.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote. \*(C+ will
.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds PI pi
. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
. ds L" ""
. ds R" ""
. ds C` ""
. ds C' ""
'br\}
.el\{\
. ds -- \|\(em\|
. ds PI \(*p
. ds L" ``
. ds R" ''
. ds C`
. ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
. if \nF \{
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. if !\nF==2 \{
. nr % 0
. nr F 2
. \}
. \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
. \" fudge factors for nroff and troff
.if n \{\
. ds #H 0
. ds #V .8m
. ds #F .3m
. ds #[ \f1
. ds #] \fP
.\}
.if t \{\
. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
. ds #V .6m
. ds #F 0
. ds #[ \&
. ds #] \&
.\}
. \" simple accents for nroff and troff
.if n \{\
. ds ' \&
. ds ` \&
. ds ^ \&
. ds , \&
. ds ~ ~
. ds /
.\}
.if t \{\
. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
. \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
. \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
. \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
. ds : e
. ds 8 ss
. ds o a
. ds d- d\h'-1'\(ga
. ds D- D\h'-1'\(hy
. ds th \o'bp'
. ds Th \o'LP'
. ds ae ae
. ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "SSLeay 3pm"
.TH SSLeay 3pm "2010-08-24" "perl v5.20.0" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
Crypt::SSLeay \- OpenSSL support for LWP
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& lwp\-request https://www.example.com
\&
\& use LWP::UserAgent;
\& my $ua = LWP::UserAgent\->new;
\& my $response = $ua\->get(\*(Aqhttps://www.example.com/\*(Aq);
\& print $response\->content, "\en";
.Ve
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
This Perl module provides support for the \s-1HTTPS\s0 protocol under \s-1LWP,\s0
to allow an \f(CW\*(C`LWP::UserAgent\*(C'\fR object to perform \s-1GET, HEAD\s0 and \s-1POST\s0
requests. Please see \s-1LWP\s0 for more information on \s-1POST\s0 requests.
.PP
The \f(CW\*(C`Crypt::SSLeay\*(C'\fR package provides \f(CW\*(C`Net::SSL\*(C'\fR, which is loaded
by \f(CW\*(C`LWP::Protocol::https\*(C'\fR for https requests and provides the
necessary \s-1SSL\s0 glue.
.PP
This distribution also makes following deprecated modules available:
.PP
.Vb 3
\& Crypt::SSLeay::CTX
\& Crypt::SSLeay::Conn
\& Crypt::SSLeay::X509
.Ve
.PP
Work on Crypt::SSLeay has been continued only to provide https
support for the \s-1LWP \s0(libwww-perl) libraries.
.SH "ENVIRONMENT VARIABLES"
.IX Header "ENVIRONMENT VARIABLES"
The following environment variables change the way
\&\f(CW\*(C`Crypt::SSLeay\*(C'\fR and \f(CW\*(C`Net::SSL\*(C'\fR behave.
.PP
.Vb 2
\& # proxy support
\& $ENV{HTTPS_PROXY} = \*(Aqhttp://proxy_hostname_or_ip:port\*(Aq;
\&
\& # proxy_basic_auth
\& $ENV{HTTPS_PROXY_USERNAME} = \*(Aqusername\*(Aq;
\& $ENV{HTTPS_PROXY_PASSWORD} = \*(Aqpassword\*(Aq;
\&
\& # debugging (SSL diagnostics)
\& $ENV{HTTPS_DEBUG} = 1;
\&
\& # default ssl version
\& $ENV{HTTPS_VERSION} = \*(Aq3\*(Aq;
\&
\& # client certificate support
\& $ENV{HTTPS_CERT_FILE} = \*(Aqcerts/notacacert.pem\*(Aq;
\& $ENV{HTTPS_KEY_FILE} = \*(Aqcerts/notacakeynopass.pem\*(Aq;
\&
\& # CA cert peer verification
\& $ENV{HTTPS_CA_FILE} = \*(Aqcerts/ca\-bundle.crt\*(Aq;
\& $ENV{HTTPS_CA_DIR} = \*(Aqcerts/\*(Aq;
\&
\& # Client PKCS12 cert support
\& $ENV{HTTPS_PKCS12_FILE} = \*(Aqcerts/pkcs12.pkcs12\*(Aq;
\& $ENV{HTTPS_PKCS12_PASSWORD} = \*(AqPKCS12_PASSWORD\*(Aq;
.Ve
.SH "INSTALL"
.IX Header "INSTALL"
.SS "OpenSSL"
.IX Subsection "OpenSSL"
You must have OpenSSL or SSLeay installed before compiling this module.
