Don't work for some sites
use strict;
use IO::Socket::SSL;
my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
|| warn "I encountered a problem:
".IO::Socket::SSL::errstr();
print $client "GET / HTTP/1.0\r\n\r\n";
print <$client>;
(curl and firefox work fine)
See also https://rt.cpan.org/Ticket/Display.html?id=70467
Bug #82992 for IO-Socket-SSL: Don't work with some sites
This queue is for tickets about the IO-Socket-SSL CPAN distribution.
Report information
Owner: Nobody in particular
Requestors: victor [...] vsespb.ru
Severity: (no value)
Broken in: 1.81
Fixed in: (no value)
(prints I encountered a problem: IO::Socket::INET configuration failed
error:00000000:lib(0):func(0):reason(0) at x2.pl line 3.
)
On Mon Jan 28 05:07:41 2013, vsespb wrote:
> Don't work for some sites
>
> use strict;
> use IO::Socket::SSL;
> my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> || warn "I encountered a problem:
> ".IO::Socket::SSL::errstr();
> print $client "GET / HTTP/1.0\r\n\r\n";
> print <$client>;
>
>
> (curl and firefox work fine)
>
> See also https://rt.cpan.org/Ticket/Display.html?id=70467
Sun Jan 27 20:09:18 2013
victor [...] vsespb.ru - Subject changed from (no value) to 'Don't work with some sites'
Hi,
I can't reproduce the problem with the given code.
This code implicitly assumes SSL_verify_mode of 0 (and issues a warning
about it) but connects w/o problems.
I assume, that your real code somehow sets SSL_verify_mode to 1.
In this case the connect will fail unless you have also set an
SSL_ca_path containing the right CA certificates.
On Sun Jan 27 20:07:41 2013, vsespb wrote:
> Don't work for some sites
>
> use strict;
> use IO::Socket::SSL;
> my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> || warn "I encountered a problem:
> ".IO::Socket::SSL::errstr();
> print $client "GET / HTTP/1.0\r\n\r\n";
> print <$client>;
>
>
> (curl and firefox work fine)
>
> See also https://rt.cpan.org/Ticket/Display.html?id=70467
That was actually my real code. It fails on one of my servers and works
fine on another.
Also, this ticket https://rt.cpan.org/Ticket/Display.html?id=70467
is absolutely reproducible (error in the same line).
On Mon Jan 28 11:49:10 2013, SULLR wrote:
> Hi,
> I can't reproduce the problem with the given code.
> This code implicitly assumes SSL_verify_mode of 0 (and issues a warning
> about it) but connects w/o problems.
> I assume, that your real code somehow sets SSL_verify_mode to 1.
> In this case the connect will fail unless you have also set an
> SSL_ca_path containing the right CA certificates.
>
> On Sun Jan 27 20:07:41 2013, vsespb wrote:
> > Don't work for some sites
> >
> > use strict;
> > use IO::Socket::SSL;
> > my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> > || warn "I encountered a problem:
> > ".IO::Socket::SSL::errstr();
> > print $client "GET / HTTP/1.0\r\n\r\n";
> > print <$client>;
> >
> >
> > (curl and firefox work fine)
> >
> > See also https://rt.cpan.org/Ticket/Display.html?id=70467
>
>
On Mon Jan 28 05:12:10 2013, vsespb wrote:
> That was actually my real code. It fails on one of my servers and works
> fine on another.
Could you please provide me with some more details about the environment where it fails, and also about the system where it succeeds, e.g.:
use strict;
use IO::Socket::SSL;
printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
$^V,
$IO::Socket::SSL::VERSION,
$Net::SSLeay::VERSION,
Net::SSLeay::OPENSSL_VERSION_NUMBER();
And could you please set $IO::Socket::SSL::DEBUG=10 in your code and send me the output, so that one can better see, where it fails.
ONE SERVER:
$ perl poc.pl
perl=v5.10.1 IO:Socket::SSL=1.81 Net::SSLeay=1.52 openssl=9080bf
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
at poc.pl line 6.
DEBUG: .../IO/Socket/SSL.pm:1702: new ctx 7860368
DEBUG: .../IO/Socket/SSL.pm:411: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:413: socket connected
DEBUG: .../IO/Socket/SSL.pm:431: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:492: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1373: SSL connect attempt failed with
unknown error error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
alert unexpected message
DEBUG: .../IO/Socket/SSL.pm:498: fatal SSL error: SSL connect attempt
failed with unknown error error:140773F2:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
DEBUG: .../IO/Socket/SSL.pm:1373: IO::Socket::INET configuration failed
error:00000000:lib(0):func(0):reason(0)
DEBUG: .../IO/Socket/SSL.pm:1739: free ctx 7860368 open=7860368
DEBUG: .../IO/Socket/SSL.pm:1747: OK free ctx 7860368
I encountered a problem:IO::Socket::INET configuration failed
error:00000000:lib(0):func(0):reason(0) at poc.pl line 6.
Can't use string ("1") as a symbol ref while "strict refs" in use at
poc.pl line 7.
$ cat poc.pl
use strict;
use IO::Socket::SSL;
$IO::Socket::SSL::DEBUG=10;
printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n", $^V,
$IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION,
Net::SSLeay::OPENSSL_VERSION_NUMBER();
my $client =
IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https") || warn "I
encountered a problem:".IO::Socket::SSL::errstr();
print $client "GET / HTTP/1.0\r\n\r\n"; print <$client>;
ANOTHER SERVER:
$ perl poc.pl
perl=v5.14.2 IO:Socket::SSL=1.81 Net::SSLeay=1.42 openssl=1000005f
DEBUG: .../IO/Socket/SSL.pm:238: set domain to 2
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
at poc.pl line 6
DEBUG: .../IO/Socket/SSL.pm:1702: new ctx 139587136
DEBUG: .../IO/Socket/SSL.pm:411: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:413: socket connected
DEBUG: .../IO/Socket/SSL.pm:431: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:492: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:547: ssl handshake done
write_all VM at entry=vm_unknown
partial `GET / HTTP/1.0
'
written so far 18:18 bytes (VM=vm_unknown)
HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"161-1347965911198"
Last-Modified: Tue, 18 Sep 2012 10:58:31 GMT
Content-Type: text/html
Content-Length: 161
Date: Mon, 28 Jan 2013 10:45:31 GMT
Connection: close
Server: Anonymous Server
<html>
<head>
<meta http-equiv="refresh"
content="0;URL=https://www.enrich.malaysiaairlines.com/EnrichWebsite/">
</head>
<body>
</body>
DEBUG: .../IO/Socket/SSL.pm:1739: free ctx 139587136 open=139587136
DEBUG: .../IO/Socket/SSL.pm:1747: OK free ctx 139587136
</html>root@li488-134:/tmp
$ cat poc.pl
use strict;
use IO::Socket::SSL;
$IO::Socket::SSL::DEBUG=10;
printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n", $^V,
$IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION,
Net::SSLeay::OPENSSL_VERSION_NUMBER();
my $client =
IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https") || warn "I
encountered a problem:".IO::Socket::SSL::errstr();
print $client "GET / HTTP/1.0\r\n\r\n"; print <$client>;
NOTES:
I use code example from your documentation, without
Net::SSLeay::VERIFY_NONE(). I am not sure how to use
Net::SSLeay::VERIFY_NONE(), because
obvious things
IO::Socket::SSL->new("google.com:https",
SSL_verify_mode=>Net::SSLeay::VERIFY_NONE())
my $client = IO::Socket::SSL->new("google.com:https",
{SSL_verify_mode=>Net::SSLeay::VERIFY_NONE()})
crash on both servers.
On Mon Jan 28 14:27:55 2013, SULLR wrote:
> On Mon Jan 28 05:12:10 2013, vsespb wrote:
> > That was actually my real code. It fails on one of my servers and works
> > fine on another.
>
> could you please provide me with some more details about the
> environment, where it fails, and also about the system, where it
> succeeds, e.g:
>
> use strict;
> use IO::Socket::SSL;
> printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
> $^V,
> $IO::Socket::SSL::VERSION,
> $Net::SSLeay::VERSION,
> Net::SSLeay::OPENSSL_VERSION_NUMBER();
>
>
> And could you please set $IO::Socket::SSL::DEBUG=10 in your code and
> send me the output, so that one can better see, where it fails.
>
>
On Mon Jan 28 05:52:31 2013, vsespb wrote:
> ONE SERVER:
> perl=v5.10.1 IO:Socket::SSL=1.81 Net::SSLeay=1.52 openssl=9080bf
> ...SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
> ANOTHER SERVER:
> perl=v5.14.2 IO:Socket::SSL=1.81 Net::SSLeay=1.42 openssl=1000005f
> ssl handshake done
I doubt that the perl version is relevant here, so this leaves the Net::SSLeay
version or the OpenSSL version. Since I use 1.52 to successfully connect
to the host I would suggest, that the old openssl version causes the problem.
This would not affect firefox (since it does not use openssl) and might not
affect curl too (which can use either GnuTLS or OpenSSL).
I can reproduce the problem on a system with an older openssl library and
a recent version of IO::Socket::SSL. A look at the exchanged messages with
wireshark gives the following picture:
- the server accepts TLSv1.0 records with TLSv1.1 handshakes inside.
  This is used with recent openssl versions, which support TLSv1.1.
- the server accepts SSLv2 records with TLSv1.0 handshakes inside.
  This is used when SSL_version is set to 'sslv23' in IO::Socket::SSL.
  This was the default in older IO::Socket::SSL versions, but for security
  reasons SSLv2 is now disabled by default, e.g. sslv23:!sslv2
- sslv23:!sslv2 causes on older openssl versions TLSv1.0 records with TLSv1.0
  handshakes inside. For some strange reason (maybe misconfiguration) the
  server does not understand these SSL messages, other servers have no problems.
Because you can probably not change the server configuration the following
workarounds are possible:
- use a newer openssl version which supports TLSv1.1 (openssl>=1.0)
- allow SSLv2 by setting SSL_version => 'sslv23'. Note that SSLv2 is disabled
  for security reasons, so enabling it increases your risk.
>
> I use code example from your documentation, without
> Net::SSLeay::VERIFY_NONE(). I am not sure how to use
> Net::SSLeay::VERIFY_NONE(), because
> obvious things
> IO::Socket::SSL->new("google.com:https",
> SSL_verify_mode=>Net::SSLeay::VERIFY_NONE())
> my $client = IO::Socket::SSL->new("google.com:https",
> {SSL_verify_mode=>Net::SSLeay::VERIFY_NONE()})
>
> crash on both servers.
The syntax is not class->new(host,%args)
but class->new(host) OR class->new(%args)
If you want to give other arguments you have to specify the target with
PeerAddr or PeerAddr+PeerPort.
This is the same with all the other IO::Socket::* stuff.
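
An added example (not code from the ticket or from IO::Socket::SSL itself) of the constructor form described above: the target goes in PeerAddr/PeerPort next to the SSL_* arguments, verification is explicit, and a failed connect dies instead of leaving the return value of warn in $client. The helper names, the CA directory /etc/ssl/certs and the command-line host are assumptions; openssl_version_string decodes the hex number printed by the version check earlier in the thread.

```perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Decode Net::SSLeay::OPENSSL_VERSION_NUMBER() (layout 0xMNNFFPPS used by
# OpenSSL 0.9.x and 1.x), e.g. 0x9080bf -> 0.9.8k, 0x1000005f -> 1.0.0e.
sub openssl_version_string {
    my ($n) = @_;
    my $major = ($n >> 28) & 0x0f;
    my $minor = ($n >> 20) & 0xff;
    my $fix   = ($n >> 12) & 0xff;
    my $patch = ($n >> 4)  & 0xff;
    my $letter = $patch ? chr(ord('a') + $patch - 1) : '';
    return "$major.$minor.$fix$letter";
}

# Hypothetical helper: new() takes either a single "host:port" string or a
# list of named arguments, never both, so the target goes in PeerAddr/PeerPort.
sub connect_verified {
    my (%opt) = @_;
    my $client = IO::Socket::SSL->new(
        PeerAddr            => $opt{host},
        PeerPort            => $opt{port} || 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_path         => $opt{ca_path},   # directory of trusted CA certs
        SSL_verifycn_scheme => 'http',          # also check the hostname
    );
    # Die on failure: with "|| warn" $client would hold warn's return value
    # (1) and the later print would fail under "strict refs".
    $client or die "connect to $opt{host} failed: $!, $SSL_ERROR\n";
    return $client;
}

unless (caller) {    # only when run as a script
    printf "IO::Socket::SSL=%s Net::SSLeay=%s openssl=%s\n",
        $IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION,
        openssl_version_string(Net::SSLeay::OPENSSL_VERSION_NUMBER());
    my $host = shift @ARGV or die "usage: $0 host\n";
    my $client = connect_verified(
        host    => $host,
        ca_path => '/etc/ssl/certs',    # assumed CA directory, adjust locally
    );
    print $client "GET / HTTP/1.0\r\nHost: $host\r\n\r\n";
    print <$client>;
    close $client;
}
```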