
This queue is for tickets about the Event-RPC CPAN distribution.

Report information
The Basics
Id: 106874
Status: resolved
Priority: 0/
Queue: Event-RPC

People
Owner: JRED [...] cpan.org
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.05
Fixed in: (no value)



Subject: t/04.cnct-auth-ssl-verifypeer-wrongca.t hangs with IO-Socket-SSL >= 2.0.18
When upgrading IO::Socket::SSL from 2.0.16 to 2.0.18 or newer, t/04.cnct-auth-ssl-verifypeer-wrongca.t test hangs:

    $ prove -b -v t/04.cnct-auth-ssl-verifypeer-wrongca.t
    t/04.cnct-auth-ssl-verifypeer-wrongca.t ..
    1..5
    ok 1 - use Event::RPC::Client;
    ok 2 - ssl connection failed with wrong ca
    Can't open SSL connection to localhost:27832: hostname verification failed at t/04.cnct-auth-ssl-verifypeer-wrongca.t line 54.
    # Looks like you planned 5 tests but ran 2.
    # Looks like your test exited with 255 just after 2.
    ^C

With older IO::Socket::SSL, the output is:

    $ prove -b -v t/04.cnct-auth-ssl-verifypeer-wrongca.t
    t/04.cnct-auth-ssl-verifypeer-wrongca.t ..
    1..5
    ok 1 - use Event::RPC::Client;
    ok 2 - ssl connection failed with wrong ca
    The verification of cert '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/C=DE/ST=Irgendwo/L=Koeln/O=exit1.org/OU=Software Development/CN=J\xF6rn Reder/emailAddress=joern@zyn.de'
    failed against the host 'localhost' with the default verification scheme.
    THIS MIGHT BE A MAN-IN-THE-MIDDLE ATTACK !!!!
    To stop this warning you might need to set SSL_verifycn_name to
    the name of the host you expect in the certificate.
    ok 3 - connect without ssl
    ok 4 - client disconnected
    ok 5 - server stopped
    ok
    All tests successful.
    Files=1, Tests=5, 0 wallclock secs ( 0.04 usr 0.01 sys + 0.22 cusr 0.07 csys = 0.34 CPU)
    Result: PASS

I think something changed in IO::Socket::SSL, so it's not compatible with the Event-RPC test suite now. See <http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-2.018/Changes>.

-- Petr
Thanks for your bug report. I can reproduce this issue. I think the problem is the SSL certificate of the test suite. Obviously localhost doesn't match to its common name and IO::Socket::SSL is more strict on the verification process now (which is good) so it complains about this mismatch. I'll fix that by providing a proper certificate.
From: ppisar [...] redhat.com
On Sat 05 Sep 2015 11:39:13, JRED wrote:
> Thanks for your bug report. I can reproduce this issue.
>
> I think the problem is the SSL certificate of the test suite.
> Obviously localhost doesn't match to its common name and
> IO::Socket::SSL is more strict on the verification process now (which
> is good) so it complains about this mismatch.
>
> I'll fix that by providing a proper certificate.

If you haven't done it yet, here is my patch that does it.

-- Petr
Subject: Event-RPC-1.05-New-server-certificate-with-localhost-dnsName.patch

Message body is not shown because it is too large.

Unfortunately I overlooked your answer here, sorry, but just pushed a new release 1.06 to CPAN which fixes this issue. Either by providing proper certificates. And it adds the 'ssl_opts' attribute to give more control to the developer about the SSL connection, e.g. to provide a different cn or configure the verification theme (which was hardened in IO::Socket::SSL 2.017). As well a test which verifies the proper function with IO::Socket::SSL >= and < 2.017. Thanks!
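
The certificate mismatch discussed in this ticket, as an added example (not the patch attached above and not Event-RPC's own test files): a throwaway CA issues one certificate that carries only a personal name in CN and one with a localhost dNSName, and `openssl verify -verify_hostname` shows which of them a client that verifies the hostname accepts. It assumes the openssl command line tool, version 1.1.0 or later; all subjects and file names are constructed.

```shell
#!/bin/sh
# Added example. All subjects and file names are constructed test values.
work=$(mktemp -d) || exit 1
trap 'rm -rf "$work"' EXIT

# Self-signed throwaway CA, used as the client's trust anchor.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null

# issue_cert NAME SUBJECT [SAN]: server certificate signed by the test CA.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
        -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
    echo "basicConstraints=CA:FALSE" > "$work/$1.ext"
    if [ -n "${3:-}" ]; then
        echo "subjectAltName=$3" >> "$work/$1.ext"
    fi
    openssl x509 -req -in "$work/$1.csr" -days 1 \
        -CA "$work/ca.crt" -CAkey "$work/ca.key" -CAcreateserial \
        -extfile "$work/$1.ext" -out "$work/$1.crt" 2>/dev/null
}

# verifies_for HOST NAME: chain check plus hostname check in one step.
verifies_for() {
    openssl verify -CAfile "$work/ca.crt" -verify_hostname "$1" \
        "$work/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# Shape of the old test certificate: a person's name in CN, no dNSName.
issue_cert person "/O=Example Org/CN=Some Person"
# Shape of the fix named in the patch subject: a localhost dNSName.
issue_cert localhost "/O=Example Org/CN=localhost" "DNS:localhost"

for c in person localhost; do
    if verifies_for localhost "$c"; then
        echo "$c.crt: accepted for localhost"
    else
        echo "$c.crt: rejected for localhost"
    fi
done
```

Both certificates chain to the same CA, so the rejection of the first one comes from the hostname check alone.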