GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  SOCKET::CLASS::CTX (3)

.ds Aq ’

NAME

Socket::Class::SSL::CTX - Shared context for Socket::Class::SSL

CONTENTS

SYNOPSIS



  use Socket::Class::SSL;
 
  $ctx = Socket::Class::SSL::CTX->new( ... );
 
  $ssl = Socket::Class::SSL->new( use_ctx => $ctx, ... );
 
  $ssl = Socket::Class::SSL->startssl( $sock, use_ctx => $ctx, ... );



DESCRIPTION

The module creates shared ssl context for improved performance.

    Functions in alphabetical order

check_private_key, enable_compatibility, new, set_certificate, set_cipher_list, set_client_ca, set_private_key, set_ssl_method, set_verify_locations,

EXAMPLES

    SSL Server using fork

thanks to J. Nick Koston



  use Socket::Class::SSL;
 
  %ssl_args = (
      private_key => /path/to/server.key.pem,
      certificate => /path/to/server.crt.pem,
      cipher_list => ALL:!ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  );
 
  # create shared context
  $ssl_ctx = Socket::Class::SSL::CTX->new(
      server => 1,
      %ssl_args
  ) or die $@;
 
  # create listen socket
  $server = Socket::Class->new (
      listen     => 45,
      proto      => tcp,
      local_port => 10001,
      reuseaddr  => 1,
  );
 
  while( 1 ) {
      # test readability
      $server->select( 1, undef, undef, 5 ) or next;
      # accept client
      $socket = $server->accept() or next;
      if( fork() ) {
          # whats going on here?
          $socket->close();
      }
      else {
          # start ssl
          $ssl_socket = Socket::Class::SSL->startssl(
              $socket,
              server  => 1,
              use_ctx => $ssl_ctx,
              %ssl_args
          ) or die "Could not start ssl: $@";
          # speak to the client
          $ssl_socket->write( "SSL SERVER CONNETED OK\n" );
          # ...
          exit();
      }
  }



METHODS

<B>new ( [%arg] )B> Additional arguments for the constructor.



  certificate    Path to certificate file in PEM format
  private_key    Path to private key file in PEM format
  client_ca      Path to PEM formatted file with CA certificates
                 to send to the client
  ca_file        A file of CA certificates in PEM format
  ca_path        A directory containing CA certificates in PEM format
  ssl_method     One of "SSLv2", "SSLv23", "SSLv3" or "TLSv1"
                 default method is SSLv23
  cipher_list    A string representing a list of availables ciphers
                 The format is described at
                 http://www.openssl.org/docs/apps/ciphers.html
  server         Create server context on true value. False by default.



Detailed information about the arguments are documented in the functions below.

<B>set_certificate ( B>$certificate<B> )B> Adds a certificate chain. The certificates must be in PEM format and must be sorted starting with the subject‘s certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.

<B>ParametersB>
$certificate Path to certificate file in PEM format.

<B>Return ValuesB>

Returns a TRUE value on success or UNDEF on failure.

<B>set_private_key ( B>$private_key<B> )B> Adds a private key to the socket. To change a certificate, private key pair the new certificate needs to be set before setting the private key.

<B>ParametersB>
$private_key Path to private key file in PEM format.

<B>Return ValuesB>

Returns a TRUE value on success or UNDEF on failure.

<B>check_private_key ()B> Verifies that the private key agrees with the corresponding public key in the certificate.

Returns a TRUE value on success or UNDEF on failure.

The most likely causes of errors:
o The private key file does not match the corresponding public key in the certificate.
o A certificate file was not loaded.
o A key file was not loaded.

<B>set_client_ca ( B>$client_ca<B> )B> Reads a file of PEM formatted certificates and sets the list of CA names sent to the client when requesting a client certificate

<B>ParametersB>
$client_ca Path to PEM formatted file with CA certificates to send to the client.

<B>Return ValuesB>

Returns a true value on success or undef on failure.

<B>NoteB>

The CAs listed do not become trusted (list only contains the names, not the complete certificates); use set_verify_locations() to additionally load them for verification.

These function is only useful for TLS/SSL servers.

<B>set_verify_locations ( B>$ca_file<B>, B>$ca_path<B> )B> Specifies the locations at which CA certificates for verification purposes are located.

When building its own certificate chain, an OpenSSL client/server will try to fill in missing certificates from $ca_file/$ca_path, if the certificate chain was not explicitly specified.

<B>ParametersB>
$ca_file If $ca_file is defined, it points to a file of CA certificates in PEM format. The file can contain several CA certificates identified by



 -----BEGIN CERTIFICATE-----
 ... (CA certificate in base64 encoding) ...
 -----END CERTIFICATE-----



sequences. Before, between, and after the certificates text is allowed which can be used e.g. for descriptions of the certificates.

$ca_path If $ca_path is defined, it points to a directory containing CA certificates in PEM format. Each file contains one CA certificate. The files are looked up by the CA subject name hash value, which must be available. If more than one CA certificate with the same name hash value exists, the extension must be different (e.g. 9d66eef0.0, 9d66eef0.1 etc). The search is performed in the order of the extension numbers, regardless of other properties of the certificates.

When looking up CA certificates, the OpenSSL library will search the certificates in $ca_file first, then those in $ca_path. Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verified. If these data do not match, the next certificate will be tried. The verification process will be performed on the first matching certificate. In case of failure no other certificates with the same parameters are searched.

<B>Return ValuesB>

Returns a true value on success or undef on failure.

<B>NoteB>

In server mode, when requesting a client certificate, the server must send the list of CAs to accept client certificates. This list is not influenced by the contents of $ca_file or $ca_path and must explicitly be set using the set_client_ca() function.

<B>enable_compatibility ()B> Enables all bug workarounds available with the OpenSSL library.

See <http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html> for a list.

<B>set_ssl_method ( B>$name<B> )B> Sets the ssl method.

<B>ParametersB>
$name One of SSLv2, SSLv23, SSLv3 or TLSv1

<B>Return ValuesB>

Returns a true value on success or undef on failure.

<B>set_cipher_list ( B>$str<B> )B> Sets the list of available ciphers using the control string $str.

<B>ParametersB>
$str The cipher list consists of one or more cipher strings separated by colons. Commas or spaces are also acceptable separators but colons are normally used.

See <http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT> for details.

<B>Return ValuesB>

Returns a true value on success or undef on failure.

SEE ALSO

The Socket::Class::SSL manpage

OpenSSL, <http://www.openssl.org/>

AUTHORS

Christian Mueller, <http://www.alien-heads.org/>

COPYRIGHT AND LICENSE

This module is part of the Socket::Class::SSL module and stays under the same copyright and license agreements.
Search for    or go to Top of page |  Section 3 |  Main Index


perl v5.20.3 CTX (3) 2012-01-20

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.