You can get the latest OpenSSL package from
.
.PP
On Debian systems, you will need to install the \f(CW\*(C`libssl\-dev\*(C'\fR package,
at least for the duration of the build (it may be removed afterwards).
.PP
Other package-based systems may require something similar. The key is
that \f(CW\*(C`Crypt::SSLeay\*(C'\fR makes calls to the OpenSSL library, and how to do
so is specified in the C header files that come with the library. Some
systems break out the header files into a separate package from that of
the libraries. Once the program has been built, you don't need the
headers any more.
.PP
When installing openssl make sure your config looks like:
.PP
.Vb 1
\& ./config \-\-openssldir=/usr/local/openssl
.Ve
.PP
or
.PP
.Vb 1
\& ./config \-\-openssldir=/usr/local/ssl
.Ve
.PP
If you are planning on upgrading the default OpenSSL libraries on
a system like RedHat, (not recommended), then try something like:
.PP
.Vb 1
\& ./config \-\-openssldir=/usr \-\-shared
.Ve
.PP
The \f(CW\*(C`\-\-shared\*(C'\fR option to config will set up building the .so
shared libraries which is important for such systems. This is
followed by:
.PP
.Vb 3
\& make
\& make test
\& make install
.Ve
.PP
This way \f(CW\*(C`Crypt::SSLeay\*(C'\fR will pick up the includes and
libraries automatically. If your includes end up
going into a separate directory like \fI/usr/local/include\fR,
then you may need to symlink \fI/usr/local/openssl/include\fR
to \fI/usr/local/include\fR
.SS "Crypt::SSLeay"
.IX Subsection "Crypt::SSLeay"
The latest Crypt::SSLeay can be found at your nearest \s-1CPAN,\s0
as well as
.PP
Once you have downloaded it, Crypt::SSLeay installs easily
using the \f(CW\*(C`make\*(C'\fR * commands as shown below.
.PP
.Vb 4
\& perl Makefile.PL
\& make
\& make test
\& make install
.Ve
.PP
On Windows systems, both Strawberry Perl and ActiveState (as a separate
download via ppm) projects include a MingW based compiler distribution and
\&\f(CW\*(C`dmake\*(C'\fR which can be used to build both OpenSSL and \f(CW\*(C`Crypt\-SSLeay\*(C'\fR. If you
have such a set up, use \f(CW\*(C`dmake\*(C'\fR above.
.PP
For unattended (batch) installations, to be absolutely certain that
\&\fIMakefile.PL\fR does not prompt for questions on \s-1STDIN,\s0 set the
following environment variable beforehand:
.PP
.Vb 1
\& PERL_MM_USE_DEFAULT=1
.Ve
.PP
(This is true for any \s-1CPAN\s0 module that uses \f(CW\*(C`ExtUtils::MakeMaker\*(C'\fR).
.PP
To skip live tests, you can use
.PP
.Vb 1
\& perl Makefile.PL \-\-no\-live\-tests
.Ve
.PP
and to force live tests, you can use
.PP
.Vb 1
\& perl Makefile.PL \-\-live\-tests
.Ve
.PP
\fIWindows\fR
.IX Subsection "Windows"
.PP
\&\f(CW\*(C`Crypt::SSLeay\*(C'\fR builds correctly with Strawberry Perl.
.PP
For ActiveState Perl users, the ActiveState company does not have a
permit from the Canadian Federal Government to distribute cryptographic
software. This prevents \f(CW\*(C`Crypt::SSLeay\*(C'\fR from being distributed as a \s-1PPM\s0
package from their repository. See
for more information on this issue.
