Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 74159
Status: rejected
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: AHARRISON [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 1.14
  • 1.15
  • 1.16
  • 1.16_1
  • 1.16_2
  • 1.16_3
  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22
  • 1.23
  • 1.24
  • 1.25
  • 1.26
  • 1.27
  • 1.28
  • 1.29
  • 1.30
  • 1.30_2
  • 1.30_3
  • 1.31
  • 1.32
  • 1.33
  • 1.34
  • 1.35
  • 1.36
  • 1.37
  • 1.38
  • 1.39
  • 1.40
  • 1.41
  • 1.42
  • 1.43
  • 1.43_1
  • 1.44
  • 1.45
  • 1.46
  • 1.47
  • 1.48
  • 1.49
  • 1.50
  • 1.51
  • 1.52
  • 1.53
  • 1.54
Fixed in: (no value)



Subject: "Cannot determine peer hostname for verification"
Download (untitled) / with headers
text/plain 3.5k
I'm still getting these errors with the latest version of IO::Socket::SSL when using it with Net::LDAP and start_tls. Here's a Data::Dump of the plain Net::LDAP object after the start_tls: (I altered the actual hostnames seen here) "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)"do { require Symbol; my $a = bless({ callback => undef, controls => undef, ctrl_hash => undef, errorMessage => "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)", matchedDN => "", mesgid => 1, parent => bless({ net_ldap_async => 0, net_ldap_debug => 0, net_ldap_host => "ldap-server.example.com", net_ldap_mesg => {}, net_ldap_port => 389, net_ldap_refcnt => 1, net_ldap_resp => {}, net_ldap_scheme => "ldap", net_ldap_socket => bless(Symbol::gensym(), "IO::Socket::INET"), net_ldap_uri => "ldap-server.example.com:389", net_ldap_version => 3, }, "Net::LDAP"), raw => undef, resultCode => 1, }, "Net::LDAP::Extension"); *{$a->{parent}{net_ldap_socket}} = { _SSL_last_err => "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)", io_socket_domain => 2, io_socket_proto => 6, io_socket_timeout => 120, io_socket_type => 1, }; $a; Here's the code to I tested with: #!/mc/apps/perl/current/bin/perl use Data::Dump; use Net::LDAP; my $ldap = Net::LDAP->new( 'ldap-server.example.com:389' ); my $mesg = $ldap->start_tls( verify => 'require', capath => '/usr/local/etc/openldap/certs' ); print Data::Dump::dump($mesg); I'm using Net::LDAP 0.43. One-by-one I kept back reving IO::Socket::SSL finally settling on 1.13 which worked. My Net::SSLeay versions tried were between 1.36 and 1.42. My perl version is 5.14.2, which I compiled with perlbrew. (Details attached so as not to clutter this ticket any more than I have...). Operating system doesn't seem to matter, I get the same problem on an old CentOS 5.2 server as well as my opensuse 12.1 desktop. I also get the same problem whether I use one of my custom perlbrew builds or the stock os perl installation. The certificate used by my openldap server is a self signed wildcard cert (*.example.com). The issuers of both the server and client certs are exactly identical. In the client cert, the subject and issuer fields are identical. In the server cert, subject differs in that the CN attribute is *.example.com. Certificate details: # openssl x509 -noout -in /path/to/wildcard-LDAP.crt -subject -issuer subject= /C=US/ST=New Hampshire/L=Fake/O=Department/CN=*.example.com issuer= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net # openssl x509 -noout -in /path/to/client-LDAP.crt -subject -issuer subject= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net issuer= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net (I was careful in falsifying the information so as to preserve the differences, like with the .com vs. .net tld related to the email address, just in case that matters.)
