Skip Menu |

Preferred bug tracker

Please visit the preferred bug tracker to report your issue.

This queue is for tickets about the Mail-Sender CPAN distribution.

Report information
The Basics
Id: 85438
Status: resolved
Priority: 0/
Queue: Mail-Sender
People
Owner: Nobody in particular
Requestors: alim [...] gmx.net
Cc:
AdminCc:
Bug Information
Severity: (no value)
Broken in: 0.8.22
Fixed in: (no value)

History Show all quoted text
  Sun May 19 01:48:23 2013 alim [...] gmx.net - Ticket created
Subject: "certificate verify failed" with default settings
In 0.8.22 the case of the 'tls_allowed' attribute was fixed, so the default of 1 is actually effective. But this fix has a problem (besides the fact that the POD still has the upper case 'TLS_allowed'): With this setting, and given that TLS is supported, IO::Socket::SSL tries a hostname verification and for this it needs a ca file which is not found (unless by chance there is a file in 'certs/my-ca.pem'). This in turn leads to a not very informative error message: "Failed to send the