Bug #81710 for Email-Send-SMTP-Gmail: verify errors with Email-Send-SMTP-Gmail-0.32

Tue Dec 04 21:11:40 2012 blakesteel [...] gmail.com - Ticket created

Subject:	verify errors with Email-Send-SMTP-Gmail-0.32
Date:	Tue, 4 Dec 2012 18:11:10 -0800
To:	bug-email-send-smtp-gmail [...] rt.cpan.org
From:	blakesteel <blakesteel [...] gmail.com>

Using the synopsis example code on the Email-Send-SMTP-Gmail-0.32 site, with the values altered to point to the corrent login/password/etc values, I receive the errors pasted below: use strict; use warnings; use Email::Send::SMTP::Gmail; my $mail=Email::Send::SMTP::Gmail->new( -smtp=>'smtp.gmail.com', -login=>'whateveraddress@gmail.com', -pass=>'whatever_pass'); $mail->send(-to=>'target@xxx.com', -subject=>'Hello!', -charset=>'UTF-8' -verbose=>'1', -body=>'Just testing it', -attachments=>'full_path_to_file'); $mail->bye; perl sendgmail3.pl connecting.... ******************************************************************* Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application. ******************************************************************* at Gmail.pm line 36. Terminating on signal SIGINT(2) Please advise.

Wed Dec 05 03:41:56 2012 PECO [...] cpan.org - Correspondence added

On Tue Dec 04 21:11:40 2012, blakesteel@gmail.com wrote: Show quoted text

> Using the synopsis example code on the Email-Send-SMTP-Gmail-0.32 > site, > with the values altered to point to the corrent login/password/etc > values,

Show quoted text

> ******************************************************************* > Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client > is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER > together with SSL_ca_file|SSL_ca_path for verification. > If you really don't want to verify the certificate and keep the > connection open to Man-In-The-Middle attacks please set > SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application. > ******************************************************************* > at Gmail.pm line 36. > Terminating on signal SIGINT(2) > > Please advise.

Hello. Thank you for yor bug reporting. Actually, this is bug of another module (NET::SMTP::SSL) that affects SMTP::Gmail :-/ I saw it's already opened (4 days ago) https://rt.cpan.org/Public/Bug/Display.html?id=81594 BTW, here you are a temporal workaround: "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the parameters, this can be made to work again, but there appears to be no path for end users to make this operational." Regards, Peco

Wed Dec 05 03:41:57 2012 The RT System itself - Status changed from 'new' to 'open'

Wed Dec 05 03:41:57 2012 PECO [...] cpan.org - Status changed from 'open' to 'stalled'

Thu Jan 24 15:51:11 2013 explorer [...] joaquinferrero.com - Correspondence added

El Mié Dic 05 03:41:56 2012, PECO escribió: Show quoted text

> BTW, here you are a temporal workaround: > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the > parameters, this can be made to work again, but there appears to be no > path for end users to make this operational." >

Workaround: 1) at line 36 of Email::Send::SMTP::Gmail: if (not $self->{sender} = Net::SMTP::SSL->new( $smtp, Port => $port, Debug => $debug, SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, )) { die "Could not connect to SMTP server\n"; } 2) at line 40 of Net::SMTP: foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { $obj = $type->SUPER::new( %arg, PeerAddr => ($host = $h), PeerPort => $arg{Port} || 'smtp(25)', LocalAddr => $arg{LocalAddr}, LocalPort => $arg{LocalPort}, Proto => 'tcp', Timeout => defined $arg{Timeout} ? $arg{Timeout} : 120, ) and last; }

Thu Jan 24 15:51:12 2013 The RT System itself - Status changed from 'stalled' to 'open'

Thu Jan 24 16:14:25 2013 PECO [...] cpan.org - Correspondence added

On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote: Show quoted text

> El Mié Dic 05 03:41:56 2012, PECO escribió:

> > BTW, here you are a temporal workaround: > > > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the > > parameters, this can be made to work again, but there appears to be no > > path for end users to make this operational." > >

