This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 82992
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: victor [...] vsespb.ru
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.81
Fixed in: (no value)



Doesn't work for some sites

    use strict;
    use IO::Socket::SSL;
    my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
        || warn "I encountered a problem: ".IO::Socket::SSL::errstr();
    print $client "GET / HTTP/1.0\r\n\r\n";
    print <$client>;

(curl and firefox work fine)

See also https://rt.cpan.org/Ticket/Display.html?id=70467

(prints

    I encountered a problem: IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0) at x2.pl line 3.

)

On Mon Jan 28 05:07:41 2013, vsespb wrote:
> Doesn't work for some sites
>
> use strict;
> use IO::Socket::SSL;
> my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> || warn "I encountered a problem: ".IO::Socket::SSL::errstr();
> print $client "GET / HTTP/1.0\r\n\r\n";
> print <$client>;
>
>
> (curl and firefox work fine)
>
> See also https://rt.cpan.org/Ticket/Display.html?id=70467

Hi,
I can't reproduce the problem with the given code.
This code implicitly assumes SSL_verify_mode of 0 (and issues a warning about it) but connects w/o problems.
I assume that your real code somehow sets SSL_verify_mode to 1.
In this case the connect will fail unless you have also set an SSL_ca_path containing the right CA certificates.

On Sun Jan 27 20:07:41 2013, vsespb wrote:
> Doesn't work for some sites
>
> use strict;
> use IO::Socket::SSL;
> my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> || warn "I encountered a problem: ".IO::Socket::SSL::errstr();
> print $client "GET / HTTP/1.0\r\n\r\n";
> print <$client>;
>
>
> (curl and firefox work fine)
>
> See also https://rt.cpan.org/Ticket/Display.html?id=70467

That was actually my real code. It fails on one of my servers and works fine on another.

Also this ticket https://rt.cpan.org/Ticket/Display.html?id=70467 is absolutely reproducible. (error in same line)

On Mon Jan 28 11:49:10 2013, SULLR wrote:
> Hi,
> I can't reproduce the problem with the given code.
> This code implicitly assumes SSL_verify_mode of 0 (and issues a warning
> about it) but connects w/o problems.
> I assume that your real code somehow sets SSL_verify_mode to 1.
> In this case the connect will fail unless you have also set an
> SSL_ca_path containing the right CA certificates.
>
> On Sun Jan 27 20:07:41 2013, vsespb wrote:
> > Doesn't work for some sites
> >
> > use strict;
> > use IO::Socket::SSL;
> > my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https")
> > || warn "I encountered a problem: ".IO::Socket::SSL::errstr();
> > print $client "GET / HTTP/1.0\r\n\r\n";
> > print <$client>;
> >
> >
> > (curl and firefox work fine)
> >
> > See also https://rt.cpan.org/Ticket/Display.html?id=70467

On Mon Jan 28 05:12:10 2013, vsespb wrote:
> That was actually my real code. It fails on one of my servers and works
> fine on another.

Could you please provide me with some more details about the environment where it fails, and also about the system where it succeeds, e.g.:

    use strict;
    use IO::Socket::SSL;
    printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
        $^V,
        $IO::Socket::SSL::VERSION,
        $Net::SSLeay::VERSION,
        Net::SSLeay::OPENSSL_VERSION_NUMBER();

And could you please set $IO::Socket::SSL::DEBUG=10 in your code and send me the output, so that one can better see where it fails.

ONE SERVER:

    $ perl poc.pl
    perl=v5.10.1 IO:Socket::SSL=1.81 Net::SSLeay=1.52 openssl=9080bf
    *******************************************************************
     Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
     is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
     together with SSL_ca_file|SSL_ca_path for verification.
     If you really don't want to verify the certificate and keep the
     connection open to Man-In-The-Middle attacks please set
     SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************
      at poc.pl line 6.
    DEBUG: .../IO/Socket/SSL.pm:1702: new ctx 7860368
    DEBUG: .../IO/Socket/SSL.pm:411: socket not yet connected
    DEBUG: .../IO/Socket/SSL.pm:413: socket connected
    DEBUG: .../IO/Socket/SSL.pm:431: ssl handshake not started
    DEBUG: .../IO/Socket/SSL.pm:492: Net::SSLeay::connect -> -1
    DEBUG: .../IO/Socket/SSL.pm:1373: SSL connect attempt failed with unknown error error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
    DEBUG: .../IO/Socket/SSL.pm:498: fatal SSL error: SSL connect attempt failed with unknown error error:140773F2:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message
    DEBUG: .../IO/Socket/SSL.pm:1373: IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0)
    DEBUG: .../IO/Socket/SSL.pm:1739: free ctx 7860368 open=7860368
    DEBUG: .../IO/Socket/SSL.pm:1747: OK free ctx 7860368
    I encountered a problem:IO::Socket::INET configuration failed error:00000000:lib(0):func(0):reason(0) at poc.pl line 6.
    Can't use string ("1") as a symbol ref while "strict refs" in use at poc.pl line 7.

    $ cat poc.pl
    use strict;
    use IO::Socket::SSL;
    $IO::Socket::SSL::DEBUG=10;
    printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
    $^V, $IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION, Net::SSLeay::OPENSSL_VERSION_NUMBER();
    my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https") || warn "I encountered a problem:".IO::Socket::SSL::errstr();
    print $client "GET / HTTP/1.0\r\n\r\n";
    print <$client>;

ANOTHER SERVER:

    $ perl poc.pl
    perl=v5.14.2 IO:Socket::SSL=1.81 Net::SSLeay=1.42 openssl=1000005f
    DEBUG: .../IO/Socket/SSL.pm:238: set domain to 2
    *******************************************************************
     Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
     is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
     together with SSL_ca_file|SSL_ca_path for verification.
     If you really don't want to verify the certificate and keep the
     connection open to Man-In-The-Middle attacks please set
     SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************
      at poc.pl line 6
    DEBUG: .../IO/Socket/SSL.pm:1702: new ctx 139587136
    DEBUG: .../IO/Socket/SSL.pm:411: socket not yet connected
    DEBUG: .../IO/Socket/SSL.pm:413: socket connected
    DEBUG: .../IO/Socket/SSL.pm:431: ssl handshake not started
    DEBUG: .../IO/Socket/SSL.pm:492: Net::SSLeay::connect -> 1
    DEBUG: .../IO/Socket/SSL.pm:547: ssl handshake done
    write_all VM at entry=vm_unknown
    partial `GET / HTTP/1.0

    '
    written so far 18:18 bytes (VM=vm_unknown)
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    ETag: W/"161-1347965911198"
    Last-Modified: Tue, 18 Sep 2012 10:58:31 GMT
    Content-Type: text/html
    Content-Length: 161
    Date: Mon, 28 Jan 2013 10:45:31 GMT
    Connection: close
    Server: Anonymous Server

    <html>
    <head>
    <meta http-equiv="refresh" content="0;URL=https://www.enrich.malaysiaairlines.com/EnrichWebsite/">
    </head>
    <body>
    </body>
    DEBUG: .../IO/Socket/SSL.pm:1739: free ctx 139587136 open=139587136
    DEBUG: .../IO/Socket/SSL.pm:1747: OK free ctx 139587136
    </html>root@li488-134:/tmp $ cat poc.pl
    use strict;
    use IO::Socket::SSL;
    $IO::Socket::SSL::DEBUG=10;
    printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
    $^V, $IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION, Net::SSLeay::OPENSSL_VERSION_NUMBER();
    my $client = IO::Socket::SSL->new("www.enrich.malaysiaairlines.com:https") || warn "I encountered a problem:".IO::Socket::SSL::errstr();
    print $client "GET / HTTP/1.0\r\n\r\n";
    print <$client>;

NOTES:

I use code example from your documentation, without Net::SSLeay::VERIFY_NONE(). I am not sure how to use Net::SSLeay::VERIFY_NONE(), because obvious things

    IO::Socket::SSL->new("google.com:https", SSL_verify_mode=>Net::SSLeay::VERIFY_NONE())
    my $client = IO::Socket::SSL->new("google.com:https", {SSL_verify_mode=>Net::SSLeay::VERIFY_NONE()})

crash on both servers.

On Mon Jan 28 14:27:55 2013, SULLR wrote:
> On Mon Jan 28 05:12:10 2013, vsespb wrote:
> > That was actually my real code. It fails on one of my servers and works
> > fine on another.
>
> could you please provide me with some more details about the
> environment, where it fails, and also about the system, where it
> succeeds, e.g:
>
> use strict;
> use IO::Socket::SSL;
> printf "perl=%s IO:Socket::SSL=%s Net::SSLeay=%s openssl=%x\n",
> $^V,
> $IO::Socket::SSL::VERSION,
> $Net::SSLeay::VERSION,
> Net::SSLeay::OPENSSL_VERSION_NUMBER();
>
>
> And could you please set $IO::Socket::SSL::DEBUG=10 in your code and
> send me the output, so that one can better see, where it fails.

On Mon Jan 28 05:52:31 2013, vsespb wrote:
> ONE SERVER:
> perl=v5.10.1 IO:Socket::SSL=1.81 Net::SSLeay=1.52 openssl=9080bf
> ...SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert unexpected message

> ANOTHER SERVER:
> perl=v5.14.2 IO:Socket::SSL=1.81 Net::SSLeay=1.42 openssl=1000005f
> ssl handshake done

I doubt that the perl version is relevant here, so this leaves the Net::SSLeay version or the OpenSSL version. Since I use 1.52 to successfully connect to the host, I would suggest that the old openssl version causes the problem. This would not affect firefox (since it does not use openssl) and might not affect curl either (which can use either GnuTLS or OpenSSL).

I can reproduce the problem on a system with an older openssl library and a recent version of IO::Socket::SSL. A look at the exchanged messages with wireshark gives the following picture:

- the server accepts TLSv1.0 records with TLSv1.1 handshakes inside.
  This is used with recent openssl versions, which support TLSv1.1
- the server accepts SSLv2 records with TLSv1.0 handshakes inside.
  This is used when SSL_version is set to 'sslv23' in IO::Socket::SSL. This was the default in older IO::Socket::SSL versions, but for security reasons SSLv2 is now disabled by default, e.g. sslv23:!sslv2
- sslv23:!sslv2 causes on older openssl versions TLSv1.0 records with TLSv1.0 handshakes inside. For some strange reason (maybe misconfiguration) the server does not understand these SSL messages; other servers have no problems.

Because you can probably not change the server configuration, the following workarounds are possible:

- use a newer openssl version which supports TLSv1.1 (openssl>=1.0)
- allow SSLv2 by setting SSL_version => 'sslv23'. Note that SSLv2 is disabled for security reasons, so enabling it increases your risk.

> I use code example from your documentation, without
> Net::SSLeay::VERIFY_NONE(). I am not sure how to use
> Net::SSLeay::VERIFY_NONE(), because
> obvious things
> IO::Socket::SSL->new("google.com:https",
> SSL_verify_mode=>Net::SSLeay::VERIFY_NONE())
> my $client = IO::Socket::SSL->new("google.com:https",
> {SSL_verify_mode=>Net::SSLeay::VERIFY_NONE()})
>
> crash on both servers.

The syntax is not

    class->new(host,%args)

but

    class->new(host) OR class->new(%args)

If you want to give other arguments you have to specify the target with PeerAddr or PeerAddr+PeerPort. This is the same with all the other IO::Socket::* stuff.
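
The three record/handshake combinations seen in the capture can be told apart from the first bytes a client sends. The following is an added example, not code from the ticket or from IO::Socket::SSL; the function names and the sample byte strings are constructed for illustration, and the field layout is that of the SSLv2 and TLS record formats.

```perl
use strict;
use warnings;

my %VERSION_NAME = (
    '0.2' => 'SSLv2',   '3.0' => 'SSLv3', '3.1' => 'TLSv1.0',
    '3.2' => 'TLSv1.1', '3.3' => 'TLSv1.2',
);

sub version_name {
    my ($major, $minor) = @_;
    return $VERSION_NAME{"$major.$minor"}
        || sprintf('unknown(%d.%d)', $major, $minor);
}

# Returns (record layer, version offered in the handshake) for the first
# bytes a client sends, or an empty list if they are not a ClientHello.
sub classify_client_hello {
    my ($bytes) = @_;
    return if length($bytes) < 5;
    my $first = unpack 'C', $bytes;

    if ($first & 0x80) {
        # SSLv2 record: 2-byte length with the high bit set, then
        # msg_type (1 = CLIENT-HELLO) and the 2-byte offered version.
        my ($type, $major, $minor) = unpack 'x2 C3', $bytes;
        return unless $type == 1;
        return ('SSLv2', version_name($major, $minor));
    }
    if ($first == 0x16 && length($bytes) >= 11) {
        # TLS record: type 22 (handshake), record version, 2-byte length,
        # handshake type (1 = ClientHello), 3-byte length, client_version.
        my ($rmaj, $rmin, $htype, $cmaj, $cmin)
            = unpack 'x C2 x2 C x3 C2', $bytes;
        return unless $htype == 1;
        return (version_name($rmaj, $rmin), version_name($cmaj, $cmin));
    }
    return;
}

# Constructed prefixes matching the three cases described in the reply.
my @samples = (
    pack('C*', 0x16, 3, 1, 0, 0x30, 1, 0, 0, 0x2c, 3, 2),
    pack('C*', 0x80, 0x2e, 1, 3, 1, 0, 0x15),
    pack('C*', 0x16, 3, 1, 0, 0x30, 1, 0, 0, 0x2c, 3, 1),
);
for my $bytes (@samples) {
    my ($record, $hello) = classify_client_hello($bytes);
    print "$record record, $hello handshake\n";
}
```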
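
A connection written in the class->new(%args) form described above, with peer verification switched on and a failed connect treated as fatal. This is an added example, not code from the ticket or the IO::Socket::SSL documentation; `ssl_client_args`, `fetch_status` and their option names are hypothetical, the CA bundle is supplied by the caller, and `SSL_verifycn_scheme` is an addition the ticket does not mention.

```perl
use strict;
use warnings;
use Carp qw(croak);
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Hypothetical helper: build the argument list for class->new(%args).
sub ssl_client_args {
    my ($host, %opt) = @_;
    croak 'need ca_file or ca_path to verify the peer'
        unless $opt{ca_file} || $opt{ca_path};
    my %args = (
        PeerAddr            => $host,
        PeerPort            => $opt{port} || 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'http',    # also check the certificate name
    );
    $args{SSL_ca_file} = $opt{ca_file} if $opt{ca_file};
    $args{SSL_ca_path} = $opt{ca_path} if $opt{ca_path};
    # Workaround from the ticket, only on explicit request for one host:
    # 'sslv23' allows SSLv2 again, which is disabled by default.
    $args{SSL_version} = 'sslv23' if $opt{allow_sslv2};
    return %args;
}

# Hypothetical helper: connect, send one request, return status and cipher.
sub fetch_status {
    my ($host, %opt) = @_;
    # die instead of warn, so a failed connect never reaches print
    my $client = IO::Socket::SSL->new(ssl_client_args($host, %opt))
        or die "connect to $host failed: $!, $SSL_ERROR\n";
    print {$client} "GET / HTTP/1.0\r\nHost: $host\r\n\r\n";
    my $status = <$client>;
    my $cipher = $client->get_cipher;
    close $client;
    return ($status, $cipher);
}

unless (caller) {
    my ($host, $ca_file) = @ARGV;
    die "usage: $0 host ca-bundle.pem\n" unless $host && $ca_file;
    my ($status, $cipher) = fetch_status($host, ca_file => $ca_file);
    print "cipher=$cipher\n", $status // "no response\n";
}
```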