
This queue is for tickets about the Net-FTPSSL CPAN distribution.

Report information
The Basics
Id: 84376
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-FTPSSL

People
Owner: Nobody in particular
Requestors: gortan [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Unimportant
Broken in: 0.22
Fixed in: 0.22



Subject: SSL_Client_Certificate not reused on data channel
I'm currently implementing a small FTPS download script, using Net::FTPSSL version 0.22 and IO::Socket::SSL version 1.84.

Since v1.79, IO::Socket::SSL generates a warning when a connection is opened without peer verification turned on. As a response to this warning, I create my Net::FTPSSL instance like this:

    my $ftps = Net::FTPSSL->new ($host,
        SSL_Client_Certificate => {SSL_verify_mode => SSL_VERIFY_PEER,
                                   SSL_ca_path => '/etc/ssl/certs'});

This works fine, I can connect and login without any trouble and no warning is shown. However, as soon as a data connection is required (e.g. when issuing $ftps->list), I receive the warning of IO::Socket::SSL:

    *******************************************************************
    Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
    is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
    together with SSL_ca_file|SSL_ca_path for verification.
    If you really don't want to verify the certificate and keep the
    connection open to Man-In-The-Middle attacks please set
    SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************

After digging a bit into the Net::FTPSSL code, I think that the data connection is supposed to reuse the context of the command connection - this seems not to be working, otherwise this warning would not be shown.
Hi Philipp,

You caught me at a good time. I'm currently working on the next release of my module. But in order to assist you I'm going to need a copy of the log file that gets generated when you run your program. You'll need the following added to the new() call.

    Debug => 1, DebugLogFile => "myLogFile.txt"

Then send me the generated log file. This should provide me useful information in trying to see what is happening.

Curtis

On Tue Apr 02 10:50:10 2013, gortan@gmail.com wrote:
Dear Curtis,

I've uploaded the debug file as requested. Since it's not my server, I removed the server details, hope that's OK with you...

Philipp
Subject: myLogFile.txt
    Net-FTPSSL Version: 0.22
    Perl: 5.012004 [5.12.4], OS: linux
    Server (port): XXXXX (21)
    Keys: (Debug), (SSL_Client_Certificate), (DebugLogFile)
    Values: (1), (HASH(0x1261d38)), (/tmp/myLogFile.txt)
    SKT <<< 220 Wing FTP Server ready...
    SKT >>> AUTH TLS
    SKT <<< 234 AUTH command OK. Initializing TLS connection.
    Object Net::FTPSSL Details ... (XXXXX:21 - E)
    Croak ==> (undef)
    Crypt ==> E
    EmulateBug ==> 0
    FixGetTs ==> 0
    FixPutTs ==> 0
    Host ==> XXXXX
    OverridePASV ==> (undef)
    Pret ==> 0
    _SSL_arguments ==> HASH(0x1832eb8)
    -- PeerAddr ===> XXXXX
    -- PeerPort ===> 21
    -- Proto ===> tcp
    -- SSL_ca_path ===> /etc/ssl/certs
    -- SSL_check_crl ===> 0
    -- SSL_cipher_list ===> ALL:!LOW
    -- SSL_honor_cipher_order ===> 0
    -- SSL_server ===> 0
    -- SSL_use_cert ===> 0
    -- SSL_verify_mode ===> 1
    -- SSL_version ===> TLSv1
    _SSL_ctx ==> IO::Socket::SSL::SSL_Context=HASH(0x186f7e0)
    -- context ===> 25532960
    _SSL_fileno ==> 5
    _SSL_ioclass_upgraded ==> IO::Socket::INET
    _SSL_last_err ==> SSL wants a read first
    _SSL_object ==> 25631888
    _SSL_opened ==> 1
    buf_size ==> 10240
    data_prot ==> P
    dcsc_mode ==> 1
    debug ==> 2
    ftpssl_filehandle ==> GLOB(0x1261df8)
    io_socket_domain ==> 2
    io_socket_proto ==> 6
    io_socket_timeout ==> 120
    io_socket_type ==> 1
    last_ftp_msg ==> 234 AUTH command OK. Initializing TLS connection.
    myContext ==> HASH(0x168b918)
    -- SSL_reuse_ctx ===> IO::Socket::SSL::SSL_Context=HASH(0x186f7e0)
    -- context ----> 25532960
    mySocketOpts ==> HASH(0x1678c60)
    -- PeerAddr ===> XXXXX
    -- PeerPort ===> 21
    -- Proto ===> tcp
    -- Timeout ===> 120
    trace ==> 0
    type ==> A
    >>> USER +++++++
    <<< 331 Password required for <++++++>
    >>> PASS *******
    <<< 230 User <++++++> logged in.
    >>> PBSZ 0
    <<< 200 Command okay. PBSZ=0.
    >>> PROT P
    <<< 200 Encrypting Data Channel.
    >>> PASV
    <<< 227 Entering Passive Mode (XXXXX,250,194)
    --- Host (XXXXX) Port (64194)
    >>> RETR vb1301_erg.txt
    <<< 150 Data connection accepted; transfer starting for vb1301_erg.txt (61712 Bytes).
    <<< 226 File sent ok.Transfer bytes:61712Bytes;Average speed is:60.266KB/s
Hi Philipp,

Thank you for the logs. I'm fine with you masking out your server info. I may do the masking myself in a future release like I currently do for the user name & password pair.

I've looked at your logs, and the download seems to have worked fine. The message you are getting is just a warning of something being deprecated in IO::Socket::SSL during a call to configure_SSL().

That said, I'll see if I can figure out why you are getting the warning in the next few days or so. It seems to be generated during the call to IO::Socket::SSL->start_SSL () in _get_data_channel(). A quick look suggests that configure_SSL() doesn't like being passed just a context in the newer releases of this module. But if it's a bug in start_SSL(), I may not be able to do much about it.

But are you willing to run some beta code to try out different things? The last time I had to work on this type of problem it was a real bear to resolve.

Curtis

On Thu Apr 04 12:32:25 2013, gortan@gmail.com wrote:
Sure, just let me know if I can help!
Hi Philipp,

This is to let you know that I haven't forgotten about your warnings with my Net-FTPSSL module.

After looking into things a bit more closely, I've opened a bug report against IO-Socket-SSL, which I believe is doing the test for generating the warning incorrectly based on the comments in the code. Either that or I'm misunderstanding something.

Hopefully I'll hear back from them soon about this. It's Bug ID # 84686, which you can look up via the IO-Socket-SSL module if you'd like to track my progress on that front. I'll give you a heads up when I hear more about this Bug Id I just created.

Curtis

On Thu Apr 04 15:30:00 2013, gortan@gmail.com wrote:
> Sure, just let me know if I can help!
Hi Philipp,

Some good news. I was right and the warning was due to a bug in IO-Socket-SSL and it's just been fixed! You can download & install v1.86 of IO-Socket-SSL and your issue should be fixed!

Please give me a heads up if this resolves your issue. I'll be closing this ticket later on in the week unless I hear back from you that there is still an issue.

Thanks for reporting the problem!

Curtis

On Tue Apr 16 21:38:17 2013, CLEACH wrote:
Thanks, Curtis! The issue is resolved once I upgrade IO::Socket::SSL to 1.86.
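The reporter's constructor call carried through to a complete download script, as an added example that is not part of the ticket or of the Net-FTPSSL distribution: it pins the IO::Socket::SSL release the ticket names as the fix (1.86), keeps peer verification on for the command channel, and turns the SSL_VERIFY_NONE deprecation warning into a hard failure so that an unverified data channel can no longer pass silently. Host, credentials and paths are placeholders; the Encryption, DataProtLevel and $Net::FTPSSL::ERRSTR names are taken from the Net::FTPSSL API as I know it, not from this ticket.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use Net::FTPSSL;

# Require the IO::Socket::SSL release that fixed the spurious
# data-channel warning (bug 84686, fixed in 1.86 per this ticket).
IO::Socket::SSL->VERSION(1.86);

# Placeholders: replace with the real server, account and paths.
my $host   = 'ftps.example.org';
my $user   = 'USERNAME';
my $pass   = 'PASSWORD';
my $remote = 'vb1301_erg.txt';

# Treat the "SSL_VERIFY_NONE ... is deprecated" warning as fatal: after
# the fix it should never appear, so seeing it means one of the two TLS
# channels was set up without peer verification.
local $SIG{__WARN__} = sub {
    my $msg = shift;
    die "unverified TLS channel detected: $msg" if $msg =~ /SSL_VERIFY_NONE/;
    warn $msg;
};

my $ftps = Net::FTPSSL->new(
    $host,
    Port          => 21,
    Encryption    => EXP_CRYPT,          # AUTH TLS (explicit FTPS)
    DataProtLevel => DATA_PROT_PRIVATE,  # PROT P: encrypt the data channel too
    Debug         => 1,
    DebugLogFile  => '/tmp/myLogFile.txt',
    SSL_Client_Certificate => {
        SSL_verify_mode => SSL_VERIFY_PEER,  # verify the server certificate
        SSL_ca_path     => '/etc/ssl/certs', # trust store to verify against
    },
) or die "connect failed: $Net::FTPSSL::ERRSTR\n";

$ftps->login($user, $pass) or die 'login failed: ' . $ftps->last_message;

# Both calls open a data channel, which must inherit the verified context
# of the command channel; the warning handler above aborts if it does not.
my @listing = $ftps->list('.');
print "$_\n" for @listing;
$ftps->get($remote, "/tmp/$remote") or die 'get failed: ' . $ftps->last_message;
$ftps->quit;
```

The debug log written to /tmp/myLogFile.txt is the same kind of file the ticket exchanges above, so it can be compared against the one attached to the ticket.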