> > Workaround: > > 1) at line 36 of Email::Send::SMTP::Gmail: > > if (not $self->{sender} = Net::SMTP::SSL->new( > $smtp, > Port => $port, > Debug => $debug, > SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > )) { > die "Could not connect to SMTP server\n"; > } > > 2) at line 40 of Net::SMTP: > > foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { > $obj = $type->SUPER::new( > %arg, > PeerAddr => ($host = $h), > PeerPort => $arg{Port} || 'smtp(25)', > LocalAddr => $arg{LocalAddr}, > LocalPort => $arg{LocalPort}, > Proto => 'tcp', > Timeout => defined $arg{Timeout} ? $arg{Timeout} : 120, > ) > and last; > } >

Thank you! I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with your patch. It will be available soon on CPAN and github

Thu Jan 24 16:14:26 2013 PECO [...] cpan.org - Status changed from 'open' to 'patched'

Thu Jan 24 22:56:10 2013 blakesteel [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #81710] verify errors with Email-Send-SMTP-Gmail-0.32
Date:	Thu, 24 Jan 2013 19:55:59 -0800
To:	bug-Email-Send-SMTP-Gmail [...] rt.cpan.org
From:	blakesteel <blakesteel [...] gmail.com>

Doesn't this defeat the point of the original patch that was causing the issue? Namely, verifying the certificate is valid to prevent man-in-the-middle attacks? Please advise. On Jan 24, 2013 1:14 PM, "Juan Jose San Martin via RT" < bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote:

> > El Mié Dic 05 03:41:56 2012, PECO escribió:

> > > BTW, here you are a temporal workaround: > > > > > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the > > > parameters, this can be made to work again, but there appears to be no > > > path for end users to make this operational." > > >

> > > > Workaround: > > > > 1) at line 36 of Email::Send::SMTP::Gmail: > > > > if (not $self->{sender} = Net::SMTP::SSL->new( > > $smtp, > > Port => $port, > > Debug => $debug, > > SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > > )) { > > die "Could not connect to SMTP server\n"; > > } > > > > 2) at line 40 of Net::SMTP: > > > > foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { > > $obj = $type->SUPER::new( > > %arg, > > PeerAddr => ($host = $h), > > PeerPort => $arg{Port} || 'smtp(25)', > > LocalAddr => $arg{LocalAddr}, > > LocalPort => $arg{LocalPort}, > > Proto => 'tcp', > > Timeout => defined $arg{Timeout} ? $arg{Timeout} : 120, > > ) > > and last; > > } > >

> > Thank you! > > I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with > your patch. It will be available soon on CPAN and github > > >

Thu Jan 24 22:56:11 2013 The RT System itself - Status changed from 'patched' to 'open'

Fri Jan 25 05:09:18 2013 PECO [...] cpan.org - Correspondence added

Yes, it does :-/ Then why did I apply the patch? 1.- The warning message about SSL_verify_mode is still showing up. Advice for the user. 2.- In case the user wants to hack it (assuming the SSL_VERIFY_NONE value), he should only focus on Net::SMTP 3.- I've created ticket on libnet (the super module that includes Net::SMTP): https://rt.cpan.org/Ticket/Display.html?id=82948&results=b61a27f0d355dee2c747886eb954df4a 4.- I've inserted a comment on the libnet Github repo to try to catch their attention. https://github.com/gbarr/perl-libnet/issues/3 Is it a final solution? Obviously not. I hope they release an updated libnet shortly. Thanks On Thu Jan 24 22:56:10 2013, blakesteel@gmail.com wrote: Show quoted text

> Doesn't this defeat the point of the original patch that was causing the > issue? Namely, verifying the certificate is valid to prevent > man-in-the-middle attacks? Please advise. > On Jan 24, 2013 1:14 PM, "Juan Jose San Martin via RT" < > bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: >

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > > > On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote:

> > > El Mié Dic 05 03:41:56 2012, PECO escribió:

> > > > BTW, here you are a temporal workaround: > > > > > > > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the > > > > parameters, this can be made to work again, but there appears to

be no Show quoted text

> > > > path for end users to make this operational." > > > >

> > > > > > Workaround: > > > > > > 1) at line 36 of Email::Send::SMTP::Gmail: > > > > > > if (not $self->{sender} = Net::SMTP::SSL->new( > > > $smtp, > > > Port => $port, > > > Debug => $debug, > > > SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > > > )) { > > > die "Could not connect to SMTP server\n"; > > > } > > > > > > 2) at line 40 of Net::SMTP: > > > > > > foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { > > > $obj = $type->SUPER::new( > > > %arg, > > > PeerAddr => ($host = $h), > > > PeerPort => $arg{Port} || 'smtp(25)', > > > LocalAddr => $arg{LocalAddr}, > > > LocalPort => $arg{LocalPort}, > > > Proto => 'tcp', > > > Timeout => defined $arg{Timeout} ? $arg{Timeout} : 120, > > > ) > > > and last; > > > } > > >

