This queue is for tickets about the Email-Send-SMTP-Gmail CPAN distribution.

Report information

The Basics
Id: 81710
Status: resolved
Priority: Low/Low

People
Owner: Nobody in particular
Requestors: blakesteel [...] gmail.com
Cc:
AdminCc:

BugTracker
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)


Subject: verify errors with Email-Send-SMTP-Gmail-0.32
Date: Tue, 4 Dec 2012 18:11:10 -0800
To: bug-email-send-smtp-gmail@rt.cpan.org
From: blakesteel <blakesteel@gmail.com>
Using the synopsis example code on the Email-Send-SMTP-Gmail-0.32 site, with the values altered to point to the correct login/password/etc values, I receive the errors pasted below:


   use strict;
   use warnings;

   use Email::Send::SMTP::Gmail;

   my $mail=Email::Send::SMTP::Gmail->new( -smtp=>'smtp.gmail.com',
                                           -login=>'whateveraddress@gmail.com',
                                           -pass=>'whatever_pass');

   $mail->send(-to=>'target@xxx.com',
               -subject=>'Hello!',
               -charset=>'UTF-8',
               -verbose=>'1',
               -body=>'Just testing it',
               -attachments=>'full_path_to_file');

   $mail->bye;

connecting....
*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 together with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at Gmail.pm line 36.
Terminating on signal SIGINT(2)

Please advise.

On Tue Dec 04 21:11:40 2012, blakesteel@gmail.com wrote:
> Using the synopsis example code on the Email-Send-SMTP-Gmail-0.32
> site, with the values altered to point to the correct login/password/etc
> values,
> *******************************************************************
> Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
> is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
> together with SSL_ca_file|SSL_ca_path for verification.
> If you really don't want to verify the certificate and keep the
> connection open to Man-In-The-Middle attacks please set
> SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
> *******************************************************************
> at Gmail.pm line 36.
> Terminating on signal SIGINT(2)
>
> Please advise.

Hello.

Thank you for your bug reporting.

Actually, this is bug of another module (NET::SMTP::SSL) that affects SMTP::Gmail :-/
I saw it's already opened (4 days ago) https://rt.cpan.org/Public/Bug/Display.html?id=81594

BTW, here you are a temporal workaround:

"By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the
parameters, this can be made to work again, but there appears to be no
path for end users to make this operational."

Regards,
Peco

On Wed Dec 05 03:41:56 2012, PECO wrote:
> BTW, here you are a temporal workaround:
>
> "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the
> parameters, this can be made to work again, but there appears to be no
> path for end users to make this operational."
>

Workaround:

1) at line 36 of Email::Send::SMTP::Gmail:

      if (not $self->{sender} = Net::SMTP::SSL->new(
          $smtp,
          Port => $port,
          Debug => $debug,
          SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
      )) {
          die "Could not connect to SMTP server\n";
      }

2) at line 40 of Net::SMTP:

      foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) {
        $obj = $type->SUPER::new(
          %arg,
          PeerAddr => ($host = $h),
          PeerPort => $arg{Port} || 'smtp(25)',
          LocalAddr => $arg{LocalAddr},
          LocalPort => $arg{LocalPort},
          Proto     => 'tcp',
          Timeout   => defined $arg{Timeout} ? $arg{Timeout} : 120,
        )
        and last;
      }

On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote:
> On Wed Dec 05 03:41:56 2012, PECO wrote:
> > BTW, here you are a temporal workaround:
> >
> > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the
> > parameters, this can be made to work again, but there appears to be no
> > path for end users to make this operational."
> >
>
> Workaround:
>
> 1) at line 36 of Email::Send::SMTP::Gmail:
>
>       if (not $self->{sender} = Net::SMTP::SSL->new(
>           $smtp,
>           Port => $port,
>           Debug => $debug,
>           SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
>       )) {
>           die "Could not connect to SMTP server\n";
>       }
>
> 2) at line 40 of Net::SMTP:
>
>       foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) {
>         $obj = $type->SUPER::new(
>           %arg,
>           PeerAddr => ($host = $h),
>           PeerPort => $arg{Port} || 'smtp(25)',
>           LocalAddr => $arg{LocalAddr},
>           LocalPort => $arg{LocalPort},
>           Proto     => 'tcp',
>           Timeout   => defined $arg{Timeout} ? $arg{Timeout} : 120,
>         )
>         and last;
>       }
>

Thank you!

I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with
your patch. It will be available soon on CPAN and github

Subject: Re: [rt.cpan.org #81710] verify errors with Email-Send-SMTP-Gmail-0.32
Date: Thu, 24 Jan 2013 19:55:59 -0800
To: bug-Email-Send-SMTP-Gmail@rt.cpan.org
From: blakesteel <blakesteel@gmail.com>

Doesn't this defeat the point of the original patch that was causing the issue? Namely, verifying the certificate is valid to prevent man-in-the-middle attacks? Please advise.

On Jan 24, 2013 1:14 PM, "Juan Jose San Martin via RT" <bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote:

Thank you!

I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with
your patch. It will be available soon on CPAN and github


Yes, it does :-/
Then why did I apply the patch?

1.- The warning message about SSL_verify_mode is still showing up.
Advice for the user.
2.- In case the user wants to hack it (assuming the SSL_VERIFY_NONE
value), he should only focus on Net::SMTP
3.- I've created ticket on libnet (the super module that includes
Net::SMTP):
https://rt.cpan.org/Ticket/Display.html?id=82948&results=b61a27f0d355dee2c747886eb954df4a
4.- I've inserted a comment on the libnet Github repo to try to catch
their attention. https://github.com/gbarr/perl-libnet/issues/3

Is it a final solution?
Obviously not. I hope they release an updated libnet shortly.

Thanks

On Thu Jan 24 22:56:10 2013, blakesteel@gmail.com wrote:
> Doesn't this defeat the point of the original patch that was causing the
> issue? Namely, verifying the certificate is valid to prevent
> man-in-the-middle attacks? Please advise.

Subject: Re: [rt.cpan.org #81710] verify errors with Email-Send-SMTP-Gmail-0.32
Date: Fri, 25 Jan 2013 10:35:09 -0800
To: bug-Email-Send-SMTP-Gmail@rt.cpan.org
From: blakesteel <blakesteel@gmail.com>

I believe you have to expose a way for users of your module to set the certificate file and/or string used to validate the remote certificate against. Both would be useful in case someone wants to use a string or a file. I don't think a patch in this regard is going to be forthcoming from the lower level library. It is going to have to be provided on your end. In the meantime although the current patch temporarily solves our ability to use the module, it again reintroduces the vulnerability whose intent it was to eliminate that caused this incompatibility in the first place.

Thanks for your attention to this issue.

On Jan 25, 2013 2:09 AM, "Juan Jose San Martin via RT" <bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote:

Yes, it does :-/
Then why did I apply the patch?

1.- The warning message about SSL_verify_mode is still showing up.
Advice for the user.
2.- In case the user wants to hack it (assuming the SSL_VERIFY_NONE
value), he should only focus on Net::SMTP
3.- I've created ticket on libnet (the super module that includes
Net::SMTP):
https://rt.cpan.org/Ticket/Display.html?id=82948&results=b61a27f0d355dee2c747886eb954df4a
4.- I've inserted a comment on the libnet Github repo to try to catch
their attention. https://github.com/gbarr/perl-libnet/issues/3

Is it a final solution?
Obviously not. I hope they release an updated libnet shortly.

Thanks

On Thu Jan 24 22:56:10 2013, blakesteel@gmail.com wrote:
> Doesn't this defeat the point of the original patch that was causing the
> issue? Namely, verifying the certificate is valid to prevent
> man-in-the-middle attacks? Please advise.



Hello.

Due to lack of response from Net::SMTP::SSL, we added TLS support using Net::SMTP::TLS::ButMaintained

Then, from release 0.40, Gmail.pm uses TLS with Auth as its default method to connect to SMTP.
SSL is also available

The module maintains backward compatibility from the viewpoint of the exported subs and its arguments

Doc updated
Perlcritic passed

Thanks

On Fri Jan 25 13:35:21 2013, blakesteel@gmail.com wrote:
> I believe you have to expose a way for users of your module to set the
> certificate file and/or string used to validate the remote certificate
> against. Both would be useful in case someone wants to use a string or a
> file. I don't think a patch in this regard is going to be forthcoming from
> the lower level library. It is going to have to be provided on your end. In
> the meantime although the current patch temporarily solves our ability to
> use the module, it again reintroduces the vulnerability whose intent it was
> to eliminate that caused this incompatibility in the first place.
>
> Thanks for your attention to this issue.
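
The request made in this thread, letting the caller supply a CA file or directory so the server certificate is checked with SSL_VERIFY_PEER instead of SSL_VERIFY_NONE, shown as an added example that is not code from Email::Send::SMTP::Gmail or its author. `ssl_args`, `connect_smtps` and the `-ca_file`/`-ca_path` options are hypothetical names, and `/etc/ssl/certs` is an assumed CA directory.

```perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Hypothetical helper: map caller options to IO::Socket::SSL arguments.
# -ca_file and -ca_path are assumed option names, not the module's API.
sub ssl_args {
    my (%opt) = @_;
    my $host = $opt{-smtp} or die "-smtp is required\n";
    my %ssl = (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'smtp',    # hostname matching rules for SMTP
        SSL_verifycn_name   => $host,     # name the certificate must carry
        SSL_hostname        => $host,     # SNI
    );
    if (defined $opt{-ca_file}) {
        -r $opt{-ca_file} or die "CA file not readable: $opt{-ca_file}\n";
        $ssl{SSL_ca_file} = $opt{-ca_file};
    }
    elsif (defined $opt{-ca_path}) {
        -d $opt{-ca_path} or die "CA path is not a directory: $opt{-ca_path}\n";
        $ssl{SSL_ca_path} = $opt{-ca_path};
    }    # otherwise IO::Socket::SSL's own default CA lookup applies
    return %ssl;
}

# Open an implicit-TLS SMTP connection; fails closed if verification fails.
sub connect_smtps {
    my (%opt) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost => $opt{-smtp},
        PeerPort => $opt{-port} || 465,
        Timeout  => 20,
        ssl_args(%opt),
    ) or die "connect or certificate check failed: $SSL_ERROR\n";
    my $greeting = <$sock> // '';    # "220 ..." arrives only after the handshake
    return ($sock, $greeting);
}

# Constructed sample options; offline, only the computed arguments are shown.
my %ssl = ssl_args(-smtp => 'smtp.gmail.com');
print "$_ => $ssl{$_}\n" for sort keys %ssl;
if (@ARGV && $ARGV[0] eq '--connect') {    # network use only on request
    my ($sock, $greeting) =
        connect_smtps(-smtp => 'smtp.gmail.com', -ca_path => '/etc/ssl/certs');
    print "peer verified, greeting: $greeting";
    print {$sock} "QUIT\r\n";
    close $sock;
}
```

Pointing `-ca_file` at a bundle that does not contain the issuer of the server's certificate makes `connect_smtps` die before any SMTP command or credential is sent.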

