noxxi / p5-io-socket-ssl Goto Github PK
View Code? Open in Web Editor NEWIO::Socket::SSL Perl Module
p5-io-socket-ssl's People
Contributors
Stargazers
Watchers
Forkers
mytram dsteinbrunner salva crisman yak1ex lkundrak mbeijen tokuhirom brianmed toddr frioux jelu steve-m-hay upasana-me nanis keedi kushal154 bluhm chorny nicolas2k bbtotti rcbarn32 dinhchitrung andygrundman bdraco atoomic fgasper odenbach hubandr perlover virajkulkarni14 jmaslak fskale ppisar kiwiroy manwar notroj steely44 jonasbn intrigeri some-perl-nerd clayne sanjaymsh twata1 michal-josef-spacek skaji isgasho uhle jddurand genuaboro tmalkowski stigtsp akhuettel sysfce2 yaribz yoshikazusawap5-io-socket-ssl's Issues
new_from_fd() erases {io_socket_timeout}
Don't really know is it a bug. Feel free to reject.
Test example below:
use strict;
use IO::Socket;
use IO::Socket::SSL;
my $sock = IO::Socket::INET->new(PeerAddr => 'mail.ru', PeerPort => 443, Timeout => 5)
or die $@;
warn ${*$sock}{io_socket_timeout}; # 5
my $ssl = IO::Socket::SSL->new_from_fd($sock, Timeout => 5)
or die $@;
warn ${*$ssl}{io_socket_timeout}; # undefI found this problem while used LWP::Protocol::connect.
Here we got plain socket where {io_socket_timeout} has some value from LWP constructor:
https://metacpan.org/source/BENNING/LWP-Protocol-connect-6.08/lib/LWP/Protocol/https/connect/Socket.pm#L16
And after this action {io_socket_timeout} for socket is undefined:
https://metacpan.org/source/BENNING/LWP-Protocol-connect-6.08/lib/LWP/Protocol/https/connect/Socket.pm#L18
And here how LWP uses this value:
https://metacpan.org/source/Net::HTTP::Methods#L290
So we may get select() with undefined timeout (and block forever):
https://metacpan.org/source/Net::HTTP::Methods#L298
Maybe this needs to be documented (if this behaviour is correct).
Last release is buggered in a scary way, needs an immediate fix
You should have email to [email protected] from [email protected] explaining it. Please read and respond.
The email should make it more clear why I'm choosing to do it this way.
perl-IO-Socket-SSL-1.94 test fail and certs out of date
1.the file of pem in certs are out of date in IO-Socket-SSL-1.94.tar.gz
2.make test failure as showed below
-bash-4.2$ cd IO-Socket-SSL-1.94/
-bash-4.2$ ls
BUGS MANIFEST META.yml Makefile.PL README.Win32 certs debuglinks.list docs example pm_to_blib util
Changes META.json Makefile README blib debugfiles.list debugsources.list elfbins.list lib t
-bash-4.2$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... Dubious, test returned 1 (wstat 256, 0x100)
Failed 10/15 subtests
t/auto_verify_hostname.t ... Failed 16/30 subtests
t/cert_no_file.t ........... ok
t/compatibility.t .......... 1/9 Can't locate object method "issuer_name" via package "IO::Socket::INET" at t/compatibility.t line 53.
t/compatibility.t .......... Failed 6/9 subtests
t/connectSSL-timeout.t ..... Dubious, test returned 1 (wstat 256, 0x100)
Failed 10/16 subtests
t/core.t ................... Failed 47/52 subtests
t/dhe.t .................... ok
t/ecdhe.t .................. ok
t/io-socket-inet6.t ........ skipped: no IO::Socket::INET6 available
t/io-socket-ip.t ........... ok
t/memleak_bad_handshake.t .. skipped: no usable ps
t/mitm.t ................... Failed 6/8 subtests
t/nonblock.t ............... 1/27 sysread failed: No such file or directory at t/nonblock.t line 317.
Use of uninitialized value in subroutine entry at /home/abuild/rpmbuild/BUILD/IO-Socket-SSL-1.94/blib/lib/IO/Socket/SSL.pm line 629.
Use of uninitialized value in subroutine entry at /home/abuild/rpmbuild/BUILD/IO-Socket-SSL-1.94/blib/lib/IO/Socket/SSL.pm line 629.
t/nonblock.t ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 21/27 subtests
t/npn.t .................... ok
t/readline.t ............... ok
t/sessions.t ............... Failed 27/35 subtests
t/signal-readline.t ........ Failed 1/9 subtests
t/sni.t .................... 1/17 Can't call method "get_servername" on an undefined value at t/sni.t line 83.
Can't call method "verify_hostname" without a package or object reference at t/sni.t line 74.
t/sni.t .................... Dubious, test returned 2 (wstat 512, 0x200)
Failed 16/17 subtests
t/start-stopssl.t .......... ok
t/startssl-failed.t ........ ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
t/verify_hostname.t ........ ok
Test Summary Report
t/acceptSSL-timeout.t (Wstat: 256 Tests: 7 Failed: 2)
Failed tests: 6-7
Non-zero exit status: 1
Parse errors: Bad plan. You planned 15 tests but ran 7.
t/auto_verify_hostname.t (Wstat: 0 Tests: 22 Failed: 8)
Failed tests: 3, 5-6, 8, 12, 16, 18, 22
Parse errors: Bad plan. You planned 30 tests but ran 22.
t/compatibility.t (Wstat: 0 Tests: 6 Failed: 3)
Failed tests: 2, 5-6
Parse errors: Bad plan. You planned 9 tests but ran 6.
t/connectSSL-timeout.t (Wstat: 256 Tests: 8 Failed: 2)
Failed tests: 7-8
Non-zero exit status: 1
Parse errors: Bad plan. You planned 16 tests but ran 8.
t/core.t (Wstat: 0 Tests: 7 Failed: 2)
Failed tests: 6-7
Parse errors: Bad plan. You planned 52 tests but ran 7.
t/mitm.t (Wstat: 0 Tests: 3 Failed: 1)
Failed test: 3
Parse errors: Bad plan. You planned 8 tests but ran 3.
t/nonblock.t (Wstat: 512 Tests: 17 Failed: 11)
Failed tests: 6-12, 14-17
Non-zero exit status: 2
Parse errors: Bad plan. You planned 27 tests but ran 17.
t/sessions.t (Wstat: 0 Tests: 10 Failed: 2)
Failed tests: 9-10
Parse errors: Bad plan. You planned 35 tests but ran 10.
t/signal-readline.t (Wstat: 0 Tests: 9 Failed: 1)
Failed test: 4
t/sni.t (Wstat: 512 Tests: 3 Failed: 2)
Failed tests: 2-3
Non-zero exit status: 2
Parse errors: Bad plan. You planned 17 tests but ran 3.
Files=25, Tests=226, 0 wallclock secs ( 0.10 usr 0.04 sys + 1.28 cusr 0.33 csys = 1.75 CPU)
Result: FAIL
Failed 10/25 test programs. 34/226 subtests failed.
make: *** [test_dynamic] Error 2
how can i fix this problem with out update the software? Can i skip these ten test?
Weird diagnostics for short RSA keys
Openssl 1.1.1 does not treat 1024-bit RSA certificates as safe for clients authentification in SSL by default (@SECLEVEL=2) with diagnostics like
140510343623808:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:
As IO::Socket::SSL tries to load a certificate as PEM, than DER, than PKCS12, when the original certificate is in PEM format, the diagnostics is smth about bad ASN.1 format instead of valid one.
package IO::Socket::SSL;
our $VERSION = '2.060';
Reliable read, better handling of SSL *_WANT_* situations
I noticed, that getline() often returns undefined, although data is available.
The reason is, that readline() andles EINTR and EWOULDBLOCK, but must also handle ERROR_WANT_READ and ERROR_WANT_WRITE. A good example as a starting point is Net::SSLeay::ssl_read_all():
sub ssl_read_all {
my ($ssl,$how_much) = @_;
$how_much = 2000000000 unless $how_much;
my ($got, $rv, $errs);
my $reply = '';
while ($how_much > 0) {
($got, $rv) = Net::SSLeay::read($ssl,
($how_much > 32768) ? 32768 : $how_much
);
if (! defined $got) {
my $err = Net::SSLeay::get_error($ssl, $rv);
if ($err != Net::SSLeay::ERROR_WANT_READ() and
$err != Net::SSLeay::ERROR_WANT_WRITE()) {
$errs = print_errs('SSL_read');
last;
}
next;
}
$how_much -= blength($got);
debug_read(\$reply, \$got) if $trace>1;
last if $got eq ''; # EOF
$reply .= $got;
}
return wantarray ? ($reply, $errs) : $reply;
}
Maybe Net::SSLeay::ssl_read_until() can be used which internally calls ssl_read_all. And for getline() something like Net::SSLeay::ssl_read_CRLF()?
I only looked at Net::SSLeay current dev version, not sure what of that is available in latest stable.
SSL_verify_callback sometimes gets the same cert multiple times.
Not sure what causes it...
Versions of stuff:
- IO::Socket::SSL 2.012
- Net::SSLeay 1.68
- Perl 5.20.1
- OpenSSL 1.0.2a
All latest as of right now as far as I can tell except for perl being 1 minor behind.
Consider the following:
#!/usr/bin/env perl
use strict;
use warnings;
use File::Basename;
use IO::Socket::SSL;
die "Usage: ".basename($0)." host:port\n" unless @ARGV eq 1;
IO::Socket::SSL->new(
PeerHost => $ARGV[0],
SSL_verify_callback => sub {
my $cert = $_[4];
my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert));
my $issuer = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));
print "# $subject (issuer=$issuer)\n";
print Net::SSLeay::PEM_get_string_X509($cert);
return 1;
}
) or die $SSL_ERROR||$!;
$ dump_cert_chain.pl bugs.otr.im:443
# /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.otr.im (issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2)
-----BEGIN CERTIFICATE-----
MIIF6zCCBNOgAwIBAgIRAOHZg+yKPfZmVepOJPSBHowwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy
MB4XDTE1MDMwOTAwMDAwMFoXDTE2MDMyMzIzNTk1OVowXDEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQLExtHYW5kaSBTdGFuZGFyZCBX
aWxkY2FyZCBTU0wxETAPBgNVBAMUCCoub3RyLmltMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAxfZUm9e16vo+pVLyc0QIqKzpSuV/pYSWlEHlYHMMBGaq
j4jy584zenIigynw9pqfaLDnqxtWVoXXJpykWucOlM82kZL8nU/jgsbqxW9WqSkg
K3ZSlJlNn95g3vGjwHsZer6X32uIvaoyAafLgKQLQ7SP/AWIyHtN02B1AcjYcJAu
anX+QRSH/3qhKt8w2ahpzQi9Wbu3Y7WycHEAGCg9jAP6OeUL2eICZoV2b+JQv2ZH
GlrHpfZBl/eTCekB/geMBGxdfR4Kr5KMRjS5yiIxLguLR/RhlVaLMmvLQ8fPUF76
3+GVZLO1No3KA2m2AMDaQxOgFDboUTvgDzPKfZnsvU3yV91a1gnwHGR1c8YTgy9u
Iow7gJhuHzgPlYvES8vFEiu8vq+NJb5ZjpFkvQlIWEmUfQ4ghWd6s5TbMTC9Zn9R
U2XnfY5BFYj600CF42FTgFb8rANGFv8CRhBJ3TFWwrMXtZ2jGWhAWyvlKXjHj08k
SbyRUc33FJNJdPo1SNKLJWDoe0gxI7pdNpN/2gW8+DkcHiMA4Nebp5Px4ud2tEQ4
J3bimiRJGPKZbHOYPlZNTt5uRUyFcqcaZrb+9agC4/zCkoZ9Bc55hd7NZ5hLVIqd
oGcVOW4joXdfZrw1lJywB39HihzNgLmD2orZw7QNBfqFdd7RtUW6ojkQOJJ777UC
AwEAAaOCAaMwggGfMB8GA1UdIwQYMBaAFLOQp9jJr07NYTyffK1df0H9aTDqMB0G
A1UdDgQWBBSZNGT6DNmuu4sTNJoNe4I8S6xCQjAOBgNVHQ8BAf8EBAMCBaAwDAYD
VR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSwYDVR0g
BEQwQjA2BgsrBgEEAbIxAQICGjAnMCUGCCsGAQUFBwIBFhlodHRwczovL2Nwcy51
c2VydHJ1c3QuY29tMAgGBmeBDAECATBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8v
Y3JsLnVzZXJ0cnVzdC5jb20vR2FuZGlTdGFuZGFyZFNTTENBMi5jcmwwcwYIKwYB
BQUHAQEEZzBlMDwGCCsGAQUFBzAChjBodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20v
R2FuZGlTdGFuZGFyZFNTTENBMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3Nw
LnVzZXJ0cnVzdC5jb20wGwYDVR0RBBQwEoIIKi5vdHIuaW2CBm90ci5pbTANBgkq
hkiG9w0BAQsFAAOCAQEALMn5fjOcn8lHRIxZlQ5ZGgChQswOIBRhpaCtyiXzP5Yu
bEbCGjYt9pUKrQQ+qb+MSZKgYMyfZaaEJMCtgPk5V47zK8jFcqaSmL7uuWOT3RRH
e1aoRdpyCTW2SEq04RsxhajVhp2xnNspf6eKhMRzZAqsgYsTPQBs+kvbl7yLv8uT
B+oCdI3MJ92De6TqrI/Z00blNwd7I13TgvasUyGSPfbkGxu5THSNvCV1Dbu+9Oql
Hf97UBELSTQpcApYJzIQ9lksShH2kalN41l9dqVgiXD6OfWfW7EUTpGYd4BGa1yg
2lIHlKN15Echdzhu2o2BFhbJH978+wgZHBH6chhxJw==
-----END CERTIFICATE-----
# /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.otr.im (issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2)
-----BEGIN CERTIFICATE-----
MIIF6zCCBNOgAwIBAgIRAOHZg+yKPfZmVepOJPSBHowwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy
MB4XDTE1MDMwOTAwMDAwMFoXDTE2MDMyMzIzNTk1OVowXDEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQLExtHYW5kaSBTdGFuZGFyZCBX
aWxkY2FyZCBTU0wxETAPBgNVBAMUCCoub3RyLmltMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAxfZUm9e16vo+pVLyc0QIqKzpSuV/pYSWlEHlYHMMBGaq
j4jy584zenIigynw9pqfaLDnqxtWVoXXJpykWucOlM82kZL8nU/jgsbqxW9WqSkg
K3ZSlJlNn95g3vGjwHsZer6X32uIvaoyAafLgKQLQ7SP/AWIyHtN02B1AcjYcJAu
anX+QRSH/3qhKt8w2ahpzQi9Wbu3Y7WycHEAGCg9jAP6OeUL2eICZoV2b+JQv2ZH
GlrHpfZBl/eTCekB/geMBGxdfR4Kr5KMRjS5yiIxLguLR/RhlVaLMmvLQ8fPUF76
3+GVZLO1No3KA2m2AMDaQxOgFDboUTvgDzPKfZnsvU3yV91a1gnwHGR1c8YTgy9u
Iow7gJhuHzgPlYvES8vFEiu8vq+NJb5ZjpFkvQlIWEmUfQ4ghWd6s5TbMTC9Zn9R
U2XnfY5BFYj600CF42FTgFb8rANGFv8CRhBJ3TFWwrMXtZ2jGWhAWyvlKXjHj08k
SbyRUc33FJNJdPo1SNKLJWDoe0gxI7pdNpN/2gW8+DkcHiMA4Nebp5Px4ud2tEQ4
J3bimiRJGPKZbHOYPlZNTt5uRUyFcqcaZrb+9agC4/zCkoZ9Bc55hd7NZ5hLVIqd
oGcVOW4joXdfZrw1lJywB39HihzNgLmD2orZw7QNBfqFdd7RtUW6ojkQOJJ777UC
AwEAAaOCAaMwggGfMB8GA1UdIwQYMBaAFLOQp9jJr07NYTyffK1df0H9aTDqMB0G
A1UdDgQWBBSZNGT6DNmuu4sTNJoNe4I8S6xCQjAOBgNVHQ8BAf8EBAMCBaAwDAYD
VR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSwYDVR0g
BEQwQjA2BgsrBgEEAbIxAQICGjAnMCUGCCsGAQUFBwIBFhlodHRwczovL2Nwcy51
c2VydHJ1c3QuY29tMAgGBmeBDAECATBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8v
Y3JsLnVzZXJ0cnVzdC5jb20vR2FuZGlTdGFuZGFyZFNTTENBMi5jcmwwcwYIKwYB
BQUHAQEEZzBlMDwGCCsGAQUFBzAChjBodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20v
R2FuZGlTdGFuZGFyZFNTTENBMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3Nw
LnVzZXJ0cnVzdC5jb20wGwYDVR0RBBQwEoIIKi5vdHIuaW2CBm90ci5pbTANBgkq
hkiG9w0BAQsFAAOCAQEALMn5fjOcn8lHRIxZlQ5ZGgChQswOIBRhpaCtyiXzP5Yu
bEbCGjYt9pUKrQQ+qb+MSZKgYMyfZaaEJMCtgPk5V47zK8jFcqaSmL7uuWOT3RRH
e1aoRdpyCTW2SEq04RsxhajVhp2xnNspf6eKhMRzZAqsgYsTPQBs+kvbl7yLv8uT
B+oCdI3MJ92De6TqrI/Z00blNwd7I13TgvasUyGSPfbkGxu5THSNvCV1Dbu+9Oql
Hf97UBELSTQpcApYJzIQ9lksShH2kalN41l9dqVgiXD6OfWfW7EUTpGYd4BGa1yg
2lIHlKN15Echdzhu2o2BFhbJH978+wgZHBH6chhxJw==
-----END CERTIFICATE-----
$
Note that it's the same cert twice. (Sometimes I get it 3 times.)
And for reference:
$ openssl s_client -showcerts -connect bugs.otr.im:443 < /dev/null
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.otr.im
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *.otr.im
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.otr.im
i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
-----BEGIN CERTIFICATE-----
MIIF6zCCBNOgAwIBAgIRAOHZg+yKPfZmVepOJPSBHowwDQYJKoZIhvcNAQELBQAw
XzELMAkGA1UEBhMCRlIxDjAMBgNVBAgTBVBhcmlzMQ4wDAYDVQQHEwVQYXJpczEO
MAwGA1UEChMFR2FuZGkxIDAeBgNVBAMTF0dhbmRpIFN0YW5kYXJkIFNTTCBDQSAy
MB4XDTE1MDMwOTAwMDAwMFoXDTE2MDMyMzIzNTk1OVowXDEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMSQwIgYDVQQLExtHYW5kaSBTdGFuZGFyZCBX
aWxkY2FyZCBTU0wxETAPBgNVBAMUCCoub3RyLmltMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEAxfZUm9e16vo+pVLyc0QIqKzpSuV/pYSWlEHlYHMMBGaq
j4jy584zenIigynw9pqfaLDnqxtWVoXXJpykWucOlM82kZL8nU/jgsbqxW9WqSkg
K3ZSlJlNn95g3vGjwHsZer6X32uIvaoyAafLgKQLQ7SP/AWIyHtN02B1AcjYcJAu
anX+QRSH/3qhKt8w2ahpzQi9Wbu3Y7WycHEAGCg9jAP6OeUL2eICZoV2b+JQv2ZH
GlrHpfZBl/eTCekB/geMBGxdfR4Kr5KMRjS5yiIxLguLR/RhlVaLMmvLQ8fPUF76
3+GVZLO1No3KA2m2AMDaQxOgFDboUTvgDzPKfZnsvU3yV91a1gnwHGR1c8YTgy9u
Iow7gJhuHzgPlYvES8vFEiu8vq+NJb5ZjpFkvQlIWEmUfQ4ghWd6s5TbMTC9Zn9R
U2XnfY5BFYj600CF42FTgFb8rANGFv8CRhBJ3TFWwrMXtZ2jGWhAWyvlKXjHj08k
SbyRUc33FJNJdPo1SNKLJWDoe0gxI7pdNpN/2gW8+DkcHiMA4Nebp5Px4ud2tEQ4
J3bimiRJGPKZbHOYPlZNTt5uRUyFcqcaZrb+9agC4/zCkoZ9Bc55hd7NZ5hLVIqd
oGcVOW4joXdfZrw1lJywB39HihzNgLmD2orZw7QNBfqFdd7RtUW6ojkQOJJ777UC
AwEAAaOCAaMwggGfMB8GA1UdIwQYMBaAFLOQp9jJr07NYTyffK1df0H9aTDqMB0G
A1UdDgQWBBSZNGT6DNmuu4sTNJoNe4I8S6xCQjAOBgNVHQ8BAf8EBAMCBaAwDAYD
VR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSwYDVR0g
BEQwQjA2BgsrBgEEAbIxAQICGjAnMCUGCCsGAQUFBwIBFhlodHRwczovL2Nwcy51
c2VydHJ1c3QuY29tMAgGBmeBDAECATBBBgNVHR8EOjA4MDagNKAyhjBodHRwOi8v
Y3JsLnVzZXJ0cnVzdC5jb20vR2FuZGlTdGFuZGFyZFNTTENBMi5jcmwwcwYIKwYB
BQUHAQEEZzBlMDwGCCsGAQUFBzAChjBodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20v
R2FuZGlTdGFuZGFyZFNTTENBMi5jcnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3Nw
LnVzZXJ0cnVzdC5jb20wGwYDVR0RBBQwEoIIKi5vdHIuaW2CBm90ci5pbTANBgkq
hkiG9w0BAQsFAAOCAQEALMn5fjOcn8lHRIxZlQ5ZGgChQswOIBRhpaCtyiXzP5Yu
bEbCGjYt9pUKrQQ+qb+MSZKgYMyfZaaEJMCtgPk5V47zK8jFcqaSmL7uuWOT3RRH
e1aoRdpyCTW2SEq04RsxhajVhp2xnNspf6eKhMRzZAqsgYsTPQBs+kvbl7yLv8uT
B+oCdI3MJ92De6TqrI/Z00blNwd7I13TgvasUyGSPfbkGxu5THSNvCV1Dbu+9Oql
Hf97UBELSTQpcApYJzIQ9lksShH2kalN41l9dqVgiXD6OfWfW7EUTpGYd4BGa1yg