> > > > Thank you! > > > > I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with > > your patch. It will be available soon on CPAN and github > > > > > >

Fri Jan 25 05:09:19 2013 PECO [...] cpan.org - Status changed from 'open' to 'patched'

Fri Jan 25 13:35:21 2013 blakesteel [...] gmail.com - Correspondence added

Subject:	Re: [rt.cpan.org #81710] verify errors with Email-Send-SMTP-Gmail-0.32
Date:	Fri, 25 Jan 2013 10:35:09 -0800
To:	bug-Email-Send-SMTP-Gmail [...] rt.cpan.org
From:	blakesteel <blakesteel [...] gmail.com>

I believe you have to expose a way for users of your module to set the certificate file and/or string used to validate the remote certificate against. Both would be useful in case someone wants to use a string or a file. I don't think a patch in this regard is going to be forthcoming from the lower level library. It is going to have to be provided on your end. In the meantime although the current patch temporarily solves our ability to use the module, it again reintroduces the vulnerability whose intent it was to eliminate that caused this incompatibility in the first place. Thanks for your attention to this issue. On Jan 25, 2013 2:09 AM, "Juan Jose San Martin via RT" < bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: Show quoted text

> <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > Yes, it does :-/ > Then why did I apply the patch? > > 1.- The warning message about SSL_verify_mode is still showing up. > Advice for the user. > 2.- In case the user wants to hack it (assuming the SSL_VERIFY_NONE > value), he should only focus on Net::SMTP > 3.- I've created ticket on libnet (the super module that includes > Net::SMTP): > > https://rt.cpan.org/Ticket/Display.html?id=82948&results=b61a27f0d355dee2c747886eb954df4a > 4.- I've inserted a comment on the libnet Github repo to try to catch > their attention. https://github.com/gbarr/perl-libnet/issues/3 > > Is it a final solution? > Obviously not. I hope they release an updated libnet shortly. > > Thanks > > On Thu Jan 24 22:56:10 2013, blakesteel@gmail.com wrote:

> > Doesn't this defeat the point of the original patch that was causing the > > issue? Namely, verifying the certificate is valid to prevent > > man-in-the-middle attacks? Please advise. > > On Jan 24, 2013 1:14 PM, "Juan Jose San Martin via RT" < > > bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: > >

> > > <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > > > > > On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote:

> > > > El Mié Dic 05 03:41:56 2012, PECO escribió:

> > > > > BTW, here you are a temporal workaround: > > > > > > > > > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of the > > > > > parameters, this can be made to work again, but there appears to

> be no

> > > > > path for end users to make this operational." > > > > >

> > > > > > > > Workaround: > > > > > > > > 1) at line 36 of Email::Send::SMTP::Gmail: > > > > > > > > if (not $self->{sender} = Net::SMTP::SSL->new( > > > > $smtp, > > > > Port => $port, > > > > Debug => $debug, > > > > SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > > > > )) { > > > > die "Could not connect to SMTP server\n"; > > > > } > > > > > > > > 2) at line 40 of Net::SMTP: > > > > > > > > foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { > > > > $obj = $type->SUPER::new( > > > > %arg, > > > > PeerAddr => ($host = $h), > > > > PeerPort => $arg{Port} || 'smtp(25)', > > > > LocalAddr => $arg{LocalAddr}, > > > > LocalPort => $arg{LocalPort}, > > > > Proto => 'tcp', > > > > Timeout => defined $arg{Timeout} ? $arg{Timeout} : 120, > > > > ) > > > > and last; > > > > } > > > >

> > > > > > Thank you! > > > > > > I've uploaded the new release of Email::Send::SMTP::Gmail (0.33) with > > > your patch. It will be available soon on CPAN and github > > > > > > > > >

> > > >

Fri Jan 25 13:35:22 2013 The RT System itself - Status changed from 'patched' to 'open'

