Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 81081
Status: rejected
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: agnewtj [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: SSL failure on Ubuntu 12.10
Date: Fri, 9 Nov 2012 13:36:17 -0600
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Tom Agnew <agnewtj [...] gmail.com>
Download (untitled) / with headers
text/plain 409b
Greetings - I just encountered a bug in /usr/local/share/perl/5.14.2/IO/Socket/SSL.pm: "invalid SSL_version specified" The SSL_version is now "SSLv3 TLSv1" which fails the regexp on line 1490. I was able to hack the line as a workaround as follows.... changing: m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i to: m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))}i Regards, Tom Agnew
On Fri Nov 09 14:36:27 2012, agnewtj@gmail.com wrote: Show quoted text
> Greetings - > > I just encountered a bug in
/usr/local/share/perl/5.14.2/IO/Socket/SSL.pm: Show quoted text
> "invalid SSL_version specified" > > The SSL_version is now "SSLv3 TLSv1" which fails the regexp on line
1490. 'SSLv3 TLSv1' is not in the documented format. If you want to disable SSLv2 the best way would be to just leave the default of 'SSLv23:!SSLv2', which includes TLSv1 and SSLv3, but forbids SSLv2. Show quoted text
> > I was able to hack the line as a workaround as follows.... > ...
This workaround only makes it accept the wrong SSL_version, but will interprete it wrongly as 'SSLv3'. Contrary to older versions of IO::Socket::SSL the version parsing was changed, so that only valid values will be accept, instead of accepting anything and interpreting it in a not-intented way like old versions did. If the wrong setting comes from your application please fix it. If the setting comes from another module please notify the author and let me know, so that I would be aware of incompatible modules in case of other bug reports.
CC: behroozi [...] www.pls.uni.edu, caspian [...] dotconf.net
Subject: Re: [rt.cpan.org #81081] SSL failure on Ubuntu 12.10
Date: Fri, 09 Nov 2012 23:48:43 +0000
To: Steffen Ullrich via RT <bug-IO-Socket-SSL [...] rt.cpan.org>, agnewtj [...] gmail.com
From: agnewtj [...] gmail.com
Download (untitled) / with headers
text/plain 1.4k
Thanks for the quick reply and the helpful explanation. The error comes from the "sendEmail" package, which is formatting the SSL_version in the non-standard manner you describe. I have cc'd the author of sendEmail. Best regards, Tom Agnew On , Steffen Ullrich via RT <bug-IO-Socket-SSL@rt.cpan.org> wrote: Show quoted text
Show quoted text
> On Fri Nov 09 14:36:27 2012, agnewtj@gmail.com wrote:
Show quoted text
> > Greetings -
Show quoted text
> >
Show quoted text
> > I just encountered a bug in
Show quoted text
> /usr/local/share/perl/5.14.2/IO/Socket/SSL.pm:
Show quoted text
> > "invalid SSL_version specified"
Show quoted text
> >
Show quoted text
> > The SSL_version is now "SSLv3 TLSv1" which fails the regexp on line
Show quoted text
> 1490.
Show quoted text
> 'SSLv3 TLSv1' is not in the documented format.
Show quoted text
> If you want to disable SSLv2 the best way would be to just leave
Show quoted text
> the default of 'SSLv23:!SSLv2', which includes TLSv1 and SSLv3,
Show quoted text
> but forbids SSLv2.
Show quoted text
> >
Show quoted text
> > I was able to hack the line as a workaround as follows....
Show quoted text
> > ...
Show quoted text
> This workaround only makes it accept the wrong SSL_version, but
Show quoted text
> will interprete it wrongly as 'SSLv3'.
Show quoted text
> Contrary to older versions of IO::Socket::SSL the version parsing
Show quoted text
> was changed, so that only valid values will be accept, instead of
Show quoted text
> accepting anything and interpreting it in a not-intented way like
Show quoted text
> old versions did.
Show quoted text
> If the wrong setting comes from your application please fix it.
Show quoted text
> If the setting comes from another module please notify the author
Show quoted text
> and let me know, so that I would be aware of incompatible modules
Show quoted text
> in case of other bug reports.
Download (untitled) / with headers
text/plain 301b
Issue rejected because problem is not in IO::Socket::SSL. The caller used SSL_version parameter in a way it was not intended and documented and which also never worked like the caller intended. Due to stricter parameter checking this misconfiguratoon now throws an error. Need to be fixed in caller.
CC: Steffen Ullrich via RT <bug-IO-Socket-SSL [...] rt.cpan.org>, behroozi [...] www.pls.uni.edu
Subject: Re: [rt.cpan.org #81081] SSL failure on Ubuntu 12.10
Date: Mon, 10 Dec 2012 13:00:02 +0800
To: agnewtj [...] gmail.com
From: Brandon Zehm <caspian [...] dotconf.net>
Download (untitled) / with headers
text/plain 1.9k
I never replied, but thanks Tom. I'm traveling overseas and won't be back to a normal schedule until January. At that time I plan on getting this (and several other reported bugs/enhancments) put in place and released. Thanks for the report! Brandon On Sat, Nov 10, 2012 at 7:48 AM, <agnewtj@gmail.com> wrote: Show quoted text
> Thanks for the quick reply and the helpful explanation. The error comes > from the "sendEmail" package, which is formatting the SSL_version in the > non-standard manner you describe. > > I have cc'd the author of sendEmail. > > Best regards, > Tom Agnew > > On , Steffen Ullrich via RT <bug-IO-Socket-SSL@rt.cpan.org> wrote:
> > https://rt.cpan.org/Ticket/Display.html?id=81081 > > > > > > > > > On Fri Nov 09 14:36:27 2012, agnewtj@gmail.com wrote: > >
> > > Greetings -
> >
> > >
> >
> > > I just encountered a bug in
> > > > /usr/local/share/perl/5.14.2/IO/Socket/SSL.pm: > >
> > > "invalid SSL_version specified"
> >
> > >
> >
> > > The SSL_version is now "SSLv3 TLSv1" which fails the regexp on line
> > > > 1490. > > > > > > > > 'SSLv3 TLSv1' is not in the documented format. > > > > If you want to disable SSLv2 the best way would be to just leave > > > > the default of 'SSLv23:!SSLv2', which includes TLSv1 and SSLv3, > > > > but forbids SSLv2. > > > > > >
> > >
> >
> > > I was able to hack the line as a workaround as follows....
> >
> > > ...
> > > > > > > > This workaround only makes it accept the wrong SSL_version, but > > > > will interprete it wrongly as 'SSLv3'. > > > > Contrary to older versions of IO::Socket::SSL the version parsing > > > > was changed, so that only valid values will be accept, instead of > > > > accepting anything and interpreting it in a not-intented way like > > > > old versions did. > > > > > > > > If the wrong setting comes from your application please fix it. > > > > If the setting comes from another module please notify the author > > > > and let me know, so that I would be aware of incompatible modules > > > > in case of other bug reports. > > > >
bug closed again, not an IO::Socket::SSL issue, but bug in 3rd party module using IO::Socket::SSL


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.