
I have set up a Mojolicious::Lite server with SSL support using Hypnotoad. I am using Mojolicious::Plugin::SslAuth for authenticating the client certificate. When I call dump_peer_certificate() I get

```
[Tue Feb 12 07:26:32 2019] [debug] peer: Subject Name: undefined Issuer  Name: undefined
```

but I expected valid certificate information. Can you help me to understand this message?

Here is SSL handler code:

```perl
sub register {
    my ($plugin, $app) = @_;

    $app->helper(
        ssl_auth => sub {
            my $self     = shift;
            my $callback = shift;

            my $id     = $self->tx->connection;
            my $handle = Mojo::IOLoop->stream($id)->handle;

            # dump_peer_certificate returns:
            #     Subject Name: undefined
            #     Issuer  Name: undefined
            $app->log->debug("peer: " . $handle->dump_peer_certificate());

            # Not SSL connection
            return if ref $handle ne 'IO::Socket::SSL';

            return $callback->($handle);
        }
    );
}
```
Grinnz
Arunraj Nair
  • There is probably no client certificate, i.e. `$handle->peer_certificate()` will not return anything. I think it is extremely rare to enable certificates in SSL clients, e.g. if you require your server to only accept clients that provide a valid certificate. – Stefan Becker Feb 12 '19 at 12:00
  • I.e. calling `dump_peer_certificate()` only makes sense on the *client* side. It will of course print the information of the server certificate. – Stefan Becker Feb 12 '19 at 12:06
  • Quoting from this [answer](https://stackoverflow.com/a/1710543/8866606): "(1) **Client certificate authentication can only be enforced by the server.** (2) (Important!) When the server requests a client certificate (as part of the TLS handshake), it will also provide a list of trusted CA's as part of the certificate request. When the client certificate you wish to present for authentication is *not* signed by one of these CA's, it won't be presented at all" - have you set up your SSL server to request client certificate authentication? – Stefan Becker Feb 12 '19 at 20:11
  • @StefanBecker I have added the SSL certificate in my browser and SoapUI. Therefore, I presume it should be sending the certificate in the request. I didn't find relevant info in Mojo::Lite docs to enable client certificate authentication. – Arunraj Nair Feb 13 '19 at 07:19
  • My statements are not specific to Mojo::Lite, i.e. they apply to any SSL/TLS server/client setup. I.e. without additional setup the SSL server won't request and the SSL client won't authenticate with a certificate. This is **different** from the other direction, i.e. a server always needs to authenticate with a certificate to the client. – Stefan Becker Feb 13 '19 at 07:24
  • Did you configure hypnotoad's listen attribute with a CA certificate file to verify the client certificate? – clamp Feb 13 '19 at 09:35
  • Thank you @clamp! I had not set `?ca=...` in the hypnotoad listen config – Arunraj Nair Feb 15 '19 at 05:47
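
The fix reached in the comments above (adding `ca=` to the Hypnotoad listen URL so the server requests a client certificate), shown as an added example that is not code from the original post or from Mojolicious::Plugin::SslAuth. The file paths, port 8443, the `client_cert` helper and the `/whoami` route are assumptions for illustration.

```perl
#!/usr/bin/env perl
use Mojolicious::Lite;
use Mojo::IOLoop;

# Placeholder paths (assumptions): substitute your own PEM files.
app->config(hypnotoad => {
    listen => [
        'https://*:8443'
          . '?cert=/path/to/server.crt'
          . '&key=/path/to/server.key'
          # CA that signed the client certificates. Without this parameter the
          # server never sends a CertificateRequest, so peer_certificate() is empty.
          . '&ca=/path/to/client-ca.crt'
          # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: abort the
          # handshake when the client presents no certificate.
          . '&verify=0x03',
    ],
});

# Hypothetical helper: returns certificate fields, or nothing when the
# connection is not TLS or no client certificate was presented.
helper client_cert => sub {
    my $c      = shift;
    my $stream = Mojo::IOLoop->stream($c->tx->connection) or return;
    my $handle = $stream->handle;

    # Check the handle type before calling any IO::Socket::SSL method.
    return unless ref $handle && $handle->isa('IO::Socket::SSL');

    my $subject = $handle->peer_certificate('subject') or return;
    return {
        subject => $subject,
        issuer  => $handle->peer_certificate('issuer'),
        cn      => $handle->peer_certificate('cn'),
    };
};

# Hypothetical route that echoes the verified client identity.
get '/whoami' => sub {
    my $c    = shift;
    my $cert = $c->client_cert
      or return $c->render(text => 'client certificate required', status => 403);
    $c->render(json => $cert);
};

app->start;
```

With `verify=0x03` a client without a certificate is rejected during the handshake, so the 403 branch only triggers on a non-TLS listener or when `verify=0x01` is used to make the certificate optional.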

0 Answers