Mon Feb 11 07:04:51 2013 PECO [...] cpan.org - Correspondence added

Hello. Due to lack of response from Net::SMTP::SSL, we added TLS support using Net::SMTP::TLS::ButMaintained Then, from release 0.40, Gmail.pm uses TLS with Auth as its default method to connect to SMTP. SSL is also available The module maintains backward compatibility from the viewpoint of the exported subs and its arguments Doc updated Perlcritic passed Thanks El Vie Ene 25 13:35:21 2013, blakesteel@gmail.com escribió: Show quoted text

> I believe you have to expose a way for users of your module to set the > certificate file and/or string used to validate the remote certificate > against. Both would be useful in case someone wants to use a string or > a > file. I don't think a patch in this regard is going to be forthcoming > from > the lower level library. It is going to have to be provided on your > end. In > the meantime although the current patch temporarily solves our ability > to > use the module, it again reintroduces the vulnerability whose intent > it was > to eliminate that caused this incompatibility in the first place. > > Thanks for your attention to this issue. > On Jan 25, 2013 2:09 AM, "Juan Jose San Martin via RT" < > bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: >

> > <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > > > Yes, it does :-/ > > Then why did I apply the patch? > > > > 1.- The warning message about SSL_verify_mode is still showing up. > > Advice for the user. > > 2.- In case the user wants to hack it (assuming the SSL_VERIFY_NONE > > value), he should only focus on Net::SMTP > > 3.- I've created ticket on libnet (the super module that includes > > Net::SMTP): > > > >

> https://rt.cpan.org/Ticket/Display.html?

id=82948&results=b61a27f0d355dee2c747886eb954df4a Show quoted text

> > 4.- I've inserted a comment on the libnet Github repo to try to

> catch

> > their attention. https://github.com/gbarr/perl-libnet/issues/3 > > > > Is it a final solution? > > Obviously not. I hope they release an updated libnet shortly. > > > > Thanks > > > > On Thu Jan 24 22:56:10 2013, blakesteel@gmail.com wrote:

> > > Doesn't this defeat the point of the original patch that was

> causing the

> > > issue? Namely, verifying the certificate is valid to prevent > > > man-in-the-middle attacks? Please advise. > > > On Jan 24, 2013 1:14 PM, "Juan Jose San Martin via RT" < > > > bug-Email-Send-SMTP-Gmail@rt.cpan.org> wrote: > > >

> > > > <URL: https://rt.cpan.org/Ticket/Display.html?id=81710 > > > > > > > > > On Thu Jan 24 15:51:11 2013, explorer@joaquinferrero.com wrote:

> > > > > El Mié Dic 05 03:41:56 2012, PECO escribió:

> > > > > > BTW, here you are a temporal workaround: > > > > > > > > > > > > "By hacking Net::SMTP to pass SSL_verify_mode => 0 as one of

> the

> > > > > > parameters, this can be made to work again, but there

> appears to

> > be no

> > > > > > path for end users to make this operational." > > > > > >

> > > > > > > > > > Workaround: > > > > > > > > > > 1) at line 36 of Email::Send::SMTP::Gmail: > > > > > > > > > > if (not $self->{sender} = Net::SMTP::SSL->new( > > > > > $smtp, > > > > > Port => $port, > > > > > Debug => $debug, > > > > > SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE, > > > > > )) { > > > > > die "Could not connect to SMTP server\n"; > > > > > } > > > > > > > > > > 2) at line 40 of Net::SMTP: > > > > > > > > > > foreach $h (@{ref($hosts) ? $hosts : [$hosts]}) { > > > > > $obj = $type->SUPER::new( > > > > > %arg, > > > > > PeerAddr => ($host = $h), > > > > > PeerPort => $arg{Port} || 'smtp(25)', > > > > > LocalAddr => $arg{LocalAddr}, > > > > > LocalPort => $arg{LocalPort}, > > > > > Proto => 'tcp', > > > > > Timeout => defined $arg{Timeout} ? $arg{Timeout} :

> 120,

> > > > > ) > > > > > and last; > > > > > } > > > > >

> > > > > > > > Thank you! > > > > > > > > I've uploaded the new release of Email::Send::SMTP::Gmail (0.33)

> with

> > > > your patch. It will be available soon on CPAN and github > > > > > > > > > > > >

> > > > > > > >

Mon Feb 11 07:04:57 2013 PECO [...] cpan.org - Status changed from 'open' to 'resolved'