Subject: verify_callback invoked 3 times per connection
Date: Wed, 8 Dec 2010 16:46:42 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Salvatore Bonaccorso <carnil [...] debian.org>
Hi Steffen
Daniel Kahn Gillmor reported an observation on invoking a supplied
verify_callback on [1]. Do you have a comment on this?
Thanks in advance, and thanks for developing IO::Socket::SSL.
Bests
Salvatore
[1] http://bugs.debian.org/606249
----- Forwarded message from Daniel Kahn Gillmor <dkg@fifthhorseman.net> -----
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
606249@bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Tue, 07 Dec 2010 14:45:02 -0500
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#606249: libio-socket-ssl-perl: verify_callback invoked 3 times
per connection
Package: libio-socket-ssl-perl
Version: 1.35-1
Severity: normal
If i supply a verify_callback, i find it gets invoked three times for
a single connection, if the callback is approved each time (if the
callback ever fails, it looks like it shortcuts the repeated verify
attempts). This is surprising to me. if it is intentional, i think
it should be better-documented at least.
If it is not intentional, it's possible that the bug is in
Net::SSLeay, or even further down in the stack. Feel free to
re-assign as you see fit.
Attached is a simple test case if you want to verify for yourself.
when i run it i get:
0 dkg@pip:~/tmp$ ./demoproblem.pl
DEBUG: .../IO/Socket/SSL.pm:1461: new ctx 163340976
DEBUG: .../IO/Socket/SSL.pm:332: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:334: socket connected
DEBUG: .../IO/Socket/SSL.pm:347: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:1453: ok=0 cert=163571568
verify called (7 ok)
DEBUG: .../IO/Socket/SSL.pm:1453: ok=0 cert=163571568
verify called (7 ok)
DEBUG: .../IO/Socket/SSL.pm:1453: ok=1 cert=163146456
verify called (7 ok)
DEBUG: .../IO/Socket/SSL.pm:390: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:445: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:1497: free ctx 163340976 open=163340976
DEBUG: .../IO/Socket/SSL.pm:1502: free ctx 163340976 callback
DEBUG: .../IO/Socket/SSL.pm:1505: OK free ctx 163340976
got 8271 characters
0 dkg@pip:~/tmp$
thanks for maintaining IO::Socket::SSL in debian!
--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay
ii netbase 4.43 Basic TCP/IP networking system
ii perl 5.10.1-16 Larry Wall's Practical Extraction
Versions of packages libio-socket-ssl-perl recommends:
ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn
Versions of packages libio-socket-ssl-perl suggests:
pn libio-socket-inet6-perl <none> (no description available)
-- no debconf information
#!/usr/bin/perl
use IO::Socket::SSL 1.35 qw(debug3);
use Net::SSLeay;
use LWP::Simple;
use warnings;
use strict;

# perversely reject connections 10% of the time, based on the wall clock:
sub verify {
    my $x = (time() % 10);
    if ($x > 0) {
        printf("verify called (%d ok)\n", $x);
        return 1;
    } else {
        printf("verify called (%d nope)\n", $x);
        return 0;
    }
}

IO::Socket::SSL::set_ctx_defaults(
    verify_callback => sub { return verify(@_); },
    verify_mode => 0x03,
    # this argument is irrelevant, but currently required -- see http://bugs.debian.org/606243
    ca_path => '.',
);

my $content = LWP::Simple::get('https://encrypted.google.com/');
if (defined($content)) {
    printf("got %d characters\n", length($content));
} else {
    printf("connection failed\n");
}
----- End forwarded message -----
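
OpenSSL invokes the verification callback once per certificate it checks and again for each error it finds, and the debug lines above show ok=0 on the first two calls while the test callback returns 1 regardless. The following is an added example, not part of the report or of IO::Socket::SSL's own code, of a callback that records each invocation and never turns OpenSSL's ok=0 into acceptance. Assumptions: the first four callback arguments follow the IO::Socket::SSL documentation, and replay() together with the sample invocations are constructed stand-ins for a real handshake.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a verify_callback that records every invocation and never upgrades
# OpenSSL's own verdict ($ok) from failure to success.
sub make_logging_verifier {
    my ($log) = @_;
    return sub {
        # Argument order as documented for IO::Socket::SSL's verify_callback.
        my ($ok, $store_ctx, $certname, $error) = @_;
        push @$log, { ok => $ok, cert => $certname, error => $error };
        return $ok ? 1 : 0;
    };
}

# The callback from demoproblem.pl with the clock removed: it ignores $ok.
sub always_accept { return 1 }

# Hypothetical stand-in for the handshake: invoke the callback once per
# entry and stop at the first rejection, as the report observes.
sub replay {
    my ($cb, @calls) = @_;
    my $n = 0;
    for my $c (@calls) {
        $n++;
        return (0, $n) unless $cb->(@$c);
    }
    return (1, $n);
}

# Constructed invocations mirroring the ok=0, ok=0, ok=1 sequence in the
# debug output; certificate names and error strings are placeholders.
my @calls = (
    [0, 0, '/CN=Constructed Issuer CA', 'constructed error A'],
    [0, 0, '/CN=Constructed Issuer CA', 'constructed error B'],
    [1, 0, '/CN=constructed.example',   0],
);

my @log;
my ($accepted, $count) = replay(\&always_accept, @calls);
printf "ignoring \$ok:  accepted=%d after %d call(s)\n", $accepted, $count;

($accepted, $count) = replay(make_logging_verifier(\@log), @calls);
printf "honouring \$ok: accepted=%d after %d call(s)\n", $accepted, $count;
printf "  ok=%d cert=%s error=%s\n", @{$_}{qw(ok cert error)} for @log;
```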