Skip Menu |

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 63743
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

Owner: Nobody in particular
Requestors: carnil [...]

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: verify_callback invoked 3 times per connection
Date: Wed, 8 Dec 2010 16:46:42 +0100
To: bug-IO-Socket-SSL [...]
From: Salvatore Bonaccorso <carnil [...]>
Download (untitled) / with headers
text/plain 4.2k
Hi Steffen Daniel Kahn Gillmor reported an obvervation on invoking a supplied verify_callback on [1]. Do you have a comment on this? Thanks in advance, and thanks for developping IO::Socket::SSL. Bests Salvatore [1] ----- Forwarded message from Daniel Kahn Gillmor <> ----- From: Daniel Kahn Gillmor <> Resent-From: Daniel Kahn Gillmor <> Reply-To: Daniel Kahn Gillmor <>, X-Mailer: reportbug 4.12.6 Date: Tue, 07 Dec 2010 14:45:02 -0500 To: Debian Bug Tracking System <> Subject: Bug#606249: libio-socket-ssl-perl: verify_callback invoked 3 times per connection Package: libio-socket-ssl-perl Version: 1.35-1 Severity: normal If i supply a verify_callback, i find it gets invoked three times for a single connection, if the callback is approved each time (if the callback ever fails, it looks like it shortcuts the repeated verify attempts). This is surprising to me. if it is intentional, i think it should be better-documented at least. If it is not intentional, it's possible that the bug is in Net::SSLeay, or even further down in the stack. Feel free to re-assign as you see fit. Attached is a simple test case if you want to verify for yourself. when i run it i get: 0 dkg@pip:~/tmp$ ./ DEBUG: .../IO/Socket/ new ctx 163340976 DEBUG: .../IO/Socket/ socket not yet connected DEBUG: .../IO/Socket/ socket connected DEBUG: .../IO/Socket/ ssl handshake not started DEBUG: .../IO/Socket/ ok=0 cert=163571568 verify called (7 ok) DEBUG: .../IO/Socket/ ok=0 cert=163571568 verify called (7 ok) DEBUG: .../IO/Socket/ ok=1 cert=163146456 verify called (7 ok) DEBUG: .../IO/Socket/ Net::SSLeay::connect -> 1 DEBUG: .../IO/Socket/ ssl handshake done DEBUG: .../IO/Socket/ free ctx 163340976 open=163340976 DEBUG: .../IO/Socket/ free ctx 163340976 callback DEBUG: .../IO/Socket/ OK free ctx 163340976 got 8271 characters 0 dkg@pip:~/tmp$ thanks for maintaining IO::Socket::SSL in debian! --dkg -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libio-socket-ssl-perl depends on: ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay ii netbase 4.43 Basic TCP/IP networking system ii perl 5.10.1-16 Larry Wall's Practical Extraction Versions of packages libio-socket-ssl-perl recommends: ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn Versions of packages libio-socket-ssl-perl suggests: pn libio-socket-inet6-perl <none> (no description available) -- no debconf information #!/usr/bin/perl use IO::Socket::SSL 1.35 qw(debug3); use Net::SSLeay; use LWP::Simple; use warnings; use strict; # perversely reject connections 10% of the time, based on the wall clock: sub verify { my $x = (time() % 10); if ($x > 0) { printf("verify called (%d ok)\n", $x); return 1; } else { printf("verify called (%d nope)\n", $x); return 0; } } IO::Socket::SSL::set_ctx_defaults( verify_callback => sub { return verify(@_); }, verify_mode => 0x03, # this argument is irrelevant, but currently required -- see ca_path => '.', ); my $content = LWP::Simple::get(''); if (defined($content)) { printf("got %d characters\n", length($content)); } else { printf("connection failed\n"); } Show quoted text
_______________________________________________ pkg-perl-maintainers mailing list
----- End forwarded message -----
text/x-perl 946b

Message body is not shown because sender requested not to inline it.

Download signature.asc
application/pgp-signature 835b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 244b
the verify_callback behaves like defined in openssl, e.g. it is invoked for each element in the certificate chain. See for more documentation. I will try to make the documentation clearer

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to