2lIHlKN15Echdzhu2o2BFhbJH978+wgZHBH6chhxJw==
-----END CERTIFICATE-----
1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
-----BEGIN CERTIFICATE-----
MIIEozCCA4ugAwIBAgIQWrYdrB5NogYUx1U9Pamy3DANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNMDgxMDIzMDAwMDAwWhcNMjAwNTMwMTA0ODM4WjBBMQswCQYD
VQQGEwJGUjESMBAGA1UEChMJR0FOREkgU0FTMR4wHAYDVQQDExVHYW5kaSBTdGFu
ZGFyZCBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC2VD2l
2w0ieFBqWiOJP5eh1AcaqVgIm6AVwzK2t/HouaVvrTf2bnEbtHUtSF6fxhWqge/l
xIiVijpsd8y1zWXkZ+VzyVBSlMEnST6ga0EWQbaUmUGuPsviBkYJ6U2+yUxVqRh+
pt9u/UqyzGxO2chQFZOz8unjwmqtOtX7w3lQnyV5KbJHZHwgPuIITZMpFLY0bs9x
Rn52EPT9bKoB0sIG3pKDzFiQLpLeHmW3Yy89sutwjEzgvhWd3sFNVvgLxo4HuV3f
lfB7QB8aLNecK0t29Fn1Q8EsZhCenmaWYJ0cdBtOGFwIsG5symkaAum7ynjvZi7j
Mv1BXJV0gU302v5LAgMBAAGjggE+MIIBOjAfBgNVHSMEGDAWgBShcl8mGyiYQ5Vd
BzfVhZadS9LDRTAdBgNVHQ4EFgQUtqj/oqgv0KbNS7Fo8+dQEDGneSEwDgYDVR0P
AQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwGAYDVR0gBBEwDzANBgsrBgEE
AbIxAQICGjBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8vY3JsLnVzZXJ0cnVzdC5j
b20vVVROLVVTRVJGaXJzdC1IYXJkd2FyZS5jcmwwdAYIKwYBBQUHAQEEaDBmMD0G
CCsGAQUFBzAChjFodHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVROQWRkVHJ1c3RT
ZXJ2ZXJfQ0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1c3Qu
Y29tMA0GCSqGSIb3DQEBBQUAA4IBAQAZU78DPZvia1r9ukkfT+zhxoI5PNIDBA+r
ez6CqYUQH/TeMq9YP/9w8zAdly1MmuLsDD4ULS+YSJ2uFmqsLUKqtWSkcLvrc5R7
RkznehR2W0wdhKEgdB8uS1xwiNy99xk97VkN4j8m4pyspDyVHPi+jAOu8OWcTbzH
m1gAv6+t+jducW0YNA7B6mr4Dd9pVFYV8iiz/qRj7MUEZGC7/irw9IehsK69quQv
4wMLL2ZfhaQye0btJQzn8bfnGf1gul+Hd96YB5bkXupjfajeVdphXDyQg0MEBzzd
8/ifBlIK3se2e4/hEfcEejX/arxbx1BJCHBvlEPNnsdw8dvQbdqP
-----END CERTIFICATE-----
2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Hardware
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
-----BEGIN CERTIFICATE-----
MIIEhjCCA26gAwIBAgIQUkIGSk83/kNpSHqWZ/9dJzANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTA1MDYwNzA4MDkxMFoXDTIwMDUzMDEwNDgzOFow
gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
LUhhcmR3YXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsffDOD+0
qH/POYJRZ9Btn9L/WPPnnyvsDYlUmbk4mRb34CF5SMK7YXQSlh08anLVPBBnOjnt
KxPNZuuVCTOkbJex6MbswXV5nEZejavQav25KlUXEFSzGfCa9vGxXbanbfvgcRdr
ooj7AN/+GjF3DJoBerEy4ysBBzhuw6VeI7xFm3tQwckwj9vlK3rTW/szQB6g1ZgX
vIuHw4nTXaCOsqqq9o5piAbF+okh8widaS4JM5spDUYPjMxJNLBpUb35Bs1orWZM
vD6sYb0KiA7I3z3ufARMnQpea5HW7sftKI2rTYeJc9BupNAeFosU4XZEA39jrOTN
SZzFkvSrMqFIWwIDAQABo4H0MIHxMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
veAky1QaMB0GA1UdDgQWBBShcl8mGyiYQ5VdBzfVhZadS9LDRTAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAIMAYGBFUdIAAwewYDVR0f
BHQwcjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5jb20vQWRkVHJ1c3RFeHRl
cm5hbENBUm9vdC5jcmwwNqA0oDKGMGh0dHA6Ly9jcmwuY29tb2RvLm5ldC9BZGRU
cnVzdEV4dGVybmFsQ0FSb290LmNybDANBgkqhkiG9w0BAQUFAAOCAQEAYGQ5WaJD
ZS79+R/WrjO76FMTxIjuIxpszthkWVNTkOg239T88055L9XmjwzvKkFtcb2beDgj
03BLhgz9EqciYhLYzOBR7y3lzQxFoura7X7s9zKa5wU1Xm7CLGhonf+M8cpVh8Qv
sUAG3IQiXG2zzdGbGgozKGYWDL0zwvYH8eOheZTg+NDQ099Shj+p4ckdPoaEsdtf
7uRJQ8E5fc8vlqd1XX5nZ4TlWSBAvzcivwdDtDDhQ4rNA11tuSnZhKf1YmOEhtY3
vm9nu/9iVzmdDE2yKmE9HZzvmncgoC/uGnKdsJ2/eBMnBwpgEZP1Dy7J72skg/6b
kLRLaIHQwvrgPw==
-----END CERTIFICATE-----
---
Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*.otr.im
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4825 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: E67A63468B999C6CA41186D080ABA061A460160C222576E7FAE5B56679C53BB3
Session-ID-ctx:
Master-Key: 22DAF517196E6A24224A690554D569D60F1168DB27C62C23436C089DE9807F007A394E711B8476BF44167DC35633232F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - dd ed 8f 5f 20 86 ba fe-f0 ab 3f 30 45 d5 63 59 ..._ .....?0E.cY
0010 - b7 9a 45 b2 99 3b 8a 3a-d6 3c 16 48 9b a5 84 44 ..E..;.:.<.H...D
0020 - c4 26 a8 e9 39 83 bc 54-08 55 fe 38 35 43 ab 42 .&..9..T.U.85C.B
0030 - 48 42 f1 62 77 5f b6 5d-fe d3 2b 84 5e de ca ed HB.bw_.]..+.^...
0040 - c9 4e 0a 49 ed 1b 6c 72-d8 21 1e 86 7a 30 45 d3 .N.I..lr.!..z0E.
0050 - c7 b9 2a 8f 4e 03 cb 42-0a c5 f4 d2 15 c4 a3 b0 ..*.N..B........
0060 - 04 1c ed ac 20 7d 9f 4d-27 48 b3 6d 60 90 c5 1a .... }.M'H.m`...
0070 - 09 5c 21 02 20 c8 4d 87-c9 85 de 5c 90 32 bc 20 .\!. .M....\.2.
0080 - b3 65 7d 3c ec dc 5b 9b-1a 17 c7 cb 4d 41 b3 d3 .e}<..[.....MA..
0090 - 79 c6 10 6d 4f 0e 57 cc-f3 29 0d b4 bd 0d b2 d8 y..mO.W..)......
00a0 - 59 2c 6e ca dc f1 70 ec-10 f9 dd 16 55 2a ae 35 Y,n...p.....U*.5
00b0 - 3a c8 25 4b 31 de 4d cc-c7 0c 47 33 a2 bc 66 b1 :.%K1.M...G3..f.
Start Time: 1427146263
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
DONE
$
IO::Socket::SSL::Utils splits subject/issue into a hash, losing the ordering of the parts
Feature request. Though I'm tempted to also characterise this as a design fault. ๐
I notice CERT_asHash() returns subject and issuer split into a hash. I think it would be more useful to report the whole DN. Or if you must split it, then instead split it into an array.
This will be especially problematic for DNs that contain more than one of the same type of RDN (eg. multiple OU's or DC's), as it then becomes impossible to determine which order in which to reassemble the bits back together.
I was hoping to replace my usage of Net::SSLeay::X509_NAME_oneline() with IO::Socket::SSL::Utils functions, but today is not that day. :P
implicit derivation of hostname for SNI should be less astonishing
The addition of SNI support here:
4f83a3c#diff-1
created one explicit way for the caller to supply the host name for which the certificate is wanted (supply it with the key SSL_hostname).
It also added a default behavior if SSL_hostname isn't specified, but that default behavior is almost surely not what the caller expects! If the caller passes both a PeerAddr and a PeerHost, the code looks at the PeerAddr first ... and then discards it if it looks like an address instead of a hostname ... and ignores the PeerHost!
It is probably better to look at PeerHost for a hostname first ... and maybe it is even best to look at both, and accept either one if it has the form of a hostname and not an address.
Default cipher list doesn't include ECDHE-RSA-AES128-GCM-SHA256
Not an expert on SSL, but I ran into a situation where I couldn't connect to a server using LWP that only had the TLS 1.2 protocol enabled:
https://www.ssllabs.com/ssltest/analyze.html?d=www.tiremoni.com
In debugging this, I found that it was failing to connect because IO::Socket::SSL's default cipher list didn't include ECDHE-RSA-AES128-GCM-SHA256 (which all major browsers seem to include).
The comment for $DEFAULT_SSL_CLIENT_ARGS{SSL_cipher_list} says that the list is from IE11, but it's perhaps out of date, since IE11 seems to support more ciphers than in that list.
For reference, here's the list I get from IE11 (might be a bit out of date since it's from a VM):
- ECDHE-RSA-AES256-SHA384
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA
- ECDHE-RSA-AES128-SHA
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-AES128-GCM-SHA256
- RSA-AES256-GCM-SHA384
- RSA-AES128-GCM-SHA256
- DH-RSA-MISTY1-SHA
- DH-DSS-MISTY1-SHA
- RSA-AES256-SHA
- RSA-AES128-SHA
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA
- ECDHE-ECDSA-AES128-SHA
- DHE-DSS-AES256-SHA256
- DH-ANON-MISTY1-SHA
- DHE-DSS-AES256-SHA
- DHE-DSS-AES128-SHA
- RSA-3DES-EDE-SHA
- DHE-DSS-3DES-EDE-SHA
- RSA-RC4128-SHA
- RSA-RC4128-MD5
IO::Socket::SSL + fork
Hello, I've asked a question on perlmonks.org today ( http://perlmonks.org/?node_id=1107935 ), and it seems this issue needs an implementation.
