On Mon May 04 14:41:13 2015, SREZIC wrote:
> On 2015-05-04 13:41:21, SREZIC wrote:
> > On 2015-05-01 13:14:57, DWHEELER wrote:
> > > $ prove -l t
> > > t/apache.t ....... 1/5
> > > # Failed test at t/apache.t line 15.
> > >
> > > # Failed test at t/apache.t line 18.
> > > # 'Can't connect to www.apache.org:443 (certificate verify failed)
> > > #
> > > # SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/vendor_perl/LWP/Protocol/http.pm line 47.
> > > # '
> > > # doesn't match '(?^:Apache Software Foundation)'
> > > # Looks like you failed 2 tests of 5.
> > > t/apache.t ....... Dubious, test returned 2 (wstat 512, 0x200)
> > > Failed 2/5 subtests
> > > t/https_proxy.t .. 1/56 # creating cert for direct.ssl.access
> > > # creating cert for direct.ssl.access
> > > # creating cert for foo
> > > # creating cert for bar
> > > # creating cert for foo
> > > # creating cert for foo
> > > # creating cert for bar
> > > # creating cert for bar
> > > t/https_proxy.t .. ok
> > >
> > > Test Summary Report
> > > -------------------
> > > t/apache.t (Wstat: 512 Tests: 5 Failed: 2)
> > > Failed tests: 1, 3
> > > Non-zero exit status: 2
> > > Files=2, Tests=61, 1 wallclock secs ( 0.05 usr 0.00 sys + 0.63 cusr 0.03 csys = 0.71 CPU)
> > > Result: FAIL
> > >
> > > $ perl -v
> > >
> > > This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
> > > (with 25 registered patches, see perl -V for more detail)
> > >
> > > Copyright 1987-2012, Larry Wall
> > >
> > > Perl may be copied only under the terms of either the Artistic License or the
> > > GNU General Public License, which may be found in the Perl 5 source kit.
> > >
> > > Complete documentation for Perl, including FAQ lists, should be found on
> > > this system using "man perl" or "perldoc perl". If you have access to the
> > > Internet, point your browser at http://www.perl.org/, the Perl Home Page.
> > >
> > > $ uname -a
> > > Linux pdxdvddb01.iovationnp.com 3.10.0-123.13.1.el7.x86_64 #1 SMP
> > > Tue
> > > Dec 9 23:06:09 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
> > >
> > > --------
> > >
> > > Maybe there's a dependent module that needs to be updated?
> >
> > Or it has something to do with this:
> >
> > https://blogs.apache.org/infra/entry/apache_services_and_sha_1 ?
>
> Ok, it seems that apache.org changed their certificate and there are
> at least two issues now (disclaimer: I know nothing about ssl):
>
> * With old openssl (< 1.00) the user is out of luck because apache.org
> apparently requires working SNI support in the client library.
> Otherwise the apache server presents an openoffice.org certificate:
>
> $ perl5.20.2 -MIO::Socket::SSL -MLWP::UserAgent -E '$IO::Socket::SSL::DEBUG=4; say LWP::UserAgent->new-
> ...
> DEBUG: .../IO/Socket/SSL.pm:608: not using SNI because openssl is too old
> ...
> DEBUG: .../IO/Socket/SSL.pm:1580: identity=www.apache.org
> cn=*.openoffice.org alt=2 *.openoffice.org 2 openoffice.org
> DEBUG: .../IO/Socket/SSL.pm:1780: hostname verification failed
>
> * With new openssl (>= 1.00) but with newest Mozilla::CA the user is
> also out of luck and gets an "500 Can't connect to www.apache.org:443
> (certificate verify failed)" error.
>
> * With new openssl but the older Mozilla-CA-20130114 things are
> working.
>
> For the Mozilla::CA controversy see https://github.com/gisle/mozilla-ca/pull/5
>
> For solving the SNI stuff --- don't know; probably the user needs some
> Alien::OpenSSL solution if he cannot upgrade the system openssl.
I'm running into this issue on CentOS 6.5 with Perl 5.21.11 installed with perlbrew.
I can't speak to the issue with openssl < 1.0; however, it seems that the certificate being queried at www.apache.org has changed. Specifically, what I think is telling is this line:
# SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /opt/perlbrew/perls/perl-5.21.11/lib/site_perl/5.21.11/LWP/Protocol/http.pm line 47.
# '
# doesn't match '(?^:Apache Software Foundation)'
Looking at the cert, we can see the organization is still "Apache Software Foundation" though:
# openssl s_client -showcerts -connect www.apache.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = Maryland, L = Forest Hill, O = Apache Software Foundation, CN = *.openoffice.org
verify return:1
< snip certificates >
---
Server certificate
subject=/C=US/ST=Maryland/L=Forest Hill/O=Apache Software Foundation/CN=*.openoffice.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
Furthermore, browsing the site in Chrome from my Windows workstation presents a "*.apache.org" certificate, and Chrome presents the warning "this site is using outdated security settings that may prevent Chrome from being able to safely access it".
Finally, looking at the line presenting the error:
/opt/perlbrew/perls/perl-5.21.11/lib/site_perl/5.21.11/LWP/Protocol/http.pm, line 47:

    unless ($sock) {
        # IO::Socket::INET leaves additional error messages in $@
        my $status = "Can't connect to $host:$port";
        if ($@ =~ /\bconnect: (.*)/ ||
            $@ =~ /\b(Bad hostname)\b/ ||
            $@ =~ /\b(certificate verify failed)\b/ ||
            $@ =~ /\b(Crypt-SSLeay can't verify hostnames)\b/
        ) {
            $status .= " ($1)";
        }
        die "$status\n\n$@"; # line 47
    }
It seems to me like IO::Socket::INET is the library that's actually throwing the error.
What I find interesting is that I just went through this process on the VMware vMA (SUSE Enterprise 11) and did not run into this issue trying to install Crypt::SSLeay. (I broke the vMA trying to install a current Perl, so I tore that environment down. I'd be willing to stand up another vMA and try again.)
Forcing the install of LWP::Protocol::https allowed me to install Crypt::SSLeay; so far everything is working as expected.
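The two mechanisms the thread keeps circling are the server choosing its certificate by the SNI name and the client then matching the requested identity against the names in the certificate it received. The Python below is an added illustration of both, not code from this ticket, LWP or IO::Socket::SSL: `match_name` applies the usual RFC 6125 wildcard rules, `verify_hostname` prefers subjectAltName dNSNames over the CN the way modern clients do, and `select_server_cert` is a toy model of a multi-site server. The certificate dicts are constructed from the subjects quoted above; the `*.apache.org` SAN list and the choice of `*.openoffice.org` as the server's default for clients that send no SNI are assumptions that mirror what the thread observed.

```python
"""RFC 6125 hostname matching plus a toy model of server-side SNI dispatch.

Added example, not code from the ticket, LWP or IO::Socket::SSL.  It shows
why a client that cannot send SNI ends up holding a *.openoffice.org
certificate for www.apache.org, and why that certificate then fails
hostname verification.
"""


def match_name(pattern: str, hostname: str) -> bool:
    """Match one presented DNS name against the requested hostname.

    Rules applied (RFC 6125 section 6.4.3, the defaults browsers and
    IO::Socket::SSL use):
      - comparison is case-insensitive, trailing dots are ignored
      - a wildcard is only accepted as the entire left-most label
      - the wildcard matches exactly one label: '*.apache.org' matches
        neither 'apache.org' nor 'a.b.apache.org'
      - the wildcard needs at least two fixed labels after it, so
        names like '*.org' are refused
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False  # partial or multiple wildcards: reject
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(identity: str, cert: dict):
    """Check `identity` against a cert modelled as {'cn': str, 'san': [dnsNames]}.

    Returns (ok, reason).  Per RFC 6125 section 6.4.4 the subject CN is only
    consulted when the certificate carries no dNSName subjectAltName at all.
    """
    names = cert.get("san") or []
    source = "subjectAltName"
    if not names:
        names = [cert["cn"]] if cert.get("cn") else []
        source = "commonName"
    for name in names:
        if match_name(name, identity):
            return True, f"{identity} matches {name} ({source})"
    return False, f"identity={identity} matches none of {names} ({source})"


# Constructed sample certificates.  Subjects are the ones quoted in the
# ticket; the *.apache.org SAN list is an assumption.
OPENOFFICE_CERT = {"cn": "*.openoffice.org",
                   "san": ["*.openoffice.org", "openoffice.org"]}
APACHE_CERT = {"cn": "*.apache.org",
               "san": ["*.apache.org", "apache.org"]}

# Toy model of a multi-site server: which certificate is presented depends
# on the SNI name.  Using *.openoffice.org as the fallback for clients that
# send no SNI is an assumption mirroring what the thread observed.
SERVER_CERTS = [APACHE_CERT, OPENOFFICE_CERT]
DEFAULT_CERT = OPENOFFICE_CERT


def select_server_cert(sni_name, certs=SERVER_CERTS, default=DEFAULT_CERT):
    """Server side: pick the certificate whose names cover the SNI name."""
    if sni_name is None:
        return default  # no SNI: the server cannot know which site was meant
    for cert in certs:
        if verify_hostname(sni_name, cert)[0]:
            return cert
    return default


def handshake(identity: str, send_sni: bool):
    """Client side: connect for `identity`, with or without SNI, then verify."""
    cert = select_server_cert(identity if send_sni else None)
    return verify_hostname(identity, cert)


if __name__ == "__main__":
    for sni in (False, True):
        ok, why = handshake("www.apache.org", send_sni=sni)
        print(f"SNI={'on ' if sni else 'off'}: {'ok  ' if ok else 'FAIL'} {why}")
```

Run without SNI the model reproduces the failure seen with old OpenSSL (the default `*.openoffice.org` certificate does not cover `www.apache.org`); with SNI the server picks the `*.apache.org` certificate and verification passes. Note that the CA-chain problem with newer Mozilla::CA is a separate check that happens before hostname matching and is not modelled here.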