28 | 28 |
|
29 | 29 |
# Do the exporting magic...
|
30 | 30 |
require Exporter;
|
31 | |
use vars qw( @ISA @EXPORT_OK );
|
32 | |
@ISA = qw( Exporter );
|
33 | |
@EXPORT_OK = qw( Client_SSLify Server_SSLify SSLify_Options SSLify_GetCTX SSLify_GetCipher SSLify_GetSocket SSLify_GetSSL SSLify_ContextCreate );
|
|
31 |
our @ISA = qw( Exporter );
|
|
32 |
our @EXPORT_OK = qw( Client_SSLify Server_SSLify SSLify_Options SSLify_GetCTX SSLify_GetCipher SSLify_GetSocket SSLify_GetSSL SSLify_ContextCreate );
|
34 | 33 |
|
35 | 34 |
# Bring in some socket-related stuff
|
36 | 35 |
use Symbol qw( gensym );
|
|
41 | 40 |
|
42 | 41 |
# The server-side CTX stuff
|
43 | 42 |
my $ctx = undef;
|
|
43 |
|
|
44 |
# global so users of this module can override it locally
|
|
45 |
our $IGNORE_SSL_ERRORS = 0;
|
44 | 46 |
|
45 | 47 |
=func Client_SSLify
|
46 | 48 |
|
|
242 | 244 |
|
243 | 245 |
# do we need to set options?
|
244 | 246 |
if ( defined $options ) {
|
245 | |
Net::SSLeay::CTX_set_options( $context, $options ) and die_if_ssl_error( 'ssl ctx set options' );
|
|
247 |
Net::SSLeay::CTX_set_options( $context, $options );
|
|
248 |
die_if_ssl_error( 'ssl ctx set options' ) if ! $IGNORE_SSL_ERRORS;
|
246 | 249 |
}
|
247 | 250 |
|
248 | 251 |
# do we need to set key/etc?
|
249 | 252 |
if ( defined $key ) {
|
250 | 253 |
# Following will ask password unless private key is not encrypted
|
251 | 254 |
Net::SSLeay::CTX_use_RSAPrivateKey_file( $context, $key, &Net::SSLeay::FILETYPE_PEM );
|
252 | |
die_if_ssl_error( 'private key' );
|
|
255 |
die_if_ssl_error( 'private key' ) if ! $IGNORE_SSL_ERRORS;
|
253 | 256 |
}
|
254 | 257 |
|
255 | 258 |
# Set the cert file
|
256 | 259 |
if ( defined $cert ) {
|
257 | 260 |
Net::SSLeay::CTX_use_certificate_file( $context, $cert, &Net::SSLeay::FILETYPE_PEM );
|
258 | |
die_if_ssl_error( 'certificate' );
|
|
261 |
die_if_ssl_error( 'certificate' ) if ! $IGNORE_SSL_ERRORS;
|
259 | 262 |
}
|
260 | 263 |
|
261 | 264 |
# All done!
|
|
403 | 406 |
=head2 Socket methods doesn't work
|
404 | 407 |
|
405 | 408 |
The new socket this module gives you actually is some tied socket magic, so you cannot do stuff like
|
406 | |
getpeername() or getsockname(). The only way to do it is to use SSLify_GetSocket and then operate on
|
|
409 |
getpeername() or getsockname(). The only way to do it is to use L</SSLify_GetSocket> and then operate on
|
407 | 410 |
the socket it returns.
|
408 | 411 |
|
409 | 412 |
=head2 Dying everywhere...
|
|
426 | 429 |
}
|
427 | 430 |
}
|
428 | 431 |
|
|
432 |
=head3 $IGNORE_SSL_ERRORS
|
|
433 |
|
|
434 |
As of SSLify v1.003 you can override this variable to temporarily ignore some SSL errors. This is useful if you are doing crazy things
|
|
435 |
with the underlying Net::SSLeay stuff and don't want to die. However, it won't ignore all errors as some is still considered fatal.
|
|
436 |
Here's an example:
|
|
437 |
|
|
438 |
{
|
|
439 |
local $POE::Component::SSLify::IGNORE_SSL_ERRORS=1;
|
|
440 |
my $ctx = SSLify_CreateContext(...);
|
|
441 |
#Some more stuff
|
|
442 |
}
|
|
443 |
|
429 | 444 |
=head2 OpenSSL functions
|
430 | 445 |
|
431 | 446 |
Theoretically you can do anything that Net::SSLeay exports from the OpenSSL libs on the socket. However, I have not tested every
|
|
437 | 452 |
L<http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc> which explains it in detail. The test will skip this function
|
438 | 453 |
if it detects that you're on a broken system. However, if you have the updated OpenSSL library that fixes this you can use it.
|
439 | 454 |
|
440 | |
=head3 In-Situ sslification
|
|
455 |
=head2 In-Situ sslification
|
441 | 456 |
|
442 | 457 |
You can have a normal plaintext socket, and convert it to SSL anytime. Just keep in mind that the client and the server must agree to sslify
|
443 | 458 |
at the same time, or they will be waiting on each other forever! See C<t/3_insitu.t> for an example of how this works.
|