
This queue is for tickets about the Net-FTPSSL CPAN distribution.

Report information
The Basics
Id: 123338
Status: resolved
Priority: 0/
Queue: Net-FTPSSL

People
Owner: Nobody in particular
Requestors: bsautter33 [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in:
  • 0.35
  • 0.36
  • 0.37
  • 0.38
Fixed in: 0.39



Subject: TLS 1.0 Deprecation Compatibility
Date: Fri, 20 Oct 2017 12:46:21 -0600
To: bug-net-ftpssl [...] rt.cpan.org
From: Benjamin Sautter <bsautter33 [...] gmail.com>
Hello,

I have discovered an issue of compatibility, generically with FTP servers that actively block TLS 1.0, and specifically with PureFTP v1.0.45 where it states:

"TLS v1.0 sessions are now refused."
https://www.pureftpd.org/project/pure-ftpd/news

Everyone is trying to move to TLS v1.1+ due to the security problems of 1.0. However, when interacting with such a server, the behavior of the module is that it fails with $! = "Connection reset by peer". See a code sample and censored debug output below.

This issue is present both on the latest 0.38 and on 0.35 which I was using. I believe the cause to be on line 395 in Net::FTPSSL.pm:

my $mode = $use_ssl ? "SSLv23" : "TLSv1";

This explicitly sets a variable later used in a request for IO-Socket-SSL to use v1, even if v1.1 and v1.2 are available. With no compatible protocol between server and client, the remote server refuses the handshake.

I tested a simple fix of changing that variable to "TLSv12" instead and the connection succeeded. Perhaps an update could be made to allow the choice of TLS version.

Thanks.

========================================
# (the host was over IPv4)
use strict;
use warnings;
use IO::Socket::SSL qw(debug4);   # debug4 = most verbose handshake tracing
use Net::FTPSSL;

# Host and port were supplied by the caller in the original test; they are
# taken from the command line here so the snippet runs as-is.
my ($host, $port) = @ARGV;

# Disables certificate verification for this reproduction only.
IO::Socket::SSL::set_defaults('SSL_verify_mode', SSL_VERIFY_NONE);

# Default Encryption is explicit FTPS (AUTH TLS on the control connection).
my $ftp = Net::FTPSSL->new($host, Debug => 1, Port => $port)
    or die "Couldn't connect to URL: $!";
========================================
Net-FTPSSL Version: 0.35
IO-Socket-INET Version: 1.31
IO-Socket-SSL Version: 2.040
No IPv6 support available. Missing required modules!
Perl: 5.012002 [5.12.2], OS: linux
***** IPv6 not yet supported in Net::FTPSSL! *****
SKT >>> AUTH TLS
SKT <<< 234 AUTH TLS OK.
DEBUG: .../IO/Socket/SSL.pm:2773: new ctx 15545280
DEBUG: .../IO/Socket/SSL.pm:1473: start handshake
DEBUG: .../IO/Socket/SSL.pm:654: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:687: using SNI with hostname ********
DEBUG: .../IO/Socket/SSL.pm:743: set socket to non-blocking to enforce timeout=120
DEBUG: .../IO/Socket/SSL.pm:756: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:759: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:769: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:779: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:799: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:756: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:759: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:762: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:765: fatal SSL error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:2795: free ctx 15545280 open=15545280
DEBUG: .../IO/Socket/SSL.pm:2807: OK free ctx 15545280
Couldn't connect to URL: Connection reset by peer

Message body is not shown because it is too large.

Thank you for using my module. I'll take a look at it and hopefully get a patch out early next week.

In the meantime can you try adding to your call to new():
SSL_version => "TLSv12"

That should work without the need to hack the code base until the new release is available.

Curtis

On Fri Oct 20 14:46:32 2017, bsautter33@gmail.com wrote:
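The failure mode described in the report and the workaround in the reply both come down to the SSL_version string that Net::FTPSSL hands to IO::Socket::SSL. The following is an added example, not code from the ticket or from the Net::FTPSSL distribution: a throwaway TLS server on localhost that refuses anything below TLS 1.2 (the PureFTPd 1.0.45 policy), and three client handshakes that differ only in SSL_version. The 'TLSv1' attempt reproduces what Net::FTPSSL 0.35 to 0.38 forced for AUTH TLS sessions, 'TLSv12' is the workaround from the reply, and 'SSLv23' lets OpenSSL negotiate the highest version both sides support. The certificate, port and server policy are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the ticket or from Net::FTPSSL): show how the
# client-side SSL_version string decides whether a handshake with a
# "no TLS 1.0" server succeeds. Cert, port and policy are assumed here.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;                       # exports SSL_VERIFY_NONE, $SSL_ERROR
use IO::Socket::SSL::Utils qw(CERT_create);

# Throwaway self-signed certificate, created in-process (nothing on disk).
my ($cert, $key) = CERT_create(
    CA      => 1,
    subject => { commonName => 'localhost' },
);

# Plain TCP listener on an ephemeral port. The TLS upgrade happens after
# accept(), the same shape as FTP's AUTH TLS upgrade of the control channel.
my $listener = IO::Socket::INET->new(
    LocalAddr => '127.0.0.1',
    LocalPort => 0,
    Listen    => 5,
    ReuseAddr => 1,
) or die "listen: $!";
my $port = $listener->sockport;

# Server policy (assumed): negotiate the highest mutual version, but never
# SSLv2, SSLv3, TLS 1.0 or TLS 1.1. This is the PureFTPd 1.0.45 behaviour.
my $server_policy = 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1';

# One handshake attempt with the given client SSL_version; returns a
# one-line result string.
sub attempt {
    my ($client_version) = @_;

    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child = server: accept one connection, try to upgrade it to TLS.
        alarm 10;                          # guard against a hung accept
        my $conn = $listener->accept or exit 1;
        my $ok = IO::Socket::SSL->start_SSL(
            $conn,
            SSL_server  => 1,
            SSL_cert    => $cert,
            SSL_key     => $key,
            SSL_version => $server_policy,
        );
        exit($ok ? 0 : 1);
    }

    # Parent = client. Verification is disabled only because the cert is
    # self-signed and the point here is version negotiation; never do this
    # against a real server.
    my $client = IO::Socket::SSL->new(
        PeerAddr        => '127.0.0.1',
        PeerPort        => $port,
        Timeout         => 5,
        SSL_version     => $client_version,
        SSL_verify_mode => SSL_VERIFY_NONE,
    );
    my $result = $client
        ? 'ok, negotiated ' . $client->get_sslversion
        : "failed: $SSL_ERROR";
    close $client if $client;
    waitpid($pid, 0);
    return $result;
}

# 'TLSv1'  : what Net::FTPSSL <= 0.38 forced for explicit (AUTH TLS) sessions
# 'TLSv12' : the workaround from this ticket (IO::Socket::SSL also accepts
#            the spelling 'TLSv1_2')
# 'SSLv23' : let OpenSSL pick the highest version both sides support
for my $v (qw(TLSv1 TLSv12 SSLv23)) {
    printf "client SSL_version => '%-6s' : %s\n", $v, attempt($v);
}
```

Two caveats when reading the output. On an OpenSSL 3 build the 'TLSv1' attempt usually fails on the client side ("no protocols available") before the server ever sees a ClientHello, because TLS 1.0 is disabled at the default security level; the result is still a failed handshake, just with a different error than the "Connection reset by peer" in the report. And pinning the client to exactly 'TLSv12' fixes the ticket but also rules out TLS 1.3; a negotiated setting such as 'SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv1_1' keeps the same floor without capping the ceiling. To see which versions a real FTP server accepts before touching any Perl, openssl s_client -connect host:21 -starttls ftp -tls1 versus the same command with -tls1_2 gives a direct answer.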
Here's a beta with your suggested fix.

Let me know if it meets your needs. If it does I'll make the release official.

Curtis

On Fri Oct 20 18:28:57 2017, CLEACH wrote:
Subject: Net-FTPSSL-0.39.tar.gz
Download Net-FTPSSL-0.39.tar.gz
application/x-gzip 105.2k

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #123338] TLS 1.0 Deprecation Compatibility
Date: Tue, 24 Oct 2017 08:30:42 -0600
To: bug-Net-FTPSSL [...] rt.cpan.org
From: Benjamin Sautter <bsautter33 [...] gmail.com>
Works great! Thanks.

On Mon, Oct 23, 2017 at 9:15 PM, Curtis Leach via RT <bug-Net-FTPSSL@rt.cpan.org> wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=123338 >