.PP
You may download it from Randy Kobes's \s-1PPM\s0 repository by using
the following command:
.PP
.Vb 1
\& ppm install http://theoryx5.uwinnipeg.ca/ppms/Crypt\-SSLeay.ppd
.Ve
.PP
An alternative is to add the uwinnipeg.ca \s-1PPM\s0 repository to your
local installation. See
for more details.
.PP
\fI\s-1VMS\s0\fR
.IX Subsection "VMS"
.PP
It is assumed that the OpenSSL installation is located at
\&\fI/ssl$root\fR. Define this logical to point to the appropriate
place in the filesystem.
.SH "PROXY SUPPORT"
.IX Header "PROXY SUPPORT"
LWP::UserAgent and Crypt::SSLeay have their own versions of
proxy support. Please read these sections to see which one
is appropriate.
.SS "LWP::UserAgent proxy support"
.IX Subsection "LWP::UserAgent proxy support"
\&\f(CW\*(C`LWP::UserAgent\*(C'\fR has its own methods of proxying which may work for you
and is likely to be incompatible with \f(CW\*(C`Crypt::SSLeay\*(C'\fR proxy support.
To use \f(CW\*(C`LWP::UserAgent\*(C'\fR proxy support, try something like:
.PP
.Vb 2
\& my $ua = LWP::UserAgent\->new;
\& $ua\->proxy([qw( https http )], "$proxy_ip:$proxy_port");
.Ve
.PP
At the time of this writing, libwww v5.6 seems to proxy https requests
fine with an Apache \fImod_proxy\fR server. It sends a line like:
.PP
.Vb 1
\& GET https://www.example.com HTTP/1.1
.Ve
.PP
to the proxy server, which is not the \f(CW\*(C`CONNECT\*(C'\fR request that some
proxies would expect, so this may not work with other proxy servers than
\&\fImod_proxy\fR. The \f(CW\*(C`CONNECT\*(C'\fR method is used by \f(CW\*(C`Crypt::SSLeay\*(C'\fR's
internal proxy support.
.SS "Crypt::SSLeay proxy support"
.IX Subsection "Crypt::SSLeay proxy support"
For native \f(CW\*(C`Crypt::SSLeay\*(C'\fR proxy support of https requests,
you need to set the environment variable \f(CW\*(C`HTTPS_PROXY\*(C'\fR to your
proxy server and port, as in:
.PP
.Vb 3
\& # proxy support
\& $ENV{HTTPS_PROXY} = \*(Aqhttp://proxy_hostname_or_ip:port\*(Aq;
\& $ENV{HTTPS_PROXY} = \*(Aq127.0.0.1:8080\*(Aq;
.Ve
.PP
Use of the \f(CW\*(C`HTTPS_PROXY\*(C'\fR environment variable in this way
is similar to \f(CW\*(C`LWP::UserAgent\-\*(C'\fR\fIenv_proxy()\fR> usage, but calling
that method will likely override or break the \f(CW\*(C`Crypt::SSLeay\*(C'\fR
support, so do not mix the two.
.PP
Basic auth credentials to the proxy server can be provided
this way:
.PP
.Vb 3
\& # proxy_basic_auth
\& $ENV{HTTPS_PROXY_USERNAME} = \*(Aqusername\*(Aq;
\& $ENV{HTTPS_PROXY_PASSWORD} = \*(Aqpassword\*(Aq;
.Ve
.PP
For an example of \s-1LWP\s0 scripting with \f(CW\*(C`Crypt::SSLeay\*(C'\fR native proxy
support, please look at the \fIeg/lwp\-ssl\-test\fR script in the
\&\f(CW\*(C`Crypt::SSLeay\*(C'\fR distribution.
