Background:

In some PHP code dealing with a 3rd party web-service, the following code works:

// connect to web-service
$remote_addr = "tcp://{$data['ip']}:{$data['port']}";
$socket = stream_socket_client($remote_addr, $errno, $errstr, 30);
if (!$socket) throw "Couldn't create socket: $errstr\n";

// configure SSL options on socket
stream_context_set_option($socket, 'ssl', 'local_cert', $data['cert']);
stream_context_set_option($socket, 'ssl', 'verify_peer', false);
stream_context_set_option($socket, 'ssl', 'allow_self_signed', true);
stream_context_set_option($socket, 'ssl', 'cafile', $data['cafile']);

// do SSL handshake
stream_set_blocking ($socket, true);
stream_socket_enable_crypto ($socket, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT);
stream_set_blocking ($socket, false);

//... start talking HTTP

We go on to wrap this PHP code in our own JSON-RPC web-service in order to call it from an in-house management system, written in Perl.

In profiling this “solution”, I’ve discovered that I could greatly improve performance by removing the Perl-PHP (via HTTP) indirection. I’ve tried porting the code to Perl but have had issues matching the SSL options.

I’m using the $ua->ssl_opts() method of LWP::UserAgent to pass the correct options down to Net::SSL (Crypt::SSLeay). I’ve been using strace to determine whether the certificates are being read, and it looks like they are. However, I’m not sure whether Net::SSL succeeds in reading the key from the PEM.

Question:

What specific $ua->ssl_opts() arguments do I need to match the behaviour of the PHP code?

Notes:

• $data['cert'] is the full path to a PEM file containing
  • Our “client” certificate – issued by the 3rd party
  • Our non-encrypted (RSA) private key – issued by the 3rd party

• $data['cafile'] is the full path to the self-signed signing certificate – issued by the 3rd party
• I’m not looking for security advice about the plaintext nature of the private key.