Perl: SSL Communication in web applications

The following demonstrates how to set up strict SSL communication between a client and a server over HTTP.
This setup could be used when creating a web API which requires strong encryption and only allows clients which have a properly signed certificate.

The Apache configuration in the below example will actually require 2 web servers:

  • one proxy host, which will accept the SSL connection, verify it, check for ACLs and then forward the connection unencrypted internally
  • one internal web server which will actually contain the WebAPI scripts

This article explains how to use Mojolicious for the WebAPI side and LWP::UserAgent to send and receive the WebAPI calls. We will furthermore use JSON to send and receive information.

First we need to have or create a set of OpenSSL certificates.
The below example uses self-signed certificates, since they don’t cost any money and suit the purpose of this example perfectly.
There are a million how-tos on the internet which explain these steps very thoroughly, so I won’t reinvent the wheel. I’m just going to post the steps I took to create:

  • a CA certificate
  • a client certificate
  • a server certificate

Next we will need to configure our web server (this example uses the Apache web server) to use our self-signed certificates and to proxy our WebAPI calls to the internal server.

The above is the configuration for the external proxy server. The internal web server should have a pretty straightforward configuration:

  • a cgi-handler for the Perl extension ‘.pl’

I could also have sent those proxy requests to an internal Mojolicious application, listening on a specific port. I’ll leave that for another article.

The test client script is going to make an SSL connection to the external web server, send some JSON and wait for the server to send some JSON data back. The interesting part in the below script is how to set up the SSL connection.
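
As an added illustration (not the article's original script), this is one way to write such a client with LWP::UserAgent: it presents the client certificate, verifies the server against our own CA, and tells a failed TLS setup apart from an HTTP error. The URL, the payload and the certificate paths are placeholders assumed for the example.

```perl
#!/usr/bin/env perl
# Added example: JSON-over-HTTPS client that presents a client certificate.
# URL, payload and certificate paths are placeholders, not values from the article.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use JSON::PP qw(encode_json decode_json);

my $url = 'https://api.example.test/webapi/test.pl';    # placeholder endpoint
my %pki = (
    SSL_ca_file   => 'certs/ca.crt',       # CA that signed the server certificate
    SSL_cert_file => 'certs/client.crt',   # our certificate, signed by that CA
    SSL_key_file  => 'certs/client.key',   # private key for the client certificate
);
-r $pki{$_} or die "cannot read $_: $pki{$_}\n" for sort keys %pki;

my $ua = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => { verify_hostname => 1, %pki },   # check chain and host name
);
$ua->protocols_allowed(['https']);   # refuse to talk plain HTTP

my $req = HTTP::Request->new(POST => $url);
$req->header('Content-Type' => 'application/json');
$req->content(encode_json({ action => 'ping' }));   # constructed sample payload

my $res = $ua->request($req);
unless ($res->is_success) {
    # LWP turns connect/handshake errors into a synthetic 500 marked this way,
    # which separates "TLS setup failed" from "the server answered with an error".
    my $local = ($res->header('Client-Warning') // '') eq 'Internal response';
    my $kind  = $local ? 'connection/TLS' : 'HTTP';
    die "$kind failure: " . $res->status_line . "\n";
}

# Headers added by LWP::Protocol::https describing the negotiated session.
printf "server cert: %s\ncipher:      %s\n",
    $res->header('Client-SSL-Cert-Subject') // '?',
    $res->header('Client-SSL-Cipher')       // '?';

# decode_json expects UTF-8 octets, so undo content encoding but not the charset.
my $data = eval { decode_json($res->decoded_content(charset => 'none')) };
die "response is not valid JSON: $@" if $@;
print "reply: ", encode_json($data), "\n";
```

Keeping verify_hostname enabled and pointing SSL_ca_file at our own CA is what makes the client reject any server certificate that CA did not sign.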

The server example uses the Mojolicious framework. Mojolicious is the porn for every Perl WebAPI developer. If you don’t know it, you should be ashamed and start reading about it right away.

Example output of the test client script:
