Skip Menu |

This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 70795
Status: resolved
Priority: 0/
Queue: perl-ldap
People
Owner: Nobody in particular
Requestors: bgp4 [...] yandex.ru
Cc:
AdminCc:
Bug Information
Severity: Important
Broken in: (no value)
Fixed in: 0.44

History Show all quoted text
  Wed Sep 07 14:56:02 2011 https://id.rambler.ru/users/bgp4 - Ticket created
Subject: server SSL certificate verify broken when start_tls is used
Net::LDAP can't verify server certificate if start_ssl is used. Test case: use Net::LDAP; use IO::Socket::SSL; my $ldap = Net::LDAP->new('ldap.example.ru'); my $mesg = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/ca.pem'); die $mesg->error if $mesg->code; dies with message: Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0) at ./test_ldap.pl line 14, <DATA> line 522. ---- OS: FreeBSD p5-perl-ldap-0.4300 perl v5.10.1 ---- patch to fix this bug is attached. from IO::Socket::SSL doc: SSL_verifycn_name Set the name which is used in verification of hostname. If SSL_verifycn_scheme is set and no SSL_verifycn_name is given it will try to use the PeerHost and PeerAddr settings and fail if no name caan be determined. Using PeerHost or PeerAddr works only if you create the connection directly with IO::Socket::SSL->new, if an IO::Socket::INET object is upgraded with start_SSL the name has to be given in SSL_verifycn_name.
Subject: patch-Net-LDAP.pm
--- Net/LDAP.pm.orig 2011-09-07 22:51:44.000000000 +0400 +++ Net/LDAP.pm 2011-09-07 22:53:19.000000000 +0400 @@ -1035,7 +1035,10 @@ my $sock_class = ref($sock); return $mesg - if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)}); + if IO::Socket::SSL->start_SSL($sock, { + SSL_verifycn_name => $ldap->{net_ldap_host} + _SSL_context_init_args($arg) + }); my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
  Mon Sep 19 04:54:10 2011 nine [...] detonation.org - Correspondence added
The "Cannot determine peer hostname for verification" message comes even if verify is set to 'none'. The supplied patch does have some syntax errors but once they are fixed it fixes the problem for me. Attaching a fixed patch.
Subject: patch-Net-LDAP.pm
--- Net/LDAP.pm.orig 2011-09-07 22:51:44.000000000 +0400 +++ Net/LDAP.pm 2011-09-07 22:53:19.000000000 +0400 @@ -1035,7 +1035,10 @@ my $sock_class = ref($sock); return $mesg - if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)}); + if IO::Socket::SSL->start_SSL($sock, { + SSL_verifycn_name => $ldap->{net_ldap_host}, + _SSL_context_init_args($arg), + }); my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
  Mon Sep 19 04:54:12 2011 The RT System itself - Status changed from 'new' to 'open'
  Mon Oct 31 06:58:19 2011 chisel [...] chizography.net - Correspondence added
On Mon Sep 19 09:54:10 2011, NINE wrote: Show quoted text
> The "Cannot determine peer hostname for verification" message comes even > if verify is set to 'none'. The supplied patch does have some syntax > errors but once they are fixed it fixes the problem for me. > > Attaching a fixed patch.
We recently upgraded and encountered the same problem (here at Net-A-Porter). Independently we came up with the same solution to the issues (although written slightly differently). It would be really helpful to have a new release of the module to save us distropref-patching our modules.
  Sun Jan 29 14:28:27 2012 MARSCHAP [...] cpan.org - Correspondence added
RT-Send-CC: nine [...] detonation.org
On Mon Oct 31 06:58:19 2011, CHISEL wrote: Show quoted text
> On Mon Sep 19 09:54:10 2011, NINE wrote:
> > The "Cannot determine peer hostname for verification" message comes
even Show quoted text
> > if verify is set to 'none'. The supplied patch does have some syntax > > errors but once they are fixed it fixes the problem for me. > > > > Attaching a fixed patch.
> > We recently upgraded and encountered the same problem (here at > Net-A-Porter). > Independently we came up with the same solution to the issues
(although Show quoted text
> written slightly differently). > > It would be really helpful to have a new release of the module to save > us distropref-patching our modules.
Now that v0.44 has been released with changes in that region, can you give it a try, test whether it fixes the issue and report back? Thanks Peter
  Tue Jan 31 02:06:10 2012 nine [...] detonation.org - Correspondence added
I can confirm that the issue went away for me. Thank you very much :)
  Thu Feb 09 10:17:14 2012 MARSCHAP [...] cpan.org - Correspondence added
Hi, On Tue Jan 31 02:06:10 2012, NINE wrote: Show quoted text
> I can confirm that the issue went away for me. Thank you very much :)
Marking the bug as "resolved". Thanks Peter
  Thu Feb 09 10:17:16 2012 MARSCHAP [...] cpan.org - Status changed from 'open' to 'resolved'
  Thu Feb 09 10:17:38 2012 MARSCHAP [...] cpan.org - Fixed in 0.44 added