Answer Browser Request with IO::Socket::SSL

Question

Question formulated in the end, first detailed description of the problem and what I have tested already

I'm writing some code to showcase some basic principles to others. The code will never be productive and simplification is intended.

My goal (appart from others) is to write a simple application which uses a Web-Certificat to encrypt its network traffic.

The starting point is an application which does not encrypt:

#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::INET;

# auto-flush on socket
$| = 1;

# creating a listening socket
my $socket = new IO::Socket::INET (
    LocalAddr     => '0.0.0.0',     # local server address
    LocalPort     => '7777',        # local server port
    Listen        => 5,             # queue size for connections
    Proto         => 'tcp',         # protocol used
);
die "cannot create socket $!\n" unless $socket;
print "server waiting for client connection on port 7777\n";

while(1)
{
    # waiting for a new client connection
    my $client_socket = $socket->accept() or die "socket accept failed $!";

    # get information about a newly connected client
    my $client_address = $client_socket->peerhost();
    my $client_port    = $client_socket->peerport();
    print "connection from $client_address:$client_port\n";

    # read up to 1024 characters from the connected client
    my $client_data = '';
    sysread( $client_socket, $client_data, 1024);
    print "received data: $client_data\n";

    # write response data to the connected client
    print $client_socket "Hey $client_data!";

    # notify client that response has been sent
    shutdown($client_socket, 1);
}

END {
    $socket->close();
}

This Server-Application can be called with this Client:

#!/usr/bin/env perl
use IO::Socket::INET;

# auto-flush on socket
$| = 1;

# create a connecting socket
my $socket = new IO::Socket::INET (
    PeerHost    => '127.0.0.1',
    PeerPort    => '7777',
    Proto       => 'tcp',
);
die "cannot connect to the server $!\n" unless $socket;
print "connected to the server\n";

# data to send to a server
my $req = $ARGV[0] . '';
print $socket $req;

# notify server that request has been sent
shutdown($socket, 1);

# receive a response of up to 1024 characters from server
my $response = '';
sysread( $socket, $response,1024);
print "received response: $response\n";

$socket->close();

An interaction of Client and Server could look like this:

inet$ perl server.pl
server waiting for client connection on port 7777
connection from 127.0.0.1:40028
received data: Herbert

inet$ perl client.pl "Herbert"
connected to the server
received response: Hey Herbert!

The cool thing is: The server can also be called from a browser:

So the first conclusion: The code works and is good to showcase basic functionality of a simple Client-Server interaction.

Now the Programs should use SSL to communicate

The Server and Client are written so, that SSL-Ability can be achieved by just adding a few lines in the code:

$ diff inet/server.pl ssl/server.pl 
7c7
< use IO::Socket::INET;
---
> use IO::Socket::SSL 'inet4';
13c13
< my $socket = new IO::Socket::INET (
---
> my $socket = IO::Socket::SSL->new (
17a18,19
>     SSL_cert_file => 'cert.pem',    # SSL certificate   
>     SSL_key_file  => 'key.pem',     # SSL certificate key

$ diff inet/client.pl ssl/client.pl 
5c5
< use IO::Socket::INET;
---
> use IO::Socket::SSL 'inet4';
11c11
< my $socket = new IO::Socket::INET (
---
> my $socket = new IO::Socket::SSL (
14a15
>     SSL_ca_file => 'cert.pem',

So the new SSL enabled code is:

#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::SSL 'inet4';

# auto-flush on socket
$| = 1;

# creating a listening socket
my $socket = IO::Socket::SSL->new (
    LocalAddr     => '0.0.0.0',     # local server address
    LocalPort     => '7777',        # local server port
    Listen        => 5,             # queue size for connections
    Proto         => 'tcp',         # protocol used
    SSL_cert_file => 'cert.pem',    # SSL certificate   
    SSL_key_file  => 'key.pem',     # SSL certificate key
);
die "cannot create socket $!\n" unless $socket;
print "server waiting for client connection on port 7777\n";

while(1)
{
    # waiting for a new client connection
    my $client_socket = $socket->accept() or die "socket accept failed $!";

    # get information about a newly connected client
    my $client_address = $client_socket->peerhost();
    my $client_port    = $client_socket->peerport();
    print "connection from $client_address:$client_port\n";

    # read up to 1024 characters from the connected client
    my $client_data = '';
    sysread( $client_socket, $client_data, 1024);
    print "received data: $client_data\n";

    # write response data to the connected client
    print $client_socket "Hey $client_data!";

    # notify client that response has been sent
    shutdown($client_socket, 1);
}

END {
    $socket->close();
}

and

#!/usr/bin/env perl
use IO::Socket::SSL 'inet4';

# auto-flush on socket
$| = 1;

# create a connecting socket
my $socket = new IO::Socket::SSL (
    PeerHost    => '127.0.0.1',
    PeerPort    => '7777',
    Proto       => 'tcp',
    SSL_ca_file => 'cert.pem',
);
die "cannot connect to the server $!\n" unless $socket;
print "connected to the server\n";

