
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 74159
Status: rejected
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: AHARRISON [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in:
  • 1.14
  • 1.15
  • 1.16
  • 1.16_1
  • 1.16_2
  • 1.16_3
  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22
  • 1.23
  • 1.24
  • 1.25
  • 1.26
  • 1.27
  • 1.28
  • 1.29
  • 1.30
  • 1.30_2
  • 1.30_3
  • 1.31
  • 1.32
  • 1.33
  • 1.34
  • 1.35
  • 1.36
  • 1.37
  • 1.38
  • 1.39
  • 1.40
  • 1.41
  • 1.42
  • 1.43
  • 1.43_1
  • 1.44
  • 1.45
  • 1.46
  • 1.47
  • 1.48
  • 1.49
  • 1.50
  • 1.51
  • 1.52
  • 1.53
  • 1.54
Fixed in: (no value)



Subject: "Cannot determine peer hostname for verification"
I'm still getting these errors with the latest version of IO::Socket::SSL when using it with Net::LDAP and start_tls. Here's a Data::Dump of the plain Net::LDAP object after the start_tls: (I altered the actual hostnames seen here) "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)"do { require Symbol; my $a = bless({ callback => undef, controls => undef, ctrl_hash => undef, errorMessage => "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)", matchedDN => "", mesgid => 1, parent => bless({ net_ldap_async => 0, net_ldap_debug => 0, net_ldap_host => "ldap-server.example.com", net_ldap_mesg => {}, net_ldap_port => 389, net_ldap_refcnt => 1, net_ldap_resp => {}, net_ldap_scheme => "ldap", net_ldap_socket => bless(Symbol::gensym(), "IO::Socket::INET"), net_ldap_uri => "ldap-server.example.com:389", net_ldap_version => 3, }, "Net::LDAP"), raw => undef, resultCode => 1, }, "Net::LDAP::Extension"); *{$a->{parent}{net_ldap_socket}} = { _SSL_last_err => "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)", io_socket_domain => 2, io_socket_proto => 6, io_socket_timeout => 120, io_socket_type => 1, }; $a; Here's the code to I tested with: #!/mc/apps/perl/current/bin/perl use Data::Dump; use Net::LDAP; my $ldap = Net::LDAP->new( 'ldap-server.example.com:389' ); my $mesg = $ldap->start_tls( verify => 'require', capath => '/usr/local/etc/openldap/certs' ); print Data::Dump::dump($mesg); I'm using Net::LDAP 0.43. One-by-one I kept back reving IO::Socket::SSL finally settling on 1.13 which worked. My Net::SSLeay versions tried were between 1.36 and 1.42. My perl version is 5.14.2, which I compiled with perlbrew. (Details attached so as not to clutter this ticket any more than I have...). Operating system doesn't seem to matter, I get the same problem on an old CentOS 5.2 server as well as my opensuse 12.1 desktop. 
I also get the same problem whether I use one of my custom perlbrew builds or the stock os perl installation. The certificate used by my openldap server is a self signed wildcard cert (*.example.com). The issuers of both the server and client certs are exactly identical. In the client cert, the subject and issuer fields are identical. In the server cert, subject differs in that the CN attribute is *.example.com. Certificate details: # openssl x509 -noout -in /path/to/wildcard-LDAP.crt -subject -issuer subject= /C=US/ST=New Hampshire/L=Fake/O=Department/CN=*.example.com issuer= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net # openssl x509 -noout -in /path/to/client-LDAP.crt -subject -issuer subject= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net issuer= /C=US/ST=New Hampshire/L=Fake/O=Department/OU=Certificate Authority/CN=example.com/emailAddress=user@example.net (I was careful in falsifying the information so as to preserve the differences, like with the .com vs. .net tld related to the email address, just in case that matters.)
Subject: perlbrew-details.txt
The details of my perl build:
From what I see, Net::LDAP does the following in case you first do an LDAP connect and then upgrade to TLS:

- you call Net::LDAP->new(host)
- new calls connect_ldap
- connect_ldap creates an IO::Socket::INET object which then connects to the server and stores the socket as net_ldap_socket; the hostname gets stored in net_ldap_host
- then you call $ldap->start_tls(..)
- this calls IO::Socket::SSL::start_SSL with various parameters, but NOT with the hostname of the server
- IO::Socket::SSL tries to get the hostname from the IO::Socket::INET object (PeerAddr) and fails, and thus has no way to verify the hostname

The reason this fails since 1.14 is that 1.14 introduced the hostname checking:

| - added support for verification of hostname from certificate
| ..

Since I don't have any LDAP server for testing I can only suggest the attached diff to LDAP.pm; maybe it works. If yes, please forward it to the Net::LDAP maintainer.

Regards,
Steffen
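The connect-then-upgrade sequence described above, as an added example that is not from the ticket or from Net::LDAP/IO::Socket::SSL: after start_tls succeeds it re-checks the certificate against the hostname the client actually dialled, so a library that forgot to pass the name still cannot leave the connection unverified. The hostname, CA path and the 'ldap' verification scheme are assumptions.

```perl
#!/usr/bin/perl
# Added example: plaintext connect, StartTLS upgrade, then an explicit
# hostname check against the name we intended to reach.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Hypothetical values; replace with your own server and CA directory.
my $host   = 'ldap-server.example.com';
my $capath = '/usr/local/etc/openldap/certs';

# Returns the verified Net::LDAP handle, or dies with the reason.
sub connect_verified {
    my ($host, $capath) = @_;
    my $ldap = Net::LDAP->new($host, port => 389)
        or die "connect to $host failed: $@";

    my $mesg = $ldap->start_tls(verify => 'require', capath => $capath);
    if ($mesg->code) {
        # A Net::LDAP that never passes the hostname to start_SSL ends up
        # here with "Cannot determine peer hostname for verification".
        die "start_tls failed: " . $mesg->error;
    }

    # Defence in depth: the socket must really have been upgraded, and the
    # certificate must match the name *we* dialled, not whatever the library
    # managed (or failed) to derive from the socket.
    my $sock = $ldap->socket;
    die "socket was not upgraded to TLS" unless $sock->isa('IO::Socket::SSL');
    # 'ldap' selects IO::Socket::SSL's LDAP name-matching rules (assumed);
    # the scheme decides how wildcards like *.example.com are treated.
    $sock->verify_hostname($host, 'ldap')
        or die sprintf "certificate CN '%s' does not match '%s'",
            $sock->peer_certificate('commonName') // '?', $host;
    return $ldap;
}

my $ldap = connect_verified($host, $capath);
printf "TLS established to %s, cipher %s\n", $host, $ldap->socket->get_cipher;
$ldap->unbind;
```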
Subject: LDAP.pm.diff
--- LDAP.pm.orig 2012-01-19 18:08:05.697495225 +0100 +++ LDAP.pm 2012-01-19 18:10:58.333489820 +0100 @@ -1035,7 +1035,10 @@ my $sock_class = ref($sock); return $mesg - if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)}); + if IO::Socket::SSL->start_SSL($sock, { + _SSL_context_init_args($arg), + SSL_verifycn_name => $ldap->{net_ldap_host}, + }); my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
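Review bot: `SSL_verifycn_name => $ldap->{net_ldap_host}` is listed after `_SSL_context_init_args($arg)`, so it overrides any SSL_verifycn_name the caller supplied through `$arg` (later keys win when the hash is built); put it before the `_SSL_context_init_args($arg)` expansion so the stored host is only a default, and confirm that `$ldap` is the variable in scope in this sub, since the context lines show only `$sock`, `$arg` and `$mesg`.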
Thanks Steffen. That fix didn't quite do the trick, but it definitely got me barking up the right tree. I found this patch from a few months ago by Peter Marschall to Net::LDAP that gets things working perfectly. Posting it here for anyone else who might come looking for answers. https://github.com/gbarr/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
Reference to Net::LDAP patch documented.
> https://github.com/gbarr/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803

It's not the repository of gbarr, but marschap. The correct URL is: https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
On Fri Jan 20 01:56:41 2012, SULLR wrote:
> > https://github.com/gbarr/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
>
> it's not the repository of gbarr, but marschap.
> The correct URL is:
> https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
As you can see, the URLs reference the same commit. Regardless, Graham already pulled the change into his 'next' branch and fixed the typo in Peter's commit, so the gbarr URL is the appropriate repository.
Bug rejected, because not caused by IO::Socket::SSL