Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 75165
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: paul [...] city-fan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 1.54
  • 1.55
Fixed in: (no value)



Subject: t/dhe.t failing with OpenSSL 1.0.1 beta
I've tried building IO-Socket-SSL on the Fedora development branches, which were recently updated to have OpenSSL 1.0.1 beta. When I do so, the t/dhe.t test fails. Turning on TEST_VERBOSE and debug2, I get: DEBUG: .../IO/Socket/SSL.pm:494: no socket yet DEBUG: .../IO/Socket/SSL.pm:193: set domain to 2 DEBUG: .../IO/Socket/SSL.pm:334: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:336: socket connected DEBUG: .../IO/Socket/SSL.pm:496: accept created normal socket IO::Socket::SSL=GLOB(0x8558278) DEBUG: .../IO/Socket/SSL.pm:512: starting sslifying DEBUG: .../IO/Socket/SSL.pm:354: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:1281: SSL accept attempt failed with unknown errorerror:04075070:rsa routines:RSA_sign:digest too big for rsa key SSL error: 31249: 1 - error:1409B006:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:EVP lib DEBUG: .../IO/Socket/SSL.pm:445: connection failed - connect returned 0 t/dhe.t .................... 1..3 ok # [server] Server Initialization not ok # [server] accept failed: Failed 2/3 subtests If I revert OpenSSL to 1.0.0g, the test passes: DEBUG: .../IO/Socket/SSL.pm:494: no socket yet DEBUG: .../IO/Socket/SSL.pm:193: set domain to 2 DEBUG: .../IO/Socket/SSL.pm:334: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:336: socket connected DEBUG: .../IO/Socket/SSL.pm:496: accept created normal socket IO::Socket::SSL=GLOB(0x8cc2a0) DEBUG: .../IO/Socket/SSL.pm:354: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:512: starting sslifying DEBUG: .../IO/Socket/SSL.pm:600: handshake done, socket ready DEBUG: .../IO/Socket/SSL.pm:500: accept_SSL ok DEBUG: .../IO/Socket/SSL.pm:452: ssl handshake done t/dhe.t .................... 1..3 ok # [server] Server Initialization ok # [server] Server accepted ok # [client] client connected ok I originally suspected an OpenSSL regression so I reported it on Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=789447 However, it might also be a problem in IO-Socket-SSL or Net-SSLeay, or even if not, you might have a better idea where the problem was.
Download (untitled) / with headers
text/plain 307b
Hi, I can verify the problem with openssl 1.0.1-beta2 and Net::SSLeay 1.42. But with the latest Net::SSLeay from SVN the problem does not occure anymore. I've tried to track down the problem in the diffs but did not find anything obvious. So maybe you should talk to the Net::SSLeay folks. Regards, Steffen
From: paul [...] city-fan.org
Download (untitled) / with headers
text/plain 531b
On Tue Feb 21 03:23:31 2012, SULLR wrote: Show quoted text
> Hi, > I can verify the problem with openssl 1.0.1-beta2 and Net::SSLeay 1.42. > But with the latest Net::SSLeay from SVN the problem does not occure > anymore. I've tried to track down the problem in the diffs but did not > find anything obvious. > So maybe you should talk to the Net::SSLeay folks.
Curious; I tried patching Net-SSLeay 1.42 with the changes from revisions 281 to 303, which should give me the same as a full svn build, and it made no difference at all when I tried it.
Subject: Re: [rt.cpan.org #75165] t/dhe.t failing with OpenSSL 1.0.1 beta
Date: Tue, 21 Feb 2012 12:33:09 +0100
To: "paul [...] city-fan.org via RT" <bug-IO-Socket-SSL [...] rt.cpan.org>
From: Steffen Ullrich <Steffen_Ullrich [...] genua.de>
Download (untitled) / with headers
text/plain 701b
Show quoted text
> > Curious; I tried patching Net-SSLeay 1.42 with the changes from > revisions 281 to 303, which should give me the same as a full svn build, > and it made no difference at all when I tried it.
strange, now I it doesn't succeed on the SVN version for me anymore. Must hevae been some hiccups with library path which made it load the old libssl before probably. I'll look into the problem again. Regards, Steffen -- GeNUA Gesellschaft für Netzwerk - und Unix-Administration mbH Domagkstr. 7, D-85551 Kirchheim. http://www.genua.de Tel: (089) 99 19 50-0, Fax: (089) 99 10 50 - 999 Geschäftsführer: Dr. Magnus Harlander, Dr. Michaela Harlander, Bernhard Schneck. Amtsgericht München HRB 98238
From: paul [...] city-fan.org
Download (untitled) / with headers
text/plain 732b
On Tue Feb 21 06:33:44 2012, SULLR wrote: Show quoted text
> > > > Curious; I tried patching Net-SSLeay 1.42 with the changes from > > revisions 281 to 303, which should give me the same as a full svn build, > > and it made no difference at all when I tried it.
> > strange, now I it doesn't succeed on the SVN version for me anymore. > Must hevae been some hiccups with library path which made it load the old > libssl before probably. > I'll look into the problem again. > > Regards, > Steffen
I have discovered that if I add 'SSL_version => "TLSv1"' to the IO::Socket::SSL->new call in t/dhe.t then the test passes. Maybe what's happening is that OpenSSL is autonegotiates TLSv1.2 by default and that needs a key that's bigger than 384 bits?
From: paul [...] city-fan.org
Download (untitled) / with headers
text/plain 938b
On Sun Feb 26 07:25:15 2012, paul@city-fan.org wrote: Show quoted text
> On Tue Feb 21 06:33:44 2012, SULLR wrote:
> > > > > > Curious; I tried patching Net-SSLeay 1.42 with the changes from > > > revisions 281 to 303, which should give me the same as a full svn
build, Show quoted text
> > > and it made no difference at all when I tried it.
> > > > strange, now I it doesn't succeed on the SVN version for me anymore. > > Must hevae been some hiccups with library path which made it load
the old Show quoted text
> > libssl before probably. > > I'll look into the problem again. > > > > Regards, > > Steffen
> > I have discovered that if I add 'SSL_version => "TLSv1"' to the > IO::Socket::SSL->new call in t/dhe.t then the test passes. Maybe what's > happening is that OpenSSL is autonegotiates TLSv1.2 by default and that > needs a key that's bigger than 384 bits?
Unfortunately, specifying SSL_version (I also tried SSLv3) seems to break the test with older OpenSSL versions :-(
Download (untitled) / with headers
text/plain 544b
Show quoted text
> > I have discovered that if I add 'SSL_version => "TLSv1"' to the > > IO::Socket::SSL->new call in t/dhe.t then the test passes. Maybe what's > > happening is that OpenSSL is autonegotiates TLSv1.2 by default and that > > needs a key that's bigger than 384 bits?
> > Unfortunately, specifying SSL_version (I also tried SSLv3) seems to > break the test with older OpenSSL versions :-(
I've now (version 1.58) added a workaround be setting version to tlsv1 if openssl is >=1.0.1. Thanks for helping to solve the problem. Regards, Steffen


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.