Subject: perlbrew-details.txt
The details of my perl build: ------------------------------- Summary of my perl5 (revision 5 version 14 subversion 2) configuration: Platform: osname=linux, osvers=2.6.18-92.1.6.el5, archname=x86_64-linux-thread-multi uname='linux maple 2.6.18-92.1.6.el5 #1 smp wed jun 25 13:45:47 edt 2008 x86_64 x86_64 x86_64 gnulinux ' config_args='-de -Dprefix=/mc/apps/perl/current/perls/perl-5.14.2 -Dusethreads -Dnoextensions=ODB_File -Adefine:installscript=/mc/apps/perl/current/perls/perl-5.14.2/bin -Adefine:installsitescript=/mc/apps/perl/current/perls/perl-5.14.2/bin -Adefine:scriptdir=/mc/apps/perl/current/perls/perl-5.14.2/bin -Adefine:scriptdirexp=/mc/apps/perl/current/perls/perl-5.14.2/bin -Adefine:sitescript=/mc/apps/perl/current/perls/perl-5.14.2/bin -Adefine:sitescriptexp=/mc/apps/perl/current/perls/perl-5.14.2/bin' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2', cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.1.2 20071124 (Red Hat 4.1.2-42)', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags =' -fstack-protector -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64 /usr/local/lib64 libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc libc=/lib/libc-2.5.so, so=so, useshrplib=false, libperl=libperl.a gnulibc_version='2.5' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector' Characteristics of this binary (from libperl): Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV PERL_IMPLICIT_CONTEXT PERL_MALLOC_WRAP PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT USE_ITHREADS USE_LARGE_FILES USE_PERLIO USE_PERL_ATOF USE_REENTRANT_API Built under linux Compiled at Dec 27 2011 21:22:34 %ENV: PERLBREW_HOME="/root/.perlbrew" PERLBREW_PATH="/mc/apps/perl/current/bin:/mc/apps/perl/current/perls/perl-5.14.2/bin" PERLBREW_PERL="perl-5.14.2" PERLBREW_ROOT="/mc/apps/perl/current" PERLBREW_VERSION="0.27" PERL_CPANM_OPT="--mirror http://mirror.metrocast.net/cpan/" @INC: /mc/apps/perl/current/perls/perl-5.14.2/lib/site_perl/5.14.2/x86_64-linux-thread-multi /mc/apps/perl/current/perls/perl-5.14.2/lib/site_perl/5.14.2 /mc/apps/perl/current/perls/perl-5.14.2/lib/5.14.2/x86_64-linux-thread-multi /mc/apps/perl/current/perls/perl-5.14.2/lib/5.14.2
Download (untitled) / with headers
text/plain 954b
from what I see Net::LDAP does the following, in case you first do a ldap connect and the upgrade to TLS: - you call Net::LDAP->new(host) - new calls connect_ldap - connect_ldap creates IO::Socket::INET object which then connects to the server and stores the socket as net_ldap_socket, the hostname gets stored in net_ldap_host - then you call $ldap->start_tls(..) - this calls IO::Socket::SSL::start_SSL with various parameters, but NOT with the hostname of the server - IO::Socket::SSL tries to get hostname from the IO::Socket::INET object (PeerAddr) and fails and has thus no way to verify the hostname The reason this fails since 1.14 is, that 1.14 introduced the hostname checking: | - added support for verification of hostname from certificate | .. Since I don't have any ldap server for testing I can only suggest the attached diff to LDAP.pm, maybe it works. If yes, please forward it to the Net::LDAP maintainer. Regards, Steffen
Subject: LDAP.pm.diff
Download LDAP.pm.diff
text/x-diff 497b
--- LDAP.pm.orig 2012-01-19 18:08:05.697495225 +0100 +++ LDAP.pm 2012-01-19 18:10:58.333489820 +0100 @@ -1035,7 +1035,10 @@ my $sock_class = ref($sock); return $mesg - if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)}); + if IO::Socket::SSL->start_SSL($sock, { + _SSL_context_init_args($arg), + SSL_verifycn_name => $ldap->{net_ldap_host}, + }); my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
Download (untitled) / with headers
text/plain 373b
Thanks Steffen. That fix didn't quite do the trick, but it definitely got me barking up the right tree. I found this patch from a few months ago by Peter Marschall to Net::LDAP that gets things working perfectly. Posting it here for anyone else who might come looking for answers. https://github.com/gbarr/perl- ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
Reference to Net::LDAP patch documented.
Download (untitled) / with headers
text/plain 246b
Show quoted text
> > https://github.com/gbarr/perl- > ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
it's not the repository of gbarr, but marschap. The correct URL is: https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
Download (untitled) / with headers
text/plain 518b
On Fri Jan 20 01:56:41 2012, SULLR wrote: Show quoted text
>
> > > > https://github.com/gbarr/perl- > > ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
> > it's not the repository of gbarr, but marschap. > The correct URL is: > https://github.com/marschap/perl- > ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
As you can see, the url's reference the same commit. Regardless, Graham already pulled the change into his 'next' branch and fixed the typo in Peter's commit, so the gbarr url is the appropriate repository.
Bug rejected, because not caused by IO::Socket::SSL


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.