IO::Socket::SSL is a very versatile module, but the lack of fork support is a really sad fact.
Since IO::Socket::SSL is a descendent of IO::Socket::INET, I think it should support fork as the second one does.
Would it be possible to implement a such 'fix' for not using third-party event-driven frameworks?
Enablement of SNI is erroneously sensitive to the the case of the inferred hostname
This was discovered after assisting a person in #perl at Freenode, who was using the following URL for testing:
HTTPS://WWW.SPS-SERVICE.EU/6AV2124-0GC01-0AX0
Attempts to connect to this URL were resulting in a Can't connect to WWW.SPS-SERVICE.EU:443 (certificate verify failed) error. It was then discovered that the lower case form of this URL worked and, after further testing, that specifying anything other than www. as the first component of the hostname was enough to trigger the error. All of which should not happen, of course.
Eventually, I realised that the host in question requires SNI to be active, otherwise it reports an entirely different CN, against which verification is, indeed, impossible. For instance:
# openssl s_client -connect www.sps-service.eu:443 -servername WWW.SPS-SERVICE.EU </dev/null 2>&1 | grep '^subject'
subject=/OU=Domain Control Validated/CN=*.sps-service.eu
# openssl s_client -connect www.sps-service.eu:443 </dev/null 2>&1 | grep '^subject'
subject=/C=DE/ST=Bayern/L=Muenchen/O=ispgateway/CN=webserver.ispgateway.de/[email protected]
Sure enough, after setting the $DEBUG level to 2, I was able to confirm that IO::Socket::SSL was not attempting to use SNI in the failing case (the first name component being anything other than lower-case www):
DEBUG: .../IO/Socket/SSL.pm:720: not using SNI because hostname is unknown
This is where the issue lies:
# grep -n 'host = undef' /usr/lib64/perl5/vendor_perl/5.24.3/IO/Socket/SSL.pm
712: $host = undef if $host !~m{[a-z_]} or $host =~m{:};
Specifically, the above regular expression does not tolerate any names that contain upper-case characters, in which case SNI becomes impossible. Adjusting the regular expression to tolerate upper-case alphabetical characters, or adding the /i flag is enough for SNI to be correctly employed for all case-oriented permutations of this particular URL.
t/external/ocsp.t failing in 2.035
$ make test
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
# openssl version=0x1000208f
# Net::SSLeay version=1.77
# parent IO::Socket::IP version=0.38
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
# tcp connect to www.microsoft.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# Failed test 'did not get expected OCSP response with stapling'
# at t/external/ocsp.t line 93.
# tcp connect to www.spiegel.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to revoked.grc.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# Failed test 'expected revoked but connection ok'
# at t/external/ocsp.t line 128.
# Looks like you failed 2 tests of 3.
t/external/ocsp.t .................
Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/3 subtests
# found 167 CA certs
# have root CA for www.spiegel.de in store
#5 connections to www.spiegel.de ok
# fingerprint www.spiegel.de matches
# check www.spiegel.de against builtin CA store ok
# have root CA for www.yahoo.com in store
#5 connections to www.yahoo.com ok
# fingerprint www.yahoo.com matches
# check www.yahoo.com against builtin CA store ok
# have root CA for www.comdirect.de in store
#5 connections to www.comdirect.de ok
# fingerprint www.comdirect.de matches
# check www.comdirect.de against builtin CA store ok
# have root CA for meine.deutsche-bank.de in store
#5 connections to meine.deutsche-bank.de ok
# fingerprint meine.deutsche-bank.de matches
# check meine.deutsche-bank.de against builtin CA store ok
# have root CA for www.twitter.com in store
#5 connections to www.twitter.com ok
# have root CA for www.facebook.com in store
#5 connections to www.facebook.com ok
# fingerprint www.facebook.com matches
# check www.facebook.com against builtin CA store ok
# have root CA for www.live.com in store
#5 connections to www.live.com ok
# fingerprint www.live.com matches
# check www.live.com against builtin CA store ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
# -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok
Test Summary Report
-------------------
t/external/ocsp.t (Wstat: 512 Tests: 3 Failed: 2)
Failed tests: 1, 3
Non-zero exit status: 2
Files=37, Tests=794, 48 wallclock secs ( 0.09 usr 0.02 sys + 3.28 cusr 0.33 csys = 3.72 CPU)
Result: FAIL
Failed 1/37 test programs. 2/794 subtests failed.
Makefile:791: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255
That's on Fedora Rawhide and I get the same result on the much-older CentOS 6.
Net-SSLeay-1.68 : request informations / $arg_hash->{SSL_ca}
Hello
I found not anywhere of a detail documentation clear about SSL_key or SSL_ca from variables and without from flat files : eg : my-ca.pem or client-cert.pem.
So, Iโd like just use by variables a key of CA public without file of "$certdir/my-ca.pem" and open a new socket :
Example of perl 5.14.2 (strawberry 32bits):
$ca_key = q{-----BEGIN CERTIFICATE-----
MIIE+DCCA โฆ. blabla โฆ. tZPMIxRNeUKRg==
-----END CERTIFICATE-----};
$x509 = PEM_string2cert($ca_key); #=> it's work !
if(!($socket = IO::Socket::SSL->new(
Listen => 5,
LocalPort => $port,
Proto => 'tcp',
Reuse => 0,
SSL_ca_path => $certdir,
# SSL_ca_file => "$certdir/my-ca.pem", => it's work fine with all keys
SSL_ca => $x509,
SSL_cert_file => "$certdir/server-cert.pem",
SSL_key_file => "$certdir/server-key.pem",
SSL_use_cert => 1,
SSL_verify_mode => SSL_VERIFY_PEER,
SSL_reuse_ctx => 0,
SSL_server => 1,
SSL_version => 'SSLv3',
SSL_cipher_list => 'SHA:AES:3DES:!RC4:!MD5',
SSL_passwd_cb => sub {return "$secret"},
)) )
And I've some erro :
DB<2>
Can't use string ("61536080") as an ARRAY ref while "strict refs" in use at E:/strawberry-5.14.2.1-32bit/perl/site/lib/IO/Socket/SSL.pm line 2273.
at E:/strawberry-5.14.2.1-32bit/perl/site/lib/IO/Socket/SSL.pm line 2273
IO::Socket::SSL::SSL_Context::new('IO::Socket::SSL::SSL_Context', 'HASH(0x242df6c)') called at E:/strawberry-5.14.2.1-32bit/perl/site/lib/IO/Socket/SSL.pm line 512
Is it possible and whichโs a good practice ?
Many thanks for advance.
Best regards
Nicolas
RFC: complain loudly if supplied SSL files do not exist
Hi,
This is a RFC : I'm happy to do more work to add tests or rework the implementation, however I wanted to first check if there was any interest (and that I'm even vaugely on the right path).
I recently tripped up over my own stupidity by passing paths to SSL files (key/cert/ca) that didn't exist. The behaviour I observed was that the server started, accepted connections then immediately closed them. No error was emitted.
In my particular case, I was using Mojolicious' morbo, however talking to sri on irc he suggested that IO::Socket:SSL would be the correct place to fix this.
fwiw:
morbo -v -l "https://172.16.200.100:4430?cert=/home/me/ssl/secure.crt&key=/home/me/ssl/secure.key" script/server
If either of those files does not exist, I see this behaviour:
ยง telnet 172.16.200.100 4430
Trying 172.16.200.100...
Connected to oauth.minty.org.
Escape character is '^]'.
Connection closed by foreign host.
If all relevant files DO exist, I see this:
ยง telnet 172.16.200.100 4430
Trying 172.16.200.100...
Connected to oauth.minty.org.
Escape character is '^]'.
(followed by the server waiting for input)
I'm not hugely familiar with the IO::Socket::SSL code, so the following patch really should be treated more as a hand-wavy attempt to explain my problem and a rough line in the sand for where it might be possible to fix.
https://github.com/minty/p5-io-socket-ssl/commit/b5a7fe8db91e9993fc7929e5c1b8799dd7f3497a
If someone with better knowledge of the code could give me some pointers/direction, I'd be happy to invest some effort in trying to submit a proper pull-request with a more robust patch include, plus some tests.
Thanks!
Memory leak when destroying with incomplete handshake
This was originally found in Mojolicious: mojolicious/mojo#1469
But then I tracked this down to IO::Socket::SSL. If we'll destroy object for which server didn't respond with initial handshake this will produce memory leak. I can reproduce this with such server:
use strict;
use IO::Socket;
use POSIX 'WNOHANG';
$SIG{CHLD} = sub { 1 while waitpid(-1, WNOHANG) > 0; };
my $srv = IO::Socket::INET->new(Listen => 1, LocalPort => 1081) or die $@;
while (1) {
my $c = $srv->accept or next;
my $child = fork;
if ($child == 0) {
$c->sysread(my $buf, 1024);
sleep 3;
exit;
}
}and such client:
use strict;
use IO::Socket::SSL;
use IO::Socket::INET;
use IO::Select;
use Time::HiRes 'time';
use constant TIMEOUT => 1;
warn $$;
my $sel_for_read = IO::Select->new;
my $sel_for_write = IO::Select->new;
my %sockets;
for (1..100) {
make_socket();
}
while (1) {
my ($readable, $writable) = IO::Select->select($sel_for_read, $sel_for_write, undef, 0.5);
$readable ||= [];
$writable ||= [];
my @want_read;
my @want_write;
for my $socket (@$readable, @$writable) {
remove_socket($socket);
if ($socket->connect_SSL) {
# SSL handshake done
warn 'connected';
delete $sockets{fileno $socket};
make_socket();
next;
}
if ($SSL_ERROR == SSL_WANT_READ) {
push @want_read, $socket;
}
elsif ($SSL_ERROR == SSL_WANT_WRITE) {
push @want_write, $socket;
}
else {
# unexpected error
warn 'unexpected: ', $SSL_ERROR;
delete $sockets{fileno $socket};
make_socket();
}
}
# timeout check
my $time = time;
for my $socket ($sel_for_read->handles, $sel_for_write->handles) {
if ($time - $sockets{fileno $socket} > TIMEOUT) {
warn 'timeout';
remove_socket($socket);
delete $sockets{fileno $socket};
make_socket();
}
}
# add again for next iteration
$sel_for_read->add(@want_read);
$sel_for_write->add(@want_write);
}
sub make_socket {
my $socket = IO::Socket::INET->new(PeerAddr => '127.0.0.1', PeerPort => 1081, Blocking => 0) or die $@;
IO::Socket::SSL->start_SSL($socket, SSL_startHandshake => 0) or die $SSL_ERROR;
$sockets{fileno $socket} = time;
$sel_for_write->add($socket);
}
sub remove_socket {
my $socket = shift;
$sel_for_read->remove($socket);
$sel_for_write->remove($socket);
}Memory usage of this client script grows without a stop, however I can see that IO::Socket::SSL::DESTROY called and size of script variables is constant.
t/auto_verify_hostname.t hangs if URI is not present.
