This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 85290
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: ujvari [...] microsec.hu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Add support for SHA-2 signed certificates
Date: Tue, 14 May 2013 16:18:58 +0200
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Újvári Áron <ujvari [...] microsec.hu>
Dear IO-Socket-SSL Maintainer!

MD5 signed certificates were obsoleted some time ago and these days SHA-1 signed certificates have come to be considered weak. It's time to move to SHA-2 signed certificates.

There are countries, like Hungary, where registered certificate authorities must obey the rules of national government authorities (NMHH in Hungary) who presumably will disallow the issue of SHA-1 signed certificates in the near future.

As of IO-Socket-SSL version 1.88 it seems that it does not support SHA-2 signed certificates. Using it with LWP we get the following error message during the verification of an SHA-2 signed website certificate:

    LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm at /usr/lib/perl5/site_perl/5.10.0/LWP/Protocol/http.pm line 51.

There is a bug for cURL about the very same problem, and probably the same resolution will apply for IO-Socket-SSL also:

http://sourceforge.net/p/curl/bugs/848/

You should call Net::SSLeay::OpenSSL_add_all_digests() in the Net::SSLeay initialization block in the BEGIN section of IO::Socket::SSL:

    # Do Net::SSLeay initialization
    Net::SSLeay::load_error_strings();
    Net::SSLeay::SSLeay_add_ssl_algorithms();
    Net::SSLeay::OpenSSL_add_all_digests(); # <--- NEW line
    Net::SSLeay::randomize();

As a workaround, calling Net::SSLeay::OpenSSL_add_all_digests() by hand after the "use IO::Socket::SSL" seems to work well.

Best regards,

Aron Ujvari
IT Systems Engineer
Microsec Ltd.

-- 
Újvári Áron         | Email | aron.ujvari@microsec.hu
IT Systems Engineer | Tel   | +36 1 802-4425
                    | Fax   | +36 1 505-4445
Microsec zrt.       | Web   | www.microsec.hu

On Tue, 14 May 2013, 10:19:37, ujvari@microsec.hu wrote:
> Dear IO-Socket-SSL Maintainer!
>
> MD5 signed certificates were obsoleted some time ago and these days
> SHA-1 signed certificates have come to be considered weak. It's time to move to
> SHA-2 signed certificates.

Hi,

thanks for your bugreport.
The issue should be fixed with version 1.90.

Regards,
Steffen
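
The following is an added example, not part of the ticket or of IO::Socket::SSL itself: it applies the reporter's workaround only when the installed IO::Socket::SSL is older than 1.90 (the release named in the reply), then checks that the SHA-2 digests can be resolved. The helper name `missing_digests` and the choice of digest names to test are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: guarded workaround plus a check that the SHA-2 digests
# are registered with OpenSSL. Runs offline; no connection is made.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;

# 1.90 is the release the maintainer names as containing the fix.
my $FIXED_IN = 1.90;

# Development releases can carry an underscore (e.g. "1.90_01");
# strip it before comparing numerically.
(my $have = $IO::Socket::SSL::VERSION) =~ tr/_//d;

if ($have < $FIXED_IN) {
    # Workaround from the ticket: register every digest by hand.
    Net::SSLeay::OpenSSL_add_all_digests();
}

# Hypothetical helper: returns the digest names OpenSSL cannot resolve.
# A non-empty result means certificates signed with those digests would
# fail with "unknown message digest algorithm" during verification.
sub missing_digests {
    my @names = @_;
    return grep { !Net::SSLeay::EVP_get_digestbyname($_) } @names;
}

my @missing = missing_digests(qw(sha256 sha384 sha512));
if (@missing) {
    die "SHA-2 digests not registered: @missing\n";
}
print "IO::Socket::SSL $IO::Socket::SSL::VERSION: SHA-2 digests available\n";
```

Running the check at application start-up turns a mid-handshake verification failure into an immediate, clearly worded error.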

