Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id:
129542
Status:
resolved
Priority:
Low/Low
Queue:

People
Owner:
chrisn [...] cpan.org
Requestors:
voegelas [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity:
Normal
Broken in:
1.88
Fixed in:
1.89_01



Subject: www.google.com causes t/external/15_altnames.t to fail
Testing Net::SSLeay 1.88 on Slackware64-current with OpenSSL 1.1.1b fails in 15_altnames.t when connecting to www.google.com. This problem might depend on the location, which is Germany in my case. I ran the exernal tests in two locations, Stuttgart and Nuremberg. If www.google.com is replaced with, for example, www.duckduckgo.com or www.heise.de the tests pass. $ prove -v t/external/15_altnames.t t/external/15_altnames.t .. 1..9 ok 1 - connection not ok 2 - get_subjectAltNames works my @sites = qw( www.google.com www.microsoft.com www.kernel.org );
Thanks for the report, Andreas. On Sun May 12 07:15:13 2019, voegelas wrote:
Show quoted text
> Testing Net::SSLeay 1.88 on Slackware64-current with OpenSSL 1.1.1b > fails in 15_altnames.t when connecting to www.google.com. This problem > might depend on the location, which is Germany in my case. I ran the > exernal tests in two locations, Stuttgart and Nuremberg. If > www.google.com is replaced with, for example, www.duckduckgo.com or > www.heise.de the tests pass. > > $ prove -v t/external/15_altnames.t > t/external/15_altnames.t .. > 1..9 > ok 1 - connection > not ok 2 - get_subjectAltNames works > > my @sites = qw( > www.google.com > www.microsoft.com > www.kernel.org > );
This does indeed appear to depend on your location, as the test passes fine from a UK IP address --- apart from test 2, does t/external/15_altnames.t pass for you?
Hello Chris, On 12.05.19 13:36, Chris Novakovic via RT wrote:
Show quoted text
> Thanks for the report, Andreas. > > On Sun May 12 07:15:13 2019, voegelas wrote:
>> Testing Net::SSLeay 1.88 on Slackware64-current with OpenSSL 1.1.1b >> fails in 15_altnames.t when connecting to www.google.com. This problem >> might depend on the location, which is Germany in my case. I ran the >> exernal tests in two locations, Stuttgart and Nuremberg. If >> www.google.com is replaced with, for example, www.duckduckgo.com or >> www.heise.de the tests pass. >> >> $ prove -v t/external/15_altnames.t >> t/external/15_altnames.t .. >> 1..9 >> ok 1 - connection >> not ok 2 - get_subjectAltNames works >> >> my @sites = qw( >> www.google.com >> www.microsoft.com >> www.kernel.org >> );
> > This does indeed appear to depend on your location, as the test passes fine from a UK IP address --- apart from test 2, does t/external/15_altnames.t pass for you?
Yes, www.microsoft.com and www.kernel.org are tested successfully. If I connect to www.google.com with "openssl s_client -connect www.google.com:443 -servername www.google.com" I get the certificate attached in openssl.crt, which contains a subject alternative name. I added the below line to 15_altnames.t. print STDERR Net::SSLeay::PEM_get_string_X509($c); This outputs the certificate attached in perl.crt. The certificate's subject is: Subject: OU = "No SNI provided; please fix your client.", CN = invalid2.invalid The command "openssl s_client -connect www.google.com:443 -noservername" also returns the invalid certificate. www.google.com resolves to the below addresses. I've got both IPv4 and IPv6, but that doesn't seem to matter. $ host www.google.com www.google.com has address 172.217.22.100 www.google.com has IPv6 address 2a00:1450:4001:81d::2004
After auditing the external tests, we've discovered that most of them are in fact unnecessary as well as problematic for the reasons you raised, and have now removed them (the full details can be found at https://github.com/radiator-software/p5-net-ssleay/pull/155). These changes will be part of the next developer release (1.89_01), and the next stable release (1.90) after that. Thanks again for the bug report!


This service runs on Request Tracker, is sponsored by The Perl Foundation, and maintained by Best Practical Solutions.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.