Our RPM suite is hanging building IO::Socket::SSL if URI is not installed.
Based on the requirements from Makefile.PL, only these rpms need to be present to run the test suite for IO::Socket::SSL.
cpanel-perl-526-5.26.0-1.cp1170.x86_64.rpm
cpanel-perl-526-Mozilla-CA-20170227-1.cp1170.noarch.rpm
cpanel-perl-526-Net-SSLeay-1.81-1.cp1170.x86_64.rpm
However Until I hadd URI as a dep, the test suite hangs while running t/auto_verify_hostname.t.
Is this a known issue?
Pessimistic version number for SNI support in OpenSSL
Reading the code (SSL.pm:41), it looks like you're requesting OpenSSL 1.0.0 to enable client SNI. After some research it seems that SNI was enabled (by default, prior to that it was a configure flag one had to enable by hand) in OpenSSL 0.9.8j.
According to http://www.openssl.org/docs/crypto/OPENSSL_VERSION_NUMBER.html this would be : 0x0009080af
After changing 0x010000000 to this value, I was able to correctly install the latest version of IO::Socket::SSL without errors.
Would you like me to make a proper PR for this?
Thank you for your work on this distribution, it actually saved my bacon a couple of weeks ago when some other language was getting on my nerves. You can't beat the Internet Swiss army chainsaw that comes with Perl.
IO::Socket::SSL supports TLSv1.0
Per the POD:
IO::Socket::SSL tries to set these values to reasonable, secure values which are compatible with the rest of the world. But, there are some scripts or modules out there which tried to be smart and get more secure or compatible settings. Unfortunately, they did this years ago and never updated these values, so they are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11). Or they set 'HIGH' as the cipher list and thought they were secure, but did not notice that 'HIGH' includes anonymous ciphers, e.g. without identification of the peer.
So it is recommended to leave the settings at the secure defaults which IO::Socket::SSL sets and which get updated from time to time to better fit the real world.
Keeping the "secure" defaults would allow TLSv1.0. TLSv1.0 is insecure and broken. POODLE and BEAST exploits already exist for it. Using it will break PCI DSS in June 2018.
Let's just change default SSL_version to SSLv23:!SSLv2:!SSLv3:!TLSv1.
out of filehandles
Hello,
I am not sure if this is even a bug or a documentation issue.
I was creating a couple of ssl connections with IO::Socket::SSL->new(...). unfortunatelly I was running out of open file descriptors. Of course the related files need to be read out but the code examples in the documentation lead to the assumption that you "just" need to check the return value of IO::Socket::SSL->new().
SSL_cert_file ../var/certs/server.crt can't be used: Too many open files at /opt/perl/lib/site_perl/5.26.0/IO/Socket/SSL.pm line 2258.
IO::Socket::SSL::SSL_Context::new("IO::Socket::SSL::SSL_Context", HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/SSL.pm line 641
IO::Socket::SSL::configure_SSL(IO::Socket::SSL=GLOB(0x95dcb38), HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/SSL.pm line 607
IO::Socket::SSL::configure(IO::Socket::SSL=GLOB(0x95dcb38), HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/x86_64-linux-multi/IO/Socket.pm line 48
IO::Socket::new(...) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/IP.pm line 369
Would it make sense to catch this error inside the API and just return undef for IO::Socket::SSL->new() and set the error variable?
t/nonblock.t test fails on armv6l
Both the multiple write attempts tests fail for me on a single processor RaspberryPi under the following conditions. System perl (same versions) on a multi processor Pi results in successful test with and without patch.
| software | system perl | perlbrew |
|---|---|---|
| perl | v5.24.1 | v5.26.2 |
| Net::SSLeay | 1.80 | 1.85 |
| URI | 1.71 | 1.74 |
$ prove -lv t/nonblock.t
t/nonblock.t ..
1..27
ok # [server] Server Initialization
ok # [server] 1e-09
ok # [server] tcp accept
# connect in progress
ok # [client] client tcp connect
ok # [server] received plain text
# wrote 9 bytes
ok # [client] write plain text
ok # [server] upgrade to_client to IO::Socket::SSL
ok # [client] upgrade client to IO::Socket::SSL
# SSL wants a read first
# SSL wants a read first
ok # [client] connected
ok # [client] nonblocking connect with 2 attempts
ok # [server] ssl accept handshake done
# sndbuf=16384
ok # [server] received client message
# read 30000 (1 r/w attempts)
# $!=Connection reset by peer $SSL_ERROR=SSL write error (5) send=205660
# connection closed
ok # [client] syswrite
not ok # [client] multiple write attempts
ok # [client] 30000 bytes send
ok # [server] tcp acceptMy current workaround is doubling the sleep time on line 336
diff --git a/t/nonblock.t b/t/nonblock.t
index ad62799..85b5cf5 100644
--- a/t/nonblock.t
+++ b/t/nonblock.t
@@ -333,7 +333,7 @@ if ( $pid == 0 ) {
#diag($buf);
ok( "received client message" );
- sleep(5);
+ sleep(10);
my $bytes_received = 10;
# read up to 30000 bytes from client, then close the socketNo git tags
This git repo has no tags, which makes code archaeology a bit hard.
Could you add tags corresponding to CPAN releases?
PublicSuffix module is unable to distinguish real and phony TLDs
root@felipe 13:18:30 cpstore_client *
> perl -MIO::Socket::SSL::PublicSuffix -E'say for scalar IO::Socket::SSL::PublicSuffix->default()->public_suffix("q.co.nz")'
co.nz
OK
root@felipe 13:19:07 cpstore_client *
> perl -MIO::Socket::SSL::PublicSuffix -E'say for scalar IO::Socket::SSL::PublicSuffix->default()->public_suffix("q.co.nzzzz")'
nzzzz
^^^ The above seems to indicate that the โTLDโ for the 2nd domain is โnzzzzโ. There is nothing that a caller can do to distinguish this from the case where โnzzzzโ is a real TLD.
This seems like a problem โฆ ? Potentially one causing breakage in IO::Socket::SSL?
Trouble with Mojo::IOLoop::TLS
I have error when trying to do two concurrent requests which upgrades to tls.
#!/usr/bin/perl
use Mojo::Base -strict;
use Mojo::IOLoop;
use Mojo::IOLoop::TLS;
use Mojo::IOLoop::Client;
use Mojo::IOLoop::Server;
#$IO::Socket::SSL::DEBUG = 3;
my $server = Mojo::IOLoop::Server->new;
my $client = Mojo::IOLoop::Client->new;
my ($server_handle, $client_handle);
my ($client_stream, $server_stream);
sub upgrade_handle {
my ($handle, $is_server, $cb) = @_;
my $tls = Mojo::IOLoop::TLS->new($handle);
$tls->on(upgrade => sub { $cb->(pop) });
$tls->on(error => sub { warn pop });
$tls->negotiate(server => $is_server);
}
sub upgrade_handles {
Mojo::IOLoop->delay(
sub {
my $d = shift;
upgrade_handle($server_handle, 1, $d->begin(0));
upgrade_handle($client_handle, 0, $d->begin(0));
}, sub {
my ($d, $server_handle, $client_handle) = @_;
say 'YEAH';
Mojo::IOLoop->singleton->reactor->io($server_handle => sub {})->watch($server_handle, 1, 0);
Mojo::IOLoop->singleton->reactor->io($client_handle => sub {})->watch($client_handle, 1, 0);
}
);
}
$client->on(connect => sub {
$client_handle = pop;
#upgrade_handles();
Mojo::IOLoop->timer(0.1 => sub { upgrade_handles() });
});
$client->on(error => sub { warn pop });
$server->on(accept => sub {
$server_handle = pop;
$client->connect(address => 'www.yandex.ru', port => 443);
});
$server->listen(port => 8443);
$server->start;
Mojo::IOLoop->start;I have this errors when run this script
$ perl 9.pl
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
YEAH
^C
$
Client send message with that request
$ curl -k "https://127.0.0.1:8443"
I try to discuss this problem in mojo irc channel, but nobody understand me.
When i enable debug mode for IO::Socket::SSL, i see output like that:
connect -> -1
accept -> -1
accept -> -1
accept -> 1
handshake done, socket ready
connect -> -1
local error: SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
accpet -> -1
local error: SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
accept -> -1
connect -> -1
connect -> 1
ssl handshake done
So, after accept ssl handshake IO::Socket::SSL begin accept it again.
If comment client upgrade or server upgrade then all will work perfectly.
So, problem occure when exists two concurrent requests.
I don't konw what to do...
Client cert chains should not be required to be built
Server certificate files can (and arguably should!) be a single file with the chain of certificates concatenated all the way down to the root certificate. This is efficient and simple.
Unfortunately, client certificates do not work this way, and will only read the first certificate in a file and will only build the cert to the root cert, requiring the user to have all of the certificates that the client cert is based on (ie all the certs in the chain) in the CA store of the client.
For simplicity's sake I'd rather only store my root CA in my CA store, and have the client and server both just have chainfiles instead of single pem files. I suspect that the reason this works this way is that it's how OpenSSL works by default, as s_client from openssl acts the same way. But curl, which uses openssl on my system, allows the user to set client cert file which is a chainfile, so I suspect it's doable, just a bit of work.
I can try my hand at figuring this out, but I am mostly a pure-perl dev and don't know much about the guts of OpenSSL, XS, and other weird stuff like that. If I were to do this I'd see how curl is doing it.
Can't Build IO::Socket::SSL In Darwin
A failure to build IO::Socket::SSL on Darwin causes Alien::Base::ModuleBuild to fail to download the Artistic Style source tarball, which causes Alien::astyle to fail to build, which causes RPerl to fail to build.
http://www.cpantesters.org/cpan/report/b8ef9f4a-d8ed-11e6-b252-0c7aa522188b
Below is the (not exactly intuitive) error message from Alien::Base::ModuleBuild which tells us it has experienced a network failure, in this case the lack of IO::Socket::SSL...
Internal Exception at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ModuleBuild.pm line 382.
Could not find any matching files at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ModuleBuild.pm line 382.
Can't call method "version" on an undefined value at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ModuleBuild.pm line 391.
syswrite does not properly report SSL_ERROR_SYSCALL
Documentation states (http://search.cpan.org/~sullr/IO-Socket-SSL-2.050/lib/IO/Socket/SSL.pod#syswrite):
syswrite will write all the data within a single SSL frame, which means, that no more than 16.384 bytes, which is the maximum size of an SSL frame, can be written at once.