.SH "CLIENT CERTIFICATE SUPPORT"
.IX Header "CLIENT CERTIFICATE SUPPORT"
Client certificates are supported. \s-1PEM\s0 encoded certificate and
private key files may be used like this:
.PP
.Vb 2
\& $ENV{HTTPS_CERT_FILE} = \*(Aqcerts/notacacert.pem\*(Aq;
\& $ENV{HTTPS_KEY_FILE} = \*(Aqcerts/notacakeynopass.pem\*(Aq;
.Ve
.PP
You may test your files with the \fIeg/net\-ssl\-test\fR program,
bundled with the distribution, by issuing a command like:
.PP
.Vb 2
\& perl eg/net\-ssl\-test \-cert=certs/notacacert.pem \e
\& \-key=certs/notacakeynopass.pem \-d GET $HOST_NAME
.Ve
.PP
Additionally, if you would like to tell the client where
the \s-1CA\s0 file is, you may set these.
.PP
.Vb 2
\& $ENV{HTTPS_CA_FILE} = "some_file";
\& $ENV{HTTPS_CA_DIR} = "some_dir";
.Ve
.PP
Note that, if specified, \f(CW$ENV{HTTPS_CA_FILE}\fR must point to the actual
certificate file. That is, \f(CW$ENV{HTTPS_CA_DIR}\fR is *not* the path were
\&\f(CW$ENV{HTTPS_CA_FILE}\fR is located.
.PP
For certificates in \f(CW$ENV{HTTPS_CA_DIR}\fR to be picked up, follow the
instructions on
.PP
There is no sample \s-1CA\s0 cert file at this time for testing,
but you may configure \fIeg/net\-ssl\-test\fR to use your \s-1CA\s0 cert
with the \-CAfile option. (\s-1TODO:\s0 then what is the \fI./certs\fR
directory in the distribution?)
.SS "Creating a test certificate"
.IX Subsection "Creating a test certificate"
To create simple test certificates with OpenSSL, you may
run the following command:
.PP
.Vb 3
\& openssl req \-config /usr/local/openssl/openssl.cnf \e
\& \-new \-days 365 \-newkey rsa:1024 \-x509 \e
\& \-keyout notacakey.pem \-out notacacert.pem
.Ve
.PP
To remove the pass phrase from the key file, run:
.PP
.Vb 1
\& openssl rsa \-in notacakey.pem \-out notacakeynopass.pem
.Ve
.SS "\s-1PKCS12\s0 support"
.IX Subsection "PKCS12 support"
The directives for enabling use of \s-1PKCS12\s0 certificates is:
.PP
.Vb 2
\& $ENV{HTTPS_PKCS12_FILE} = \*(Aqcerts/pkcs12.pkcs12\*(Aq;
\& $ENV{HTTPS_PKCS12_PASSWORD} = \*(AqPKCS12_PASSWORD\*(Aq;
.Ve
.PP
Use of this type of certificate takes precedence over previous
certificate settings described. (\s-1TODO:\s0 unclear? Meaning \*(L"the
presence of this type of certificate\*(R"?)
.SH "SSL versions"
.IX Header "SSL versions"
\&\f(CW\*(C`Crypt::SSLeay\*(C'\fR tries very hard to connect to \fIany\fR \s-1SSL\s0 web server
accomodating servers that are buggy, old or simply not
standards-compliant. To this effect, this module will try \s-1SSL\s0
connections in this order:
.IP "\s-1SSL\s0 v23" 4
.IX Item "SSL v23"
should allow v2 and v3 servers to pick their best type
.IP "\s-1SSL\s0 v3" 4
.IX Item "SSL v3"
best connection type
.IP "\s-1SSL\s0 v2" 4
.IX Item "SSL v2"
old connection type
.PP
Unfortunately, some servers seem not to handle a reconnect to \s-1SSL\s0 v3 after a
failed connect of \s-1SSL\s0 v23 is tried, so you may set before using \s-1LWP\s0 or
Net::SSL:
.PP
.Vb 1
\& $ENV{HTTPS_VERSION} = 3;
.Ve
.PP
to force a version 3 \s-1SSL\s0 connection first. At this time only a
version 2 \s-1SSL\s0 connection will be tried after this, as the connection
attempt order remains unchanged by this setting.
