我昨天在Perl Monks上发布了这个问题,但它适用于所有尝试它的人(见
http://www.perlmonks.org/?node_id=909968).但是,我使用的是不同的URL,希望能够简化问题.
我正在尝试通过HTTPS连接到api.betfair.com,他们有一个我在浏览器中验证过的有效证书.我正在运行ubuntu并有2个版本的Perl.一个5.10.0工作的系统和通过perlbrew安装的5.14.0失败.代码是:
use LWP::UserAgent;
use strict;
use warnings;
#$ENV{HTTPS_CA_FILE} = "/usr/share/ca-certificates/cacert.org/cacert.org.crt";
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(GET => 'https://api.betfair.com');
my $res = $ua->request($req);
print $res->headers_as_string;
print $res->content;
在系统Perl 5.10.0下运行它可以正常工作,我得到:
Date: Fri,17 Jun 2011 08:33:04 GMT Accept-Ranges: bytes ETag: W/"0-1307353787000" Content-Length: 0 Content-Type: text/html Last-Modified: Mon,06 Jun 2011 09:49:47 GMT Client-Date: Fri,17 Jun 2011 08:33:04 GMT Client-Peer: 84.20.200.10:443 Client-Response-Num: 1 Client-SSL-Cert-Issuer: /C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2 Client-SSL-Cert-Subject: /C=GB/ST=London/L=London/O=The Sporting Exchange Ltd/OU=IS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=*.betfair.com Client-SSL-Cipher: RC4-MD5 Set-Cookie: NSC_mc-80-qvcbqj.efgbvmu=ffffffff09208c5545525d5f4f58455e445a4a4229a0;expires=Fri,17-Jun-2011 20:33:05 GMT;path=/;httponly
在Perl 5.14.0下运行我得到:
Content-Type:text / plain
客户日期:2011年6月17日星期五08:34:30 GMT
客户警告:内部响应
无法连接到api.betfair.com:443
如果我取消注释HTTPS_CA_FILE的设置并在5.14.0中重新运行,我会得到:
Content-Type: text/plain Client-Date: Fri,17 Jun 2011 08:35:09 GMT Client-Warning: Internal response Can't connect to api.betfair.com:443 (certificate verify Failed) LWP::Protocol::https::Socket: SSL connect attempt Failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify Failed at /home/martin/perl5/perlbrew/perls/perl-5.14.0/lib/site_perl/5.14.0/LWP/Protocol/http.pm line 51.
我在版本20110409安装了Mozilla :: CA.Mozilla :: CA :: SSL_ca_file()返回“/home/martin/perl5/perlbrew/perls/perl-5.14.0/lib/site_perl/5.14.0/Mozilla/CA /cacert.pem“它存在并且可以被我读取.我在Perl 5.14.0中使用LWP 6.02,在Perl 5.10.0中使用5.836.我读取设置HTTPS_DEBUG = 1应输出一些调试信息,但它只在使用Perl 5.10.0而不是5.14.0时这样做(对我而言).
我不是一个SSL大师,但我尝试了一些我发现的东西,它们让我更加困惑:
openssl verify -verbose -CAfile /home/martin/perl5/perlbrew/perls/perl-5.14.0/lib/site_perl/5.14.0/Mozilla/CA/cacert.pem < /dev/null
unable to load certificate
10888:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
openssl s_client -CAfile /usr/local/share/perl/5.10.0/Mozilla/CA/cacert.pem -connect api.betfair.com:443 < /dev/null
CONNECTED(00000003)
depth=1 /C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=GB/ST=London/L=London/O=The Sporting Exchange Ltd/OU=IS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=*.betfair.com
i:/C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
1 s:/C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign,Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign,Inc. - For authorized use only/OU=VeriSign Trust Network
---
Server certificate
-----BEGIN CERTIFICATE-----
certificate snipped
sg==
-----END CERTIFICATE-----
subject=/C=GB/ST=London/L=London/O=The Sporting Exchange Ltd/OU=IS/OU=Terms of use at www.verisign.com/rpa (c)05/CN=*.betfair.com
issuer=/C=US/O=VeriSign,Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3068 bytes and written 303 bytes
---
New,TLSv1/SSLv3,Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 81802384A47AF45D2D809A2D10041A4E0B4B4DD821507569216A199ED467B207
Session-ID-ctx:
Master-Key: 50DEC11CD2FA57E9BFA95B0156905D2717A79F333A2028FCCCB0F1C32A6B35202A958CEF24D3D2332A00CDCD158B40FB
Key-Arg : None
Start Time: 1308304989
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
更新:我认为这是因为我设置了PERL_UNICODE = SAL但是未设置这不能解决问题.
更新:版本:
Linux ubuntu 10.10代号为maverick
openssl 0.9.80(我相信最新的ubuntu发行版
解决方法
$openssl s_client -connect api.betfair.com:443 < /dev/null > api.betfair.com.pem $openssl x509 -in api.betfair.com.pem -issuer_hash eb99629b
好吧,whaddayasay,这是同样愚蠢的中间证书0xeb99629b我以前见过与其他人失踪,详见comment above以及如何获得它.
出于好奇,您运行的是什么版本的OpenSSL和ca-certificate?你的系统版本/供应商是什么?