There are two issues here. First, it is unclear whether a call with a length of more than 16384 should result in an error or a partial write.
Second, it is actually an error, but it is not reported very well.
syswrite calls _generic_write which (in case of non-blocking socket) calls Net::SSLeay::write_partial.
When write_partial returns error, _skip_rw_error checks for ERROR_WANT_READ and ERROR_WANT_READ, but silently discards all other errors.
As a result, syswrite returns undef but does not set $!, which confuses callers.
In particular, see libwww-perl/libwww-perl#264.
Without digging deeper into code, my first proposal would be to report all SSL error codes,
not only whose corresponding to $!{EWOULDBLOCK}.
windows bugs
Just testing out some of the crypto and ssl commands on windows. Some incompatibility between basic syntax and my compiler, and some password-protected private keys included in Certs for some reason. Also some invalid cert files.
Version 2.057 fails tests t/session_ticket.t
I believe commit 111eccd, "add use of client certificates to t/session_ticket.t", is preventing the most recent version of IO::Socket::SSL from passing tests on my machine. If I revert this one commit, all tests pass.
Let me know what additional debugging information will be useful for you, if any. I'm also glad to test any fixes.
Test output:
$ make test
Skip blib/lib/IO/Socket/SSL/Intercept.pm (unchanged)
Skip blib/lib/IO/Socket/SSL/PublicSuffix.pm (unchanged)
Skip blib/lib/IO/Socket/SSL/Utils.pm (unchanged)
Skip blib/lib/IO/Socket/SSL.pm (unchanged)
Skip blib/lib/IO/Socket/SSL.pod (unchanged)
PERL_DL_NONLAZY=1 "/data/home/jmaslak/perl5/perlbrew/perls/perl-5.28.0/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
t/01loadmodule.t .................. 1/3 # openssl version compiled=0x1010007f linked=0x1010007f -- OpenSSL 1.1.0g 2 Nov 2017
# Net::SSLeay version=1.85
# parent IO::Socket::IP version=0.39
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
t/external/ocsp.t ................. # tcp connect to www.chksum.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# got stapled response as expected
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
t/external/ocsp.t ................. 1/3 # tcp connect to www.bild.de:443 ok
# tcp connect to revoked.grc.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
t/external/ocsp.t ................. ok
t/external/usable_ca.t ............ # found 149 CA certs
# have root CA for www.bild.de in store
# 5 connections to www.bild.de ok
t/external/usable_ca.t ............ 1/21 # have root CA for www.yahoo.com in store
# 5 connections to www.yahoo.com ok
t/external/usable_ca.t ............ 4/21 # have root CA for www.comdirect.de in store
# 5 connections to www.comdirect.de ok
t/external/usable_ca.t ............ 7/21 # have root CA for meine.deutsche-bank.de in store
# 5 connections to meine.deutsche-bank.de ok
t/external/usable_ca.t ............ 10/21 # have root CA for www.twitter.com in store
# 5 connections to www.twitter.com ok
t/external/usable_ca.t ............ 13/21 # have root CA for www.facebook.com in store
# 5 connections to www.facebook.com ok
# fingerprint www.facebook.com matches
# check www.facebook.com against builtin CA store ok
# have root CA for www.live.com in store
# 5 connections to www.live.com ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
t/plain_upgrade_downgrade.t ....... # -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
t/plain_upgrade_downgrade.t ....... 1/15 # server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled without SSLv3 support
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/session_ticket.t ................ # listen at 127.0.0.1:45027
# listen at 127.0.0.1:47497
# connect to 0: error: ,SSL connect attempt failed error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate
t/session_ticket.t ................ 1/6
# Failed test 'no initial session -> no reuse'
# at t/session_ticket.t line 67.
# got: undef
# expected: '0'
# Failed test 'Can't use an undefined value as a symbol reference at t/session_ticket.t line 68.
# '
# at ./t/testlib.pl line 39.
# Looks like your test exited with 1 just after 2.
t/session_ticket.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 6/6 subtests
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok
Test Summary Report
-------------------
t/session_ticket.t (Wstat: 256 Tests: 2 Failed: 2)
Failed tests: 1-2
Non-zero exit status: 1
Parse errors: Bad plan. You planned 6 tests but ran 2.
Files=38, Tests=796, 74 wallclock secs ( 0.21 usr 0.10 sys + 6.00 cusr 1.04 csys = 7.35 CPU)
Result: FAIL
Failed 1/38 test programs. 2/796 subtests failed.
Makefile:879: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255
Tests fails with Openssl 1.1.1-stable branch
Tests fails with Openssl 1.1.1-stable branch
I believe this is started with openssl/openssl@db943f4
Seems like new behaviour happens with EOF, and this trips up io-socket-ssl testsuite.
Code with typo is reached when using session_cache
A mistyped $self is reached when using session_cache:
my $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} || self->_update_peer;
p5-io-socket-ssl/lib/IO/Socket/SSL.pm
Line 884 in 8e7f7ff
Error in regular expression causing sendmail malfunction
Description of this issue can be found here.
In that thread there is also a solution:
The bug appears to be in line 1490 of /usr/local/share/perl/5.14.2/IO/Socket/SSL.pm.
change:
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
to:
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))}i
Different base class?
Hi - Would it be possible to have the base class as a parameter? One use case is to have SSL connections through SOCKS. To do that currently, I had to duplicate the whole SSL.pm in a new package just to have a different @isa (IO::Socket::Socks). It works, but such duplication does not feel like the right think to do.
There might be a a much more simple option, but I'm still a Perl noob
Thanks
t\verify_hostname_standalone.t #78 fails on Windows 8.1
C:\> prove -vb t\verify_hostname_standalone.t ... not ok 78 - 1 != 0 |[::4.5.6.9]: cn= san=IP:0000:0000:0000:0000:0000:0000:0405:0609 # Failed test '1 != 0 |[::4.5.6.9]: cn= san=IP:0000:0000:0000:0000:0000:0000:0405:0609' # at t\verify_hostname_standalone.t line 55. # Looks like you failed 1 test of 78.
Windows 8.1 Pro 64-bit
OpenSSL 1.0.2a 19 Mar 2015
Visual Studio 2013 tools:
cl /? Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x64
nmake /? Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Summary of my perl5 (revision 5 version 20 subversion 2) configuration:
Platform:
osname=MSWin32, osvers=6.3, archname=MSWin32-x64-multi-thread
uname=''
config_args='undef'
hint=recommended, useposix=true, d_sigaction=undef
useithreads=define, usemultiplicity=define
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cl', ccflags ='-nologo -GF -W3 -O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise -DWIN32 -D_CONSOLE -DNO_STRICT -DWIN64 -DCONSERVATIVE -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DUSE_64_BIT_ALL -DPERL_TEXTMODE_SCRIPTS -DUSE_SITECUSTOMIZE -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO',
optimize='-O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise',
cppflags='-DWIN32'
ccversion='18.00.31101', gccversion='', gccosandvers=''
intsize=4, longsize=4, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
ivtype='__int64', ivsize=8, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\opt\perl-5.20.2\lib\CORE" -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
libpth="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\lib\amd64"
libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl520.lib
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\opt\perl-5.20.2\lib\CORE" -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
Characteristics of this binary (from libperl):
Compile-time options: HAS_TIMES HAVE_INTERP_INTERN MULTIPLICITY
PERLIO_LAYERS PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
PERL_MALLOC_WRAP PERL_NEW_COPY_ON_WRITE
PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT
USE_ITHREADS USE_LARGE_FILES USE_LOCALE
USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
USE_SITECUSTOMIZE
Built under MSWin32
Compiled at Feb 16 2015 08:44:56
%ENV:
PERLDOC_PAGER="c:\opt\cygwin64\bin\less.exe -+C -E -F -g -i"
@INC:
c:/opt/perl-5.20.2/site/lib/MSWin32-x64-multi-thread
c:/opt/perl-5.20.2/site/lib
c:/opt/perl-5.20.2/lib
.t/session_ticket.t failing in Fedora Rawhide
Test results:
$ make test
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harne
ss(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
# openssl version=0x1010003f
# Net::SSLeay version=1.80
# parent IO::Socket::IP version=0.38
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
# tcp connect to www.chksum.de:443 ok
# tcp connect to www.spiegel.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to revoked.grc.com:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
t/external/ocsp.t ................. ok
# found 154 CA certs
# have root CA for www.twitter.com in store
# 5 connections to www.twitter.com ok
# have root CA for www.facebook.com in store
# 5 connections to www.facebook.com ok
# have root CA for www.live.com in store
# 5 connections to www.live.com ok
# fingerprint www.live.com matches
# check www.live.com against builtin CA store ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
# -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
# failed to accept SSLv3
# looks like OpenSSL was compiled without SSLv3 support
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
# listen at 127.0.0.1:54715
# listen at 127.0.0.1:42263
# connect to 0: success reuse=0
# connect to 0: success reuse=0
# Failed test 'reuse with the next session and secret[0]'
# at t/session_ticket.t line 57.
# got: '0'
# expected: '1'
# connect to 1: success reuse=0
# Failed test 'reuse even though server changed, since they share ticket secret'
# at t/session_ticket.t line 57.
# got: '0'
# expected: '1'
# connect to 1: success reuse=0
# connect to 0: success reuse=0
# connect to 0: success reuse=0
# Failed test 'reuse again since got ticket with secret[0] in last step'
# at t/session_ticket.t line 57.
# got: '0'
# expected: '1'
# Looks like you failed 3 tests of 6.
t/session_ticket.t ................
Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/6 subtests
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok
Test Summary Report
-------------------
t/session_ticket.t (Wstat: 768 Tests: 6 Failed: 3)
Failed tests: 2-3, 6
Non-zero exit status: 3
Files=38, Tests=798, 54 wallclock secs ( 0.10 usr 0.02 sys + 3.32 cusr 0.36 csys = 3.80 CPU)
Result: FAIL
Failed 1/38 test programs. 3/798 subtests failed.
make: *** [Makefile:791: test_dynamic] Error 255
The most significant difference between the failing Rawhide build and the Fedora 25 build (which works) is that Rawhide has OpenSSL 1.1.0c and Fedora 25 has OpenSSL 1.0.2j.
All my builds for older Fedora/RHEL versions work OK.
Memleak when using the CRL feature ($crl not freed !)
Hi,
i posted the bug report 2 weeks ago but it hasn't been processed since then.
It's a major bug and should be fixed in time.
I'm sure i'm not the only one to use the CRL feature though.
Link for your convenience:
https://rt.cpan.org/Public/Bug/Display.html?id=125888
Best regards
Franz
[Win32] io-socket-ip test failure
Not certain why I see this failure as I have IO::Socket::IP ->VERSION(0.20) && IO::Socket::IP ->VERSION != 0.30 installed in Perl Core.
IO::Socket::IP is installed in PERL and the version is 0.34 (> 0.20 and != 0.30) ? So
Output from test is:
perl.exe "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib\lib', 'blib\arch')" t/io-socket-ip.t
[20:23:15] t/io-socket-ip.t ..
