[Bug 1059002] New: On F19, perl's IO::Socket::SSL has problems verifying server's certificate (but works on F20)
bugzilla at redhat.com
Tue Jan 28 23:58:25 UTC 2014
https://bugzilla.redhat.com/show_bug.cgi?id=1059002
Bug ID: 1059002
Summary: On F19, perl's IO::Socket::SSL has problems verifying
server's certificate (but works on F20)
Product: Fedora
Version: 19
Component: perl-IO-Socket-SSL
Assignee: paul at city-fan.org
Reporter: bughunt at gluino.name
QA Contact: extras-qa at fedoraproject.org
CC: jpo at di.uminho.pt, paul at city-fan.org,
perl-devel at lists.fedoraproject.org
Description of problem:
=======================
I run a DNS update on DynDNS servers using the "ddclient" script.
"ddclient" uses "IO::Socket::SSL"
(see http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm)
to set up an https connection to
https://members.dyndns.org
in order to submit update data.
The root certificate authority certificate for this connection is
------------------
Data:
Version: 3 (0x2)
Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Validity
Not Before: May 12 18:46:00 2000 GMT
Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
------------------
This certificate can be found in the bundle file
/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
on both Fedora 19 and Fedora 20.
Certificate in PEM format for greppability:
-----BEGIN TRUSTED CERTIFICATE-----
(certificate body omitted)
-----END TRUSTED CERTIFICATE-----
Problem
=======
Running "ddclient" on Fedora 20
(which has perl-IO-Socket-SSL-1.955-1.fc20.noarch)
works.
Running "ddclient" on Fedora 19
(which has perl-IO-Socket-SSL-1.88-1.fc19.noarch)
results in connection failure:
-----
"WARNING: cannot connect to members.dyndns.org:443 socket: IO::Socket::IP
configuration failed SSL connect attempt failed with unknown error
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
failed"
-----
(Sorry for the horrific formatting, but that is the way it is)
The code to connect to the DynDNS server is:
-----
$sd = IO::Socket::SSL->new(
    PeerAddr        => $peer,
    PeerPort        => $port,
    Proto           => 'tcp',
    MultiHomed      => 1,
    SSL_verify_mode => SSL_VERIFY_PEER,
    Timeout         => opt('timeout'),
);
-----
It turns out that explicitly specifying the trusted CA file in this call makes
things work on Fedora 19:
-----
$sd = IO::Socket::SSL->new(
    PeerAddr        => $peer,
    PeerPort        => $port,
    Proto           => 'tcp',
    MultiHomed      => 1,
    SSL_verify_mode => SSL_VERIFY_PEER,
    Timeout         => opt('timeout'),
    SSL_ca_file     => '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
);
-----
Conclusion is that "IO::Socket::SSL" does not fetch its trusted CA file from the
expected place, at least on Fedora 19.
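A small diagnostic for the behaviour described above, added here as an example; it is not part of the bug report and not ddclient's code. It first attempts a verified connection relying on IO::Socket::SSL's default trust settings, and if that fails it retries with explicit SSL_ca_file values, so the output shows whether the default trust store is being found. The target defaults to the server named in the report; the second bundle path is an assumed Fedora location; the SSL_verifycn_scheme option is an addition that also checks the certificate name against the host, which the report's snippet does not do.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or ddclient): probe whether
# IO::Socket::SSL verifies a server certificate with its default trust
# store, and if not, which explicit CA bundle makes verification succeed.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

my ($peer, $port) = @ARGV;
$peer ||= 'members.dyndns.org';   # server named in the report
$port ||= 443;

# Candidate trust stores to try explicitly; the first is the bundle named
# in the report, the second is an assumed Fedora location.
my @ca_files = (
    '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
    '/etc/pki/tls/certs/ca-bundle.crt',
);

# One verified connection attempt. Returns (1, peer subject) on success,
# (0, error text) on failure. Extra options are passed through to new().
sub try_connect {
    my %extra = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr            => $peer,
        PeerPort            => $port,
        Proto               => 'tcp',
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'http',   # also match the cert name against $peer
        Timeout             => 10,
        %extra,
    );
    return (0, $SSL_ERROR || "$!") unless $sock;
    my $subject = $sock->peer_certificate('subject');
    $sock->close;
    return (1, $subject);
}

# Step 1: rely on whatever default CA location the module/OpenSSL uses.
my ($ok, $info) = try_connect();
printf "default trust store: %s (%s)\n", $ok ? 'verified' : 'FAILED', $info;
exit 0 if $ok;

# Step 2: pin the trust store explicitly, as the report's workaround does.
for my $ca (@ca_files) {
    next unless -r $ca;
    ($ok, $info) = try_connect(SSL_ca_file => $ca);
    printf "SSL_ca_file=%s: %s (%s)\n", $ca, $ok ? 'verified' : 'FAILED', $info;
    last if $ok;
}
exit($ok ? 0 : 1);
```

Run it as `perl probe.pl members.dyndns.org 443`. If the first line reports FAILED with "certificate verify failed" and a later line reports verified, the module is not locating the system bundle on its own, which is the F19 symptom in the report; the fix on the client side is to point SSL_ca_file at the bundle, not to lower SSL_verify_mode.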
Additionally, note that "IO::Socket::SSL" doesn't care about the debugging
setting as explained in
http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm#DEBUGGING
for some reason.