# data to send to a server
my $req = $ARGV[0] . '';
print $socket $req;

# notify server that request has been sent
shutdown($socket, 1);

# receive a response of up to 1024 characters from server
my $response = '';
sysread( $socket, $response,1024);
print "received response: $response\n";

$socket->close();

To run the code, a certificate has to be created first:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365

Now Server and Client can be started and interact nicely:

ssl$ perl server.pl 
Enter PEM pass phrase:
server waiting for client connection on port 7777
connection from 127.0.0.1:40041
received data: Sabine

ssl$ perl client.pl "Sabine"
connected to the server
received response: Hey Sabine!

But what does not work is a connection from a browser like Firefox or Chrome, even though I converted the certificate using:

openssl pkcs12 -export -in cert.pem -inkey key.pem -out webcert.p12

I also imported the newly created certificate into the browser over its import menu.

The connection just gets refused. The browser can't connect and the server fails at $socket->accept() without any helpful message.
UPDATE: There is a message in the exported variable $SSL_ERROR:

SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

I did some testing with the tool analyze ssl

p5-ssl-tools-master$ perl analyze-ssl.pl --show-chain --all-ciphers -v3 127.0.0.1:7777
+ checking host=127.0.0.1(127.0.0.1) port=7777
* version SSLv23 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version SSLv23 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_2 no verification, ciphers= -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_2 no verification, ciphers=HIGH:ALL -> TLSv1_2,ECDHE-RSA-AES128-GCM-SHA256
* version TLSv1_1 no verification, ciphers= -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1_1 no verification, ciphers=HIGH:ALL -> TLSv1_1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers= -> TLSv1,ECDHE-RSA-AES256-SHA
* version TLSv1 no verification, ciphers=HIGH:ALL -> TLSv1,ECDHE-RSA-AES256-SHA
* version SSLv3, no verification, ciphers= -> FAIL! SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
+ 127.0.0.1 failed permanently 'tcp connect: Verbindungsaufbau abgelehnt', no more IP to try
tcp connect: Verbindungsaufbau abgelehnt

The server seems to accept certain requests and fails at the end, maybe in the same way as with the browser?

ssl$ perl server.pl 
Enter PEM pass phrase:
server waiting for client connection on port 7777
connection from 127.0.0.1:40042
received data: 
connection from 127.0.0.1:40043
received data: 
connection from 127.0.0.1:40044
received data: 
connection from 127.0.0.1:40045
received data: 
connection from 127.0.0.1:40046
received data: 
connection from 127.0.0.1:40047
received data: 
connection from 127.0.0.1:40048
received data: 
connection from 127.0.0.1:40049
received data: 
socket accept failed  at server.pl line 27.

My Question

Why is the request with the browser not working? The code should support a browser request in general since it works without SSL. It seems to be a browser specific SSL setting since the SSL-Perl-Client has no problem. Or is the import of the certificate into the browser not working as intended? Can anyone give me a hint or solution in this matter?

UPDATE: When I look at the error message "SSL23" in $SSL_ERROR and the error message in the client test "SSL3" there seems to be a compatibility problem with SSL versions? Do I need to specify explicitly which version I want? (On the other hand the Client-Test for "SSL23" seems to run through successfully...)

Thanks a lot.

UPDATE: Output with $IO::Socket::SSL::DEBUG = 3;

ssl$ perl server.pl 
Enter PEM pass phrase:
DEBUG: .../IO/Socket/SSL.pm:2554: new ctx 42708208
server waiting for client connection on port 7777
DEBUG: .../IO/Socket/SSL.pm:799: no socket yet
DEBUG: .../IO/Socket/SSL.pm:801: accept created normal socket IO::Socket::SSL=GLOB(0x28ac158)
DEBUG: .../IO/Socket/SSL.pm:829: starting sslifying
DEBUG: .../IO/Socket/SSL.pm:873: Net::SSLeay::accept -> -1
DEBUG: .../IO/Socket/SSL.pm:1779: SSL accept attempt failed

DEBUG: .../IO/Socket/SSL.pm:1784: SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
socket accept failed: SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request at server.pl line 28.
DEBUG: .../IO/Socket/SSL.pm:2587: free ctx 42708208 open=42708208
DEBUG: .../IO/Socket/SSL.pm:2599: OK free ctx 42708208

Answer 1

... SSL accept attempt failed error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

My guess is that you still use a http:// URL to access the server even though you would need to use a https:// URL. This means that the browser sends a HTTP request to the server instead of first doing the TLS handshake and only sending the HTTP request after the successful handshake.

Apart from that you count on the browser understanding the old and long deprecated HTTP 0.9 protocol which consists of only the response body without any HTTP header. Not all browser understand this.