1..1
not ok # automatic use of IO::Socket::IP
Failed 1/1 subtests
[20:23:16]
Test Summary Report
t/io-socket-ip.t (Wstat: 0 Tests: 1 Failed: 1)
Failed test: 1
Files=1, Tests=1, 1 wallclock secs ( 0.13 usr + 0.06 sys = 0.19 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed
My Perl:
Summary of my perl5 (revision 5 version 20 subversion 1) configuration:
Platform:
osname=MSWin32, osvers=5.1, archname=MSWin32-x86-multi-thread-64int
uname='Perl 5.20.1 Sun Oct 19 2014 12:36:06.63'
config_args='undef'
hint=recommended, useposix=true, d_sigaction=undef
useithreads=define, usemultiplicity=define
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='gcc', ccflags ='-march=i686 -mtune=generic -pipe -s -O2 -DWIN32 -DPERL_TEXTMODE_SCRIPTS -DUS
E_SITECUSTOMIZE -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO -fwrapv -fno-strict-aliasin
g -mms-bitfields',
optimize='-s -O2',
cppflags='-DWIN32'
ccversion='', gccversion='4.8.2', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='long long', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='g++', ldflags ='-s -L"e:\usr\lib\CORE" -L"e:\usr\mingw32\lib"'
libpth=e:\usr\mingw32\lib e:\usr\mingw32\i686-w64-mingw32\lib
libs=-lmoldname -lkernel32 -luser32 -lgdi32 -lwinspool -lcomdlg32 -ladvapi32 -lshell32 -lole32 -
loleaut32 -lnetapi32 -luuid -lws2_32 -lmpr -lwinmm -lversion -lodbc32 -lodbccp32 -lcomctl32
perllibs=-lmoldname -lkernel32 -luser32 -lgdi32 -lwinspool -lcomdlg32 -ladvapi32 -lshell32 -lole
32 -loleaut32 -lnetapi32 -luuid -lws2_32 -lmpr -lwinmm -lversion -lodbc32 -lodbccp32 -lcomctl32
libc=, so=dll, useshrplib=true, libperl=libperl520.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
cccdlflags=' ', lddlflags='-mdll -s -L"e:\usr\lib\CORE" -L"e:\usr\mingw32\lib"'
Characteristics of this binary (from libperl):
Compile-time options: HAS_TIMES HAVE_INTERP_INTERN MULTIPLICITY
PERLIO_LAYERS PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
PERL_MALLOC_WRAP PERL_NEW_COPY_ON_WRITE
PERL_PRESERVE_IVUV USE_64_BIT_INT USE_ITHREADS
USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_PERLIO
USE_PERL_ATOF USE_SITECUSTOMIZE
Built under MSWin32
Compiled at Jan 7 2015 19:01:51
%ENV:
PERL_CPAN_REPORTER_DIR="e:\PerlDev\5.20.1\gcc4.reporter"
@inc:
e:/usr/site/lib
e:/usr/vendor/lib
e:/usr/lib
.
readline() returns read data incorrectly in wantarray
Hi
I ran into an issue with IO::Socket::SSL, and it seemed to be an issue in readline() when called in wantarray, e.g. @lines = <$ssl_socket>
If there are only no greater than 2**16 bytes to be read, this will try to sysread again. However, this second call of sysread will either block in blocking mode or return undef , instead of the data already read, if there is no more to read.
Below is the code snippet for quick ref.
while (1) {
my $rv = $self->sysread($buf,2**16,length($buf));
if ( ! defined $rv ) {
next if $!{EINTR};
return;
} elsif ( ! $rv ) {
last
}
}
Many thanks and regards,
M
Default cipher suite includes RC4 ciphers
Leaving SSL_cipher_list out of the options results in the TLS_ECDHE_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_SHA ciphers being used, which leads to a B rating on SSL labs due to the RC4 vulnerability. Passing the following cipher suite fixes this problem:
DEFAULT:!aNULL:!RC4:!MD5
More information:
http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
https://blog.cloudflare.com/killing-rc4-the-long-goodbye/
feature request: support user could fix sni support version
Hello,
I already read RT #83289 and SNI support section of IO::Socket::SSL.
But sometimes if user could know exactly his ssl could support SNI or not, although its version is 0.9.8.x. Current code of IO::Socket::SSL looks like:
if ( $can_client_sni ) {
...
}
...
sub can_client_sni { return $can_client_sni }So, someone who are using ssl 0.9.8 which is backported SNI could not use SNI option. I hope to check using can_client_sni() rather than $can_client_sni lexical variable. Because If user risk the ssl 0.9.8 version then he can override can_client_sni() then he could use SNI features of his SSL.
How about change the code like:
if ( $self->can_client_sni() ) {
...
}If this feature request is not
Please ignore and close this feature request if it is inappropriate. :-)
Thanks!
labels inaccurate
no thanks
Feature request: SSL_cert_file/key_file hash ref for client connections
We're indirectly using your module as part of an application doing large-scale push notifications. Sometimes an endpoint requires a client certificate which we accommodate through SSL_ca_file/cert_file/key_file, but during client connections - unlike the server scenario - the forementioned parameters will only accept string scalars holding a single file, forcing us to create multiple objects in the overlying module making use of IO::Socket::SSL, instead of being able to hand out a common hash ref mapping all of the certs/keys.
It would be useful if IO::Socket::SSL could trawl hash refs with host=>file mappings for SSL_ca_file/cert_file/key_file also in the case of client connections, just as it does for a server scenario.
Passing objects in for filenames fails in a bad way
Sometimes I use IO::All or Path::Class file objects. I accidentally passed one in to IO::Socket::SSL as an SSL_ca_file (indirectly, via Net::Async::HTTP) and end up getting really strange errors.
Here's some code:
use Net::Async::HTTP;
use IO::Async::Loop;
use IO::All;
$loop = IO::Async::Loop->new;
$loop->add(
my $ua = Net::Async::HTTP->new(
SSL_ca_file => io->file('/home/frew/code/root.crt')
)
);
my $res = $ua->GET('https://google.com')->get;
warn $res->status_line . ' ' . $res->decoded_content;
Here's output:
google.com:443 - Operation "eq": no method found,
left argument in overloaded package IO::All::File,
right argument has no overloaded magic at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/SSL.pm line 1992.
failed [Operation "eq": no method found,
left argument in overloaded package IO::All::File,
right argument has no overloaded magic at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/SSL.pm line 1992.
] at foo.pl line 10.
Similarly:
use Net::Async::HTTP;
use IO::Async::Loop;
use Path::Class 'file';
$loop = IO::Async::Loop->new;
$loop->add(
my $ua = Net::Async::HTTP->new(
SSL_ca_file => file('/home/frew/code/root.crt')
)
);
my $res = $ua->GET('https://google.com')->get;
warn $res->status_line . ' ' . $res->decoded_content;
results in
google.com:443 - Not a SCALAR reference at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/SSL.pm line 2006.
failed [Not a SCALAR reference at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/SSL.pm line 2006.
] at foo.pl line 10.
I'm not saying that I think that I think you should support these objects at
all, I just think it would be nice to get a more sensible error message.
For what it's worth, this applies to all of the _file type args, not just the
ca one.
So if you can comment on how you'd like it to work, I'd gladly make a patch, but
I don't want to work on a patch that does too much etc.
Segmentation fault while using IO::Socket::SSL::Utils::PEM_cert2file with CERT_create
Hello,
I discovered something wrong with (probably?) IO::Socket::SSL and the certificate creation utility in IO::Socket::SSL::Utils. First, while I was writing a script using the CERT_create function, along with the PEM_cert2file sub to write it to a file, my script crashed with a SIGSEGV.
So I thought that it was my fault, and inspected the arguments over and over. I also checked the source of IO::Socket::SSL::Utils. However, I discovered that the problem is there even with the default values!
Take a look at this example:
$ perl -MIO::Socket::SSL::Utils -e 'my $crt = CERT_create(); PEM_cert2file($crt, "test_file.pem")'
Segmentation fault (core dumped)Using this this with IO::Socket::SSL version 2.010, Net::SSLeay version 1.68 and OpenSSL version 1.0.2a produces a segmentation fault on two systems of mine. The interesting thing is that if the result of CERT_create is not assigned to a variable, but instead given directly to PEM_cert2file, everything works (however, the cert is saved to a randomly numbered file instead of test_file.pem).
Can you help me? I have been struggling with this for a while, and it may still be my fault!
Let me know if you need any more details.
Thanks!
Session re-use not working on Fedora 26 with current Net-SSLeay and IO-Socket-SSL
I build RPM packages of perl modules including perl-Net-SSLeay and perl-IO-Socket-SSL for a range of Fedora and CentOS distributions. With current Net-SSLeay (1.88), the IO-Socket-SSL test suite fails tests t/session_ticket.t and t/sessions.t on Fedora 26:
$ make test TEST_VERBOSE=1
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" t/*.t
# openssl version compiled=0x1010008f linked=0x1010008f -- OpenSSL 1.1.0h-fips 27 Mar 2018
# Net::SSLeay version=1.88
# parent IO::Socket::IP version=0.39
...
# listen at 127.0.0.1:48269
# listen at 127.0.0.1:51889
# connect to 0: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2
# Failed test 'reuse with the next session and secret[0]'
# at t/session_ticket.t line 79.
# got: '0'
# expected: '1'
# connect to 1: success reuse=0 version=TLSv1_2
# Failed test 'reuse even though server changed, since they share ticket secret'
# at t/session_ticket.t line 79.
# got: '0'
# expected: '1'
# connect to 1: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2
# Failed test 'reuse again since got ticket with secret[0] in last step'
# at t/session_ticket.t line 79.
# got: '0'
# expected: '1'
# Looks like you failed 3 tests of 6.
t/session_ticket.t ................
1..6
access to server[0]
creating new ticket key1
server[0] reused=0
ok 1 - no initial session -> no reuse
access to server[0]
creating new ticket key1
server[0] reused=0
not ok 2 - reuse with the next session and secret[0]
access to server[1]
creating new ticket key1
server[1] reused=0
rotate secrets
not ok 3 - reuse even though server changed, since they share ticket secret
access to server[1]
creating new ticket key2
server[1] reused=0
rotate secrets
ok 4 - reports non-reuse since server1 changed secret to secret[1]
access to server[0]
creating new ticket key1
server[0] reused=0
ok 5 - reports non-reuse on server0 since got ticket with secret[1] in last step
access to server[0]
creating new ticket key1
server[0] reused=0
not ok 6 - reuse again since got ticket with secret[0] in last step
Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/6 subtests
Use of uninitialized value in string eq at t/sessions.t line 87.
t/sessions.t ......................
1..17
ok # [server]:31 Server initialization
ok # [client]:59 Context init
ok # [server]:138 Client init
ok # [client]:73 Client init, version=TLSv1_2
not ok # [client]:82 >=3 entries in cache: 0
not ok # [client]:85 127.0.0.1:59449 in cache
not ok # [client]:85 127.0.0.1:56505 in cache
not ok # [client]:85 127.0.0.1:49985 in cache
ok # [server]:143 Server send pong, received ping
not ok # [client]:88 latest (127.0.0.1:49985) on top of cache
not ok # [client]:95 session in client 0
not ok # [client]:95 session in client 1
not ok # [client]:95 session in client 2
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x88d1078) reused
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x8906d30) reused
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x89070c0) reused
ok # [server]:151 Client again init + write + read
Failed 11/17 subtests
...
Test Summary Report
-------------------
t/session_ticket.t (Wstat: 768 Tests: 6 Failed: 3)
Failed tests: 2-3, 6
Non-zero exit status: 3
t/sessions.t (Wstat: 0 Tests: 17 Failed: 11)
Failed tests: 5-8, 10-16
Files=41, Tests=791, 44 wallclock secs ( 0.12 usr 0.03 sys + 6.68 cusr 0.40 csys = 7.23 CPU)
Result: FAIL
Failed 2/41 test programs. 14/791 subtests failed.
The tests pass on all other Fedora/CentOS versions I build for (Fedora 13, CentOS 6 onwards).
Points of interest:
- Fedora 26 has OpenSSL 1.1.0h; Fedora 25 has OpenSSL 1.0.2m and Fedora 27 has 1.1.0i.
- If I downgrade Net-SSLeay to 1.85_09, the tests pass
- With Net-SSLeay 1.88, IO-Socket-SSL 2.060 passes but later versions all fail the same way.
- If I patch Net-SSLeay 1.8.8 so that SSL_SESSION_up_ref is not defined (by changing the OpenSSL version check from 1.1.0 to 1.1.1), the tests pass
I can't really see any change between OpenSSL 1.1.0h and 1.1.0i that would account for this. It's possible it could be related to downstream patching but I don't know.
Any ideas?
Recent change broke Mojolicious
A few days ago you've applied this change f1b51fd, which unfortunately results in Mojolicious tests hanging forever. I don't know yet what exactly the problem is, but wanted to bring it to your attention as fast as possible (before the inevitable wave of bug reports from our users starts). https://travis-ci.org/kraih/mojo/builds/201950894
t/external/ocsp.t failing
I've tried various perls (5.27.4, 5.24.2, 5.24.1) and this test consistently fails. IO::Socket::SSL 2.050 is also failing. This is a recent thing, 2.050 on perl 5.24.2 was working when I installed it in June and on perl 5.27.3 in August.
$ perl -v | grep version
This is perl 5, version 24, subversion 2 (v5.24.2) built for x86_64-linux-thread-multi-ld
(with 1 registered patch, see perl -V for more detail)
$ prove -vl t/01loadmodule.t t/protocol_version.t t/external/ocsp.t
t/01loadmodule.t ......
1..3
ok 1 - loaded
# openssl version=0x1000207f
# Net::SSLeay version=1.81
# parent IO::Socket::IP version=0.39
ok 2 - IO::Socket::SSL::DEBUG 1
ok 3 - Net::SSLeay::trace 1
ok
t/protocol_version.t ..
ok 1 - accept SSLv23 with any, got TLSv1_2
# looks like OpenSSL was compiled without SSLv3 support
ok 2 - accept TLSv1 with any, got TLSv1
ok 3 - accept TLSv1_1 with any, got TLSv1_1
ok 4 - accept TLSv1 with TLSv1
ok 5 - accept SSLv23:!TLSv1_2:!TLSv1_1 with TLSv1
ok 6 - accept TLSv1_1 with TLSv1_1
ok 7 - accept SSLv23:!TLSv1_2 with TLSv1_1
ok 8 - accept TLSv1_2 with TLSv1_2
ok 9 - accept SSLv23 with TLSv1_2
1..9
ok
t/external/ocsp.t .....
1..3
# tcp connect to www.chksum.de:443 ok
ok 1 # skip fingerprints do not match
# tcp connect to www.spiegel.de:443 ok
# fingerprint matches
# validation with default CA w/o OCSP ok
not ok 2 - SSL upgrade with OCSP stapling failed: SSL wants a read first
# Failed test 'SSL upgrade with OCSP stapling failed: SSL wants a read first'
# at t/external/ocsp.t line 93.
# tcp connect to revoked.grc.com:443 ok
ok 3 # skip fingerprints do not match
# Looks like you failed 1 test of 3.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/3 subtests
(less 2 skipped subtests: 0 okay)
Test Summary Report
-------------------
t/external/ocsp.t (Wstat: 256 Tests: 3 Failed: 1)
Failed test: 2
Non-zero exit status: 1
Files=3, Tests=15, 12 wallclock secs ( 0.04 usr 0.00 sys + 0.42 cusr 0.07 csys = 0.53 CPU)
Result: FAIL
t/session_ticket.t fails with IO::Socket::SSL 2.040 and Net::SSLeay 1.79
Just a little head up,
sskelton:~/dev/test_foo [5.16.3]$ cpanm -Llocal IO::Socket::SSL -v
this fails at:
t/session_ticket.t ................ 1/6 # connect to 0: success reuse=1
# connect to 1: success reuse=1
# connect to 1: success reuse=0
# connect to 0: success reuse=1
# Failed test 'reports non-reuse on server0 since got ticket with secret[1] in last step'
# at t/session_ticket.t line 57.
# got: '1'
# expected: '0'
# connect to 0: success reuse=1
# Looks like you failed 1 test of 6.
t/session_ticket.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/6 subtests
I am on MacOS, with clean perl brew 5.16.3, however this brought to my attention because it failed on our build server which is linux, same perl version,
t\verify_fingerprint.t occasionally hangs when run via `nmake test`
I can't consistently reproduce this. I only notice it when my cpan-outdated | cpanm hangs. My efforts at diagnosing this have failed so far. Once I issue a prove -vb t\verify_fingerprint.t from the command line, it always gets done rather quickly, and subsequent nmake test runs don't hang either.
C:\...\IO-Socket-SSL-2.013> nmake test ... t\verify_fingerprint.t ............ 1/12
That's where it hangs. After this, CTRL-C followed by:
C:\...\IO-Socket-SSL-2.013> prove -vb t\verify_fingerprint.t t\verify_fingerprint.t .. 1..12 ok 1 - accept fp1 for saddr1 ok 2 - accept fp2 for saddr2 ok 3 - reject ifp2 for saddr2 ok 4 - reject fp2 for saddr1 ok 5 - reject fp1 for saddr2 ok 6 - accept fp1|fp2 for saddr1 ok 7 - accept fp1|fp2 for saddr2 ok 8 - accept fp2 for saddr2 even if ca1 given ok 9 - accept ca2 for saddr2 ok 10 - reject ca2 for saddr1 ok 11 - accept ca[12] for saddr1 ok 12 - reject non-ca cert1 as ca for saddr1 ok All tests successful. Files=1, Tests=12, 4 wallclock secs ( 0.06 usr + 0.05 sys = 0.11 CPU) Result: PASS
I know this is very little information to go on. I'll update if I can figure out anything else.
OS:
Windows 8.1 Pro 64-bit.
Summary of my perl5 (revision 5 version 20 subversion 2) configuration:
Platform:
osname=MSWin32, osvers=6.3, archname=MSWin32-x64-multi-thread
uname=''
config_args='undef'
hint=recommended, useposix=true, d_sigaction=undef
useithreads=define, usemultiplicity=define
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='cl', ccflags ='-nologo -GF -W3 -O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise -DWIN32 -D_CONSOLE -DNO_STRICT -DWIN64 -DCONSERVATIVE -D_CRT_SECURE_NO_DEPRECATE -D_CRT_NONSTDC_NO_DEPRECATE -DUSE_64_BIT_ALL -DPERL_TEXTMODE_SCRIPTS -DUSE_SITECUSTOMIZE -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO',
optimize='-O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise',
cppflags='-DWIN32'
ccversion='18.00.31101', gccversion='', gccosandvers=''
intsize=4, longsize=4, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
ivtype='__int64', ivsize=8, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\opt\perl-5.20.2\lib\CORE" -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
libpth="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\lib\amd64"
libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl520.lib
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\opt\perl-5.20.2\lib\CORE" -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
Characteristics of this binary (from libperl):
Compile-time options: HAS_TIMES HAVE_INTERP_INTERN MULTIPLICITY
PERLIO_LAYERS PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
PERL_MALLOC_WRAP PERL_NEW_COPY_ON_WRITE
PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT
USE_ITHREADS USE_LARGE_FILES USE_LOCALE
USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
USE_SITECUSTOMIZE
Built under MSWin32
Compiled at Feb 16 2015 08:44:56
%ENV:
PERLDOC_PAGER="c:\opt\cygwin64\bin\less.exe -+C -E -F -g -i"
@INC:
c:/opt/perl-5.20.2/site/lib/MSWin32-x64-multi-thread
c:/opt/perl-5.20.2/site/lib
c:/opt/perl-5.20.2/lib
.
OpenSSL:
C:\> c:\opt\openssl\bin\openssl.exe version OpenSSL 1.0.2a 19 Mar 2015
Visual Studio 2013:
cl /? Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x64
nmake /? Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
missing certs in latest release.
I tried to update I:S:S this morning but the sni*.t tests failed, complaining about 1 test ran out of 17 planned. Running said tests verbosely, I get this error :
not ok # SSL_cert_file certs/server2-cert.pem can't be used: No such file or directory at /usr/home/xxx/.cpanm/work/1516570603.23798/IO-Socket-SSL-2.053/lib/IO/Socket/SSL.pm line 2256
And indeed, the file is missing in the certs directory. Also, there is no mention of this file in MANIFEST. They seem to be fairly new (github claims they were created 7 days ago), could it be that you forgot to add them in your release procedure?
Best regards,
Bug to get client certificate
- Perl version: v5.22.1 built for x86_64-linux-gnu-thread-multi
- Operating system: Ubuntu 16.04 LTS
- IO::Socket::SSL: 2.027
- OpenSSL: 1.0.2g-fips 1 Mar 2016
Steps to reproduce the behavior
Generate keys
openssl req -nodes -new -x509 -keyout server.key -out server.cert
openssl req -nodes -new -x509 -keyout client.key -out client.cert
Run server
Get server from examples ss_server.pl
perl ss_server.pl -d -C server.cert -K server.key 127.0.0.1:3000
Run client
openssl s_client -connect 127.0.0.1:3000 -cert client.cert -key client.key
Server output
perl ss_server.pl -d -C server.cert -K server.key 127.0.0.1:3000
waiting for next connection.
new SSL connection without client certificate
waiting for next connection.
No client certificate
Expected behavior
Client certificate must be.
To verify that the certificate is loaded, you can replace the server with openssl
openssl s_server -cert server.cert -key server.key -accept 3000 -Verify 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.