[Bug 1059002] New: On F19, perl's IO::Socket::SSL has problems verifying server's certificate (but works on F20)

bugzilla at redhat.com bugzilla at redhat.com
Tue Jan 28 23:58:25 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1059002

            Bug ID: 1059002
           Summary: On F19, perl's IO::Socket::SSL has problems verifying
                    server's certificate (but works on F20)
           Product: Fedora
           Version: 19
         Component: perl-IO-Socket-SSL
          Assignee: paul at city-fan.org
          Reporter: bughunt at gluino.name
        QA Contact: extras-qa at fedoraproject.org
                CC: jpo at di.uminho.pt, paul at city-fan.org,
                    perl-devel at lists.fedoraproject.org



Description of problem:
=======================

I run a DNS update on DynDNS servers using the "ddclient" script.

"ddclient" uses "IO::Socket::SSL" 

  (see http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm) 

to set up an https connection to 

  https://members.dyndns.org

in order to submit update data.

The root certificate authority certificate for this connection is

------------------
  Data:
      Version: 3 (0x2)
      Serial Number: 33554617 (0x20000b9)
  Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
      Validity
          Not Before: May 12 18:46:00 2000 GMT
          Not After : May 12 23:59:00 2025 GMT
      Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
------------------

This certificate can be found in the bundle file

  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

on both Fedora 19 and Fedora 20.

Certificate in PEM format for greppability:



Problem
=======


Running "ddclient" on Fedora 20 
(which has perl-IO-Socket-SSL-1.955-1.fc20.noarch) 
works.

Running "ddclient" on Fedora 19 
(which has perl-IO-Socket-SSL-1.88-1.fc19.noarch) 
results in connection failure:

-----
"WARNING:  cannot connect to members.dyndns.org:443 socket:  IO::Socket::IP
configuration failed SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed"
-----

(Sorry for the horrific formatting, but that is the way it is)


The code to connect to the DynDNS server is:

-----
  $sd = IO::Socket::SSL->new(
            PeerAddr => $peer,
            PeerPort => $port,
            Proto => 'tcp',
            MultiHomed => 1,
            SSL_verify_mode => SSL_VERIFY_PEER,
            Timeout => opt('timeout'),
        );
-----

It turns out that explicitly specifying the trusted CA file in this call makes
things work on Fedora 19:

-----
 $sd = IO::Socket::SSL->new(
            PeerAddr => $peer,
            PeerPort => $port,
            Proto => 'tcp',
            MultiHomed => 1,
            SSL_verify_mode => SSL_VERIFY_PEER,
            Timeout => opt('timeout'),
            # point IO::Socket::SSL at the system trust store explicitly
            SSL_ca_file => '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
        );
-----


Conclusion is that "IO::Socket::SSL" does not fetch its trusted CA file from the
expected place, at least on Fedora 19.

Additionally, note that "IO::Socket::SSL" doesn't care about the debugging
setting as explained in

http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm#DEBUGGING

for some reason.
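A stand-alone way to exercise the SSL_ca_file workaround outside ddclient, as an added example (this is neither ddclient's code nor part of the bug report): the script below connects with peer verification and the explicit Fedora CA bundle, additionally asks IO::Socket::SSL to check that the certificate matches the host name instead of relying on that version's default, and on failure prints $SSL_ERROR so a missing or unreadable trust store is distinguished from a plain TCP failure. The connect_verified helper, the 10 second timeout and the HEAD request are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Hypothetical helper (not from ddclient): open a TLS connection to
# $host:$port that is accepted only if the server certificate chains
# to a CA in $ca_file and its name matches $host.
sub connect_verified {
    my ($host, $port, $ca_file) = @_;
    -r $ca_file or die "CA bundle $ca_file is missing or unreadable\n";
    my $sock = IO::Socket::SSL->new(
        PeerAddr            => $host,
        PeerPort            => $port,
        Proto               => 'tcp',
        Timeout             => 10,
        SSL_verify_mode     => SSL_VERIFY_PEER,  # fail closed; never "fix" with SSL_VERIFY_NONE
        SSL_ca_file         => $ca_file,         # explicit trust store, the workaround from the report
        SSL_verifycn_scheme => 'http',           # also require the cert to match the host name
        SSL_verifycn_name   => $host,
    );
    return $sock if $sock;
    # $! carries the socket error, $SSL_ERROR the OpenSSL verification error
    # (e.g. "certificate verify failed" when the CA store is not found).
    die "connect to $host:$port failed: $! / $SSL_ERROR\n";
}

my $host    = $ARGV[0] // 'members.dyndns.org';
my $ca_file = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt';

my $sock = connect_verified($host, 443, $ca_file);
printf "verified TLS to %s using %s\n", $sock->peerhost, $sock->get_cipher;
printf "peer certificate: %s\n  issued by: %s\n",
    $sock->peer_certificate('subject'), $sock->peer_certificate('issuer');

# Minimal HTTP request so the handshake is followed by real traffic.
print $sock "HEAD / HTTP/1.0\r\nHost: $host\r\n\r\n";
my $status = <$sock>;
print "server answered: ", ($status // "(no response)\n");
close $sock;
```

Run it on Fedora 19 with and without the SSL_ca_file line to reproduce the difference the report describes; the issuer printed on success should be the Baltimore CyberTrust Root chain quoted above.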