.SH "ACKNOWLEDGEMENTS"
.IX Header "ACKNOWLEDGEMENTS"
Many thanks to the following individuals who helped improve
\&\f(CW\*(C`Crypt\-SSLeay\*(C'\fR:
.PP
\&\fIGisle Aas\fR for writing this module and many others including libwww, for
perl. The web will never be the same :)
.PP
\&\fIBen Laurie\fR deserves kudos for his excellent patches for better error
handling, \s-1SSL\s0 information inspection, and random seeding.
.PP
\&\fIDongqiang Bai\fR for host name resolution fix when using a proxy.
.PP
\&\fIStuart Horner\fR of Core Communications, Inc. who found the need for
building \f(CW\*(C`\-\-shared\*(C'\fR OpenSSL libraries.
.PP
\&\fIPavel Hlavnicka\fR for a patch for freeing memory when using a pkcs12
file, and for inspiring more robust \f(CW\*(C`read()\*(C'\fR behavior.
.PP
\&\fIJames Woodyatt\fR is a champ for finding a ridiculous memory leak that
has been the bane of many a Crypt::SSLeay user.
.PP
\&\fIBryan Hart\fR for his patch adding proxy support, and thanks to \fITobias
Manthey\fR for submitting another approach.
.PP
\&\fIAlex Rhomberg\fR for Alpha linux ccc patch.
.PP
\&\fITobias Manthey\fR for his patches for client certificate support.
.PP
\&\fIDaisuke Kuroda\fR for adding \s-1PKCS12\s0 certificate support.
.PP
\&\fIGamid Isayev\fR for \s-1CA\s0 cert support and insights into error messaging.
.PP
\&\fIJeff Long\fR for working through a tricky \s-1CA\s0 cert SSLClientVerify issue.
.PP
\&\fIChip Turner\fR for a patch to build under perl 5.8.0.
.PP
\&\fIJoshua Chamas\fR for the time he spent maintaining the module.
.PP
\&\fIJeff Lavallee\fR for help with alarms on read failures (\s-1CPAN\s0 bug #12444).
.PP
\&\fIGuenter Knauf\fR for significant improvements in configuring things in
Win32 and Netware lands and Jan Dubois for various suggestions for
improvements.
.PP
and \fImany others\fR who provided bug reports, suggestions, fixes and
patches.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
.IP "Net::SSL" 4
.IX Item "Net::SSL"
If you have downloaded this distribution as of a dependency of another
distribution, it's probably due to this module (which is included in
this distribution).
.IP "Net::SSLeay" 4
.IX Item "Net::SSLeay"
Net::SSLeay provides access to the OpenSSL \s-1API\s0 directly
from Perl. See .
.IP "OpenSSL binary packages for Windows" 4
.IX Item "OpenSSL binary packages for Windows"
See .
.SH "SUPPORT"
.IX Header "SUPPORT"
For use of Crypt::SSLeay & Net::SSL with Perl's \s-1LWP,\s0 please
send email to libwww@perl.org .
.PP
For OpenSSL or general \s-1SSL\s0 support, including issues associated with
building and installing OpenSSL on your system, please email the OpenSSL
users mailing list at
openssl\-users@openssl.org . See
for other mailing lists
and archives.
.PP
Please report all bugs at
\&\*(L"/rt.cpan.org/NoAuth/Bugs.html?Dist=Crypt\-SSLeay\*(R"\*(L" in \*(R"http:.
.SH "AUTHORS"
.IX Header "AUTHORS"
This module was originally written by Gisle Aas, and was subsequently
maintained by Joshua Chamas, David Landgren, brian d foy and Sinan Unur.
.SH "COPYRIGHT"
.IX Header "COPYRIGHT"
Copyright (c) 2010 A. Sinan Unur
.PP
Copyright (c) 2006\-2007 David Landgren
.PP
Copyright (c) 1999\-2003 Joshua Chamas
.PP
Copyright (c) 1998 Gisle Aas
.SH "LICENSE"
.IX Header "LICENSE"
This program is free software; you can redistribute it and/or modify it
under the same terms as Perl itself.