
This queue is for tickets about the IO-Async-SSL CPAN distribution.

Report information
The Basics
Id: 81921
Status: resolved
Priority: 0/
Queue: IO-Async-SSL

People
Owner: Nobody in particular
Requestors: barderne [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 0.06
Fixed in: 0.07



Subject: SSL_VERIFY_PEER is not set
Date: Wed, 12 Dec 2012 11:48:03 +0100
To: bug-IO-Async-SSL [...] rt.cpan.org
From: Vieille Baderne <barderne [...] gmail.com>
This is a bug report for perl from barderne@gmail.com, generated with the help of perlbug 1.39 running under perl 5.16.1.
-----------------------------------------------------------------
Since an upgrade, programs based on IO::Async::SSL yield the following error message:

*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
at /home/me/local/perl5/lib/perl5/IO/Async/SSL.pm line 131.

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=library
severity=medium
---
Site configuration information for perl 5.16.1:
Configured by Gentoo at Wed Nov 28 16:51:02 CET 2012.
Hmm, I have been looking at this but it isn't immediately obvious where to get the CA file from, which it will need to verify the peer cert. -- Paul Evans
On Sun Dec 16 13:31:27 2012, PEVANS wrote:
> Hmm, I have been looking at this but it isn't immediately obvious where
> to get the CA file from, which it will need to verify the peer cert.
Turns out that Mozilla::CA makes this quite simple. Version 0.07 on its way to CPAN now. -- Paul Evans
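The unverified and verified client configurations this ticket is about, as an added example that is not code from the ticket or from IO::Async::SSL itself: the second hash is what the 0.07 default supplies when Mozilla::CA is installed, plus the hostname check that SSL_VERIFY_PEER on its own does not perform. The host name is a placeholder and the callback names follow the IO::Async::SSL SSL_connect documentation; the script makes a real TLS connection, so it needs network access.

```perl
use strict;
use warnings;

use IO::Async::Loop;
use IO::Async::SSL;
use IO::Socket::SSL qw( SSL_VERIFY_PEER SSL_VERIFY_NONE );
use Mozilla::CA;

my $loop = IO::Async::Loop->new;

# Weak configuration: what the old implicit default amounted to. The session
# is encrypted, but the server certificate is never checked, so any party
# able to intercept the connection can present its own certificate.
my %unverified = (
    SSL_verify_mode => SSL_VERIFY_NONE,
);

# Hardened configuration: verify the chain against Mozilla's CA bundle (the
# same file 0.07 picks up via Mozilla::CA) and additionally require that the
# certificate matches the host we asked for. SSL_VERIFY_PEER alone validates
# the chain but not the name; SSL_verifycn_scheme/SSL_verifycn_name add that.
my $host = "example.com";   # placeholder host, assumption for this example
my %verified = (
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => Mozilla::CA::SSL_ca_file(),
    SSL_verifycn_scheme => "http",
    SSL_verifycn_name   => $host,
);

$loop->SSL_connect(
    host    => $host,
    service => "https",
    %verified,   # swap in %unverified to see the warning the ticket reports
    on_connected => sub {
        my ( $socket ) = @_;
        # On success the peer's certificate has been validated and name-checked
        printf "Connected; peer CN=%s\n", $socket->peer_certificate("cn");
        $loop->stop;
    },
    # Chain or hostname mismatch ends up here rather than in a silent success
    on_ssl_error     => sub { die "SSL verification failed: $_[-1]\n" },
    on_connect_error => sub { die "Connect failed: $_[-1]\n" },
    on_resolve_error => sub { die "Cannot resolve $host: $_[-1]\n" },
);

$loop->run;
```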
Subject: rt81921.patch
=== modified file 'lib/IO/Async/SSL.pm' --- lib/IO/Async/SSL.pm 2011-03-08 12:39:45 +0000 +++ lib/IO/Async/SSL.pm 2013-03-02 23:48:12 +0000 @@ -1,7 +1,7 @@ # You may distribute under the terms of either the GNU General Public License # or the Artistic License (the same terms as Perl itself) # -# (C) Paul Evans, 2010-2011 -- leonerd@leonerd.org.uk +# (C) Paul Evans, 2010-2013 -- leonerd@leonerd.org.uk package IO::Async::SSL; @@ -62,8 +62,40 @@ instances, and two forms of C<SSL_upgrade> to upgrade an existing TCP connection to use SSL. +As an additional convenience, if the C<SSL_verify_mode> and C<SSL_ca_file> +options are omitted, the module will attempt to load L<Mozilla::CA> and, if +successful, use it to set C<SSL_VERIFY_PEER>. If C<Mozilla::CA> cannot be +loaded then it will set C<SSL_VERIFY_NONE>. + =cut +my $have_Mozilla_CA; + +sub _SSL_args +{ + my %args = @_; + + # SSL clients (i.e. non-server) require a verify mode + if( !$args{SSL_server} and !defined $args{SSL_verify_mode} and + !defined $args{SSL_ca_file} and !defined $args{SSL_ca_path} ) { + # Try to load Mozilla::CA; but if it fails remember that so we don't + # reload it repeatedly + defined $have_Mozilla_CA or + $have_Mozilla_CA = eval { require Mozilla::CA } || 0; + + if( $have_Mozilla_CA ) { + $args{SSL_verify_mode} = IO::Socket::SSL::SSL_VERIFY_PEER(); + $args{SSL_ca_file} = Mozilla::CA::SSL_ca_file(); + } + else { + carp "Unable to set SSL_VERIFY_PEER because Mozilla::CA is unavailable"; + $args{SSL_verify_mode} = IO::Socket::SSL::SSL_VERIFY_NONE(); + } + } + + return %args; +} + =head1 LOOP METHODS The following extra methods are added to L<IO::Async::Loop>. @@ -122,7 +154,7 @@ my %ssl_params = map { $_ => delete $params{$_} } grep m/^SSL_/, keys %params; - $socket = IO::Socket::SSL->start_SSL( $socket, + $socket = IO::Socket::SSL->start_SSL( $socket, _SSL_args SSL_startHandshake => 0, # Required to make IO::Socket::SSL not ->close before we have a chance to remove it from the loop 
@@ -223,7 +255,7 @@ my ( $socket ) = @_; $loop->SSL_upgrade( - %ssl_params, + _SSL_args( %ssl_params ), handle => $socket, @@ -299,8 +331,7 @@ my ( $socket ) = @_; $loop->SSL_upgrade( - SSL_server => 1, - %ssl_params, + _SSL_args( SSL_server => 1, %ssl_params ), handle => $socket, === modified file 't/01upgrade.t' --- t/01upgrade.t 2013-03-02 23:15:01 +0000 +++ t/01upgrade.t 2013-03-02 23:19:22 +0000 @@ -36,6 +36,7 @@ $loop->SSL_upgrade( handle => $client_sock, + SSL_verify_mode => 0, on_upgraded => sub { $client_upgraded++ }, on_error => sub { die "Test failed early - $_[-1]" }, @@ -90,6 +91,7 @@ my $client_errored; $loop->SSL_upgrade( handle => $client_sock, + SSL_verify_mode => 0, on_upgraded => sub { die "Test failed early - SSL upgrade succeeded" }, on_error => sub { $client_errored++ }, === modified file 't/02protocol-upgrade.t' --- t/02protocol-upgrade.t 2013-03-02 23:15:01 +0000 +++ t/02protocol-upgrade.t 2013-03-02 23:19:22 +0000 @@ -56,6 +56,7 @@ ); $client_proto->SSL_upgrade( + SSL_verify_mode => 0, on_upgraded => sub { $client_upgraded++ }, on_error => sub { die "Test failed early - $_[-1]" }, ); === modified file 't/03cross.t' --- t/03cross.t 2013-03-02 23:15:01 +0000 +++ t/03cross.t 2013-03-02 23:19:22 +0000 @@ -47,6 +47,8 @@ host => "localhost", service => $port, + SSL_verify_mode => 0, + on_connected => sub { $connected_sock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, @@ -166,6 +168,8 @@ host => "localhost", service => $port, + SSL_verify_mode => 0, + on_connected => sub { $connected_sock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, @@ -217,6 +221,8 @@ host => "localhost", service => $port, + SSL_verify_mode => 0, + on_connected => sub { $connected_sock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, 
@@ -260,6 +266,8 @@ host => "localhost", service => $port, + SSL_verify_mode => 0, + on_connected => sub { $connected_sock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, === modified file 't/10connect-openssl.t' --- t/10connect-openssl.t 2013-03-02 23:15:01 +0000 +++ t/10connect-openssl.t 2013-03-02 23:19:22 +0000 @@ -65,6 +65,8 @@ host => "localhost", service => "4433", # openssl s_server's default + SSL_verify_mode => 0, + on_connected => sub { $sslsock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, === modified file 't/10connect-socat.t' --- t/10connect-socat.t 2013-03-02 23:15:01 +0000 +++ t/10connect-socat.t 2013-03-02 23:19:22 +0000 @@ -65,6 +65,8 @@ host => "localhost", service => "4434", + SSL_verify_mode => 0, + on_connected => sub { $sslsock = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" }, === modified file 't/20stream.t' --- t/20stream.t 2013-03-02 23:15:01 +0000 +++ t/20stream.t 2013-03-02 23:19:22 +0000 @@ -43,6 +43,8 @@ host => "localhost", service => "4433", + SSL_verify_mode => 0, + on_stream => sub { $c_stream = shift }, on_resolve_error => sub { die "Cannot resolve - $_[-1]\n" },
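Review bot: In the `_SSL_args` hunk (@@ -62,8 +62,40 @@ of lib/IO/Async/SSL.pm) the defaulting branch is skipped as soon as any one of SSL_verify_mode, SSL_ca_file or SSL_ca_path is defined, so a caller who passes only `SSL_ca_file => ...` (or SSL_ca_path) without a verify mode still gets IO::Socket::SSL's deprecated SSL_VERIFY_NONE default and the warning this ticket reports; supplying a CA file or path signals intent to verify, so consider setting `$args{SSL_verify_mode} = IO::Socket::SSL::SSL_VERIFY_PEER();` whenever SSL_verify_mode is undefined and only consulting Mozilla::CA when no CA file or path was given. Two smaller points on the same hunk: it calls `carp` but adds no `use Carp;`, so confirm the module already imports it; and because the fallback downgrades every client to SSL_VERIFY_NONE when Mozilla::CA is absent (with only a carp to say so), Mozilla::CA should be listed as at least a recommended dependency so that fallback is the exception rather than the default experience.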
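Review bot: In the start_SSL hunk (@@ -122,7 +154,7 @@ of lib/IO/Async/SSL.pm) the new call is written `_SSL_args SSL_startHandshake => 0,` without parentheses, whereas the two later call sites use `_SSL_args( %ssl_params )` and `_SSL_args( SSL_server => 1, %ssl_params )`; writing this one as `_SSL_args( SSL_startHandshake => 0, ... )` too makes it explicit that the list-operator call consumes every remaining argument of start_SSL, which is what the code relies on here, and keeps the three sites consistent.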
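Review bot: Across the t/*.t hunks every client call site now passes the bare literal `SSL_verify_mode => 0`; using `IO::Socket::SSL::SSL_VERIFY_NONE` (or one named variable per test file) together with a short comment on why verification is disabled for these local test servers would make the intent visible instead of relying on the reader knowing the numeric value. More importantly, with every client explicitly opting out, nothing in the suite exercises the new Mozilla::CA branch of `_SSL_args`; a test that omits SSL_verify_mode and checks that the returned arguments carry SSL_VERIFY_PEER and a readable SSL_ca_file when Mozilla::CA loads (and SSL_VERIFY_NONE plus the carp otherwise) would cover the behaviour this patch adds.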
Now released as 0.07. -- Paul Evans