
This queue is for tickets about the Net-FTPSSL CPAN distribution.

Report information
The Basics
Id: 44042
Status: resolved
Priority: 0/
Queue: Net-FTPSSL

People
Owner: Nobody in particular
Requestors: tj [...] castaglia.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: 0.08



Subject: Net-FTPSSL enhancements
Date: Wed, 11 Mar 2009 10:58:11 -0800 (PST)
To: <bug-Net-FTPSSL [...] rt.cpan.org>
From: TJ Saunders <tj [...] castaglia.org>
Hello, sir.

I'm currently using the Net-FTPSSL package for running some FTPS tests in the proftpd test case. To help exercise many of the code paths in proftpd's mod_tls, I needed a way to specify many of the IO::Socket::SSL options, e.g. I needed to configure a Net::FTPSSL object to use a client cert, to reuse SSL sessions, etc. To do this, using the Net-FTPSSL-0.07 version, I had to make the following change in the new() subroutine in FTPSSL.pm:

  my $obj = $type->start_SSL( $socket, SSL_version => $mode )
    or return _croak_or_return( $socket, undef, "$mode: " . IO::Socket::SSL::errstr () );

To be:

  unless ( defined($arg{SSL_version}) ) {
    $arg{SSL_version} = $use_ssl ? 'SSLv23' : 'TLSv1';
  }

  my $obj = $type->start_SSL( $socket, %arg )
    or return _croak_or_return( $socket, undef, IO::Socket::SSL::errstr () );

Note that this change also makes the 'useSSL' constructor option unnecessary; the caller can simply set the 'SSL_version' IO::Socket::SSL option in arg. But that's a minor thing.

With this change, I can now do:

  my $client = Net::FTPSSL->new($server,
    Port       => $port,
    Encryption => 'E',

    # IO::Socket::SSL options
    SSL_version     => 'TLSv1',
    SSL_use_cert    => 1,
    SSL_cert_file   => $client_cert,
    SSL_key_file    => $client_key,
    SSL_verify_mode => 0x01,
    SSL_reuse_ctx   => $prev_client,
  );

Also, in the Makefile.PL, the author is still listed as Marcos Dalla Stella.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Only those who will risk going too far can possibly find out how far one can go. -T.S. Eliot
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi TJ,

Sounds like you are planning to get real ambitious with this module. I'll have to think a bit on how I'd want to implement such a feature in the base code to avoid a support nightmare. :-)

I'm planning to release v0.08 shortly to fix a few minor issues with v0.07, the other 2 tickets, and some misc enhancements. I'll see if I have time to include this as well. But no promises at this point since it looks like you've implemented your own workaround.

My 1st thought is to add a new "SSL_Advanced => \%ssl_opts" which will cause all your requested options to be added to the start_SSL() call and say use at your own risk. Totally unsupported. See IO::Socket::SSL for available tags. And if the other options for FTPSSL conflict with what you provided, this hash will override them. Any options added by FTPSSL to your list will cause your hash reference to be updated so that you can dump your hash to assist in debugging things yourself.

( I have yet to figure out how to force IO::Socket::SSL to turn on its debugging levels to allow a trace. Setting $IO::Socket::SSL::DEBUG = 2; doesn't seem to work. )

Does this sound like it would meet your needs? Or do you have other suggestions?

I'm trying to keep the usage of this class as simple as possible while making it useful to people like yourself as well. I don't see FTPSSL supporting every conceivable SSL option without the user customizing things a bit for themselves. But I see no harm in providing hooks.

Curtis
Subject: Re: [rt.cpan.org #44042] Net-FTPSSL enhancements
Date: Wed, 11 Mar 2009 15:46:54 -0800 (PST)
To: Curtis Leach via RT <bug-Net-FTPSSL [...] rt.cpan.org>
From: TJ Saunders <tj [...] castaglia.org>
> My 1st thought is to add a new "SSL_Advanced => \%ssl_opts" which will
> cause all your requested options to be added to the start_SSL() call
> and say use at your own risk. Totally unsupported. See
> IO::Socket::SSL for available tags. And if the other options for
> FTPSSL conflict with what you provided, this hash will override them.
> Any options added by FTPSSL to your list will cause your hash
> reference to be updated so that you can dump your hash to assist in
> debugging things yourself.
That would work well for me; I simply need a way to set some of the more esoteric IO::Socket::SSL options in the start_SSL() call. By the time the Net::FTPSSL constructor has returned the blessed object, it's too late to change those parameters.
> ( I have yet to figure out how to force IO::Socket::SSL to turn on its
> debugging levels to allow a trace. Setting $IO::Socket::SSL::DEBUG =
> 2; doesn't seem to work. )
Looks like $IO::Socket::SSL::DEBUG is only honored when IO::Socket::SSL is imported (via use or require); IO::Socket::SSL aliases this to $Net::SSLeay::trace (same numeric values 0-4), so maybe having Net::FTPSSL change/set $Net::SSLeay::trace directly when Trace is enabled would work?
> Does this sound like it would meet your needs? Or do you have other
> suggestions?
Just this one for now, as it gets me most of what I need; I may encounter others as I implement more and more unit tests for proftpd's mod_tls module.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Music, the greatest good that mortals know, And all of heaven we have below. -Joseph Addison
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OK, we have a plan simple enough that I probably can get it into v0.08 when it comes out. (Hopefully sometime this month.)
> > ( I have yet to figure out how to force IO::Socket::SSL to turn on
> > its debugging levels to allow a trace. Setting $IO::Socket::SSL::DEBUG
> > = 2; doesn't seem to work. )
>
> Looks like $IO::Socket::SSL::DEBUG is only honored when IO::Socket::SSL is
> imported (via use or require); IO::Socket::SSL aliases this to
> $Net::SSLeay::trace (same numeric values 0-4), so maybe having Net::FTPSSL
> change/set $Net::SSLeay::trace directly when Trace is enabled would
> work?
Drat, I had already tried the $Net::SSLeay::trace route as well. It hadn't seemed to work either. I would have loved adding the tracing of start_SSL() when Debug was used but I have no time to figure out how to do it.

If you do figure it out during your tests, please let me know. It would be very useful to have in tracking down future problems.
Subject: Re: [rt.cpan.org #44042] Net-FTPSSL enhancements
Date: Wed, 11 Mar 2009 20:10:15 -0800 (PST)
To: Curtis Leach via RT <bug-Net-FTPSSL [...] rt.cpan.org>
From: TJ Saunders <tj [...] castaglia.org>
> Drat, I had already tried the $Net::SSLeay::trace route as well. It
> hadn't seemed to work either. I would have loved adding the tracing of
> start_SSL() when Debug was used but I have no time to figure out how
> to do it.
>
> If you do figure it out during your tests, please let me know. It
> would be very useful to have in tracking down future problems.
From what I've seen so far, it looks like Net::SSLeay isn't really instrumented to use $Net::SSLeay::trace all that much. It is honored in many of the utility subroutines (sslcat et al) provided by Net::SSLeay; but Net::FTPSSL doesn't use those subroutines. For that level of SSL tracing using OpenSSL, I've had to use the OpenSSL SSL_CTX_set_info_callback(3) and SSL_CTX_set_msg_callback(3) API directly, and Net::SSLeay does not use these callbacks.

I can say that setting $Net::SSLeay::trace directly in my calling code DOES have some effect, just not as much as might be desired for debugging the SSL handshake. For example, before calling one of the FTP data transfer methods, setting $Net::SSLeay::trace to 3 or higher does show the actual unencrypted data that was transferred, even if the data transfer was protected.

Cheers,
TJ

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nothing ever becomes real till it is experienced -- even a proverb is no proverb to you till your life has illustrated it. -John Keats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Enjoy, I've implemented the requested "SSL_Advanced => \%ssl_opts" feature, but I ran out of time trying to make the IO::Socket::SSL trace work. Please remember you are on your own with this option.
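The following is an added example, not code from this ticket or from the Net-FTPSSL distribution, showing how the SSL_Advanced hook discussed above and the $Net::SSLeay::trace observation would be used together from a test script. It assumes SSL_Advanced takes a hash reference that is passed through to start_SSL() and updated in place as Curtis described; the host, credentials, PEM paths and the SSL_ca_file option are placeholders and additions, not values from the thread.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): hand IO::Socket::SSL options to
# Net::FTPSSL 0.08 via SSL_Advanced, inspect what FTPSSL added to the hash,
# and raise Net::SSLeay tracing only around the one transfer being debugged.
use strict;
use warnings;
use Net::FTPSSL;
use Net::SSLeay;
use Data::Dumper;

# Placeholder host, port, credentials and PEM files for a test server.
my ($server, $port) = ('ftps.example.test', 21);
my ($user, $pass)   = ('tester', 'secret');

# Options forwarded verbatim to IO::Socket::SSL->start_SSL().
# SSL_verify_mode 0x01 is SSL_VERIFY_PEER; SSL_ca_file is an addition here
# (not in the ticket) so that peer verification has a trust anchor to check.
my %ssl_opts = (
    SSL_version     => 'TLSv1',
    SSL_use_cert    => 1,
    SSL_cert_file   => '/path/to/client-cert.pem',
    SSL_key_file    => '/path/to/client-key.pem',
    SSL_ca_file     => '/path/to/ca.pem',
    SSL_verify_mode => 0x01,
);

my $client = Net::FTPSSL->new($server,
    Port         => $port,
    Encryption   => 'E',          # explicit FTPS (AUTH TLS)
    Debug        => 1,
    SSL_Advanced => \%ssl_opts,   # unsupported hook: overrides FTPSSL's own choices
) or die "Cannot connect to $server:$port\n";

# Per the thread, FTPSSL records any options it added into the caller's
# hash, so dumping it after new() shows exactly what reached start_SSL().
print Dumper(\%ssl_opts);

$client->login($user, $pass) or die "Login failed for $user\n";

# Net::SSLeay trace levels are 0-4; at 3 or higher the cleartext of the
# protected data transfer is echoed, so scope the setting to one transfer.
$Net::SSLeay::trace = 3;
my @listing = $client->list('/');
$Net::SSLeay::trace = 0;

print scalar(@listing), " entries in /\n";
$client->quit();
```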