAoYkaHR0cDov
L2FpYS5lbnRydXN0Lm5ldC9sMWMtY2hhaW4uY2VyMEAGA1UdIAQ5MDcwNQYJKoZI
hvZ9B0sCMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly93d3cuZW50cnVzdC5uZXQvcnBh
MB8GA1UdIwQYMBaAFB7xq4kG+EkPATN37hR67hl8kyhNMB0GA1UdDgQWBBSgNiNR
qtTShi8PuJ7UNUEbeE71STAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBBQUAA4IBAQAS
EDkUyBHVdRJnCLHY8w9ec92NWqBYqKiSGP0uVCvgpsJIWDBkCGIw1Olks6mQuS9+
R7VRJJFg7EhtufmoRIvjgntKpTe49sB/lrmiZVQGnhjd6YdyYm9+OBUWRvwketLM
v0S+nxZD0qLLJ9foVUB8zP8LtutqFJ5IZw1xb9eSNzhpKkQ9ylj8MCd4tpXZxICL
Gt327poTXwmjQ+31fz7HCQCowMHccP8kiKM5SeYC9q+nkmdaozHVvw4e1RsP+EWO
vPtcH1x1BCkTJajmrO7JuRPLuBEnZGSPUVFRKWP9jy0a28VnJek+oA7rRMRD8irU
fMGbLqkGn8YogdPqe5T1
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
**No client certificate CA names sent**
---
SSL handshake has read 2731 bytes and written 2160 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: CE7F8C43CF32CC6E2F9C81E8898E89EAEC8B4E1110B7AA50C0FDABB3ED628A0623C7905B956E6F28A0E85A4AECA9986B
Key-Arg : None
Start Time: 1339390594
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
**read:errno=54**
I am able to get the device token and while using php code to send notification it is showing:
Connected to APNS
Message successfully delivered
But I'm still not receiving notifications on iphone4s.
With every profile I'm getting the same device token.
So totally stuck with notification. How to resolve this?
does APNS return error-response packet to you?
if your token is invalid or the notification malformed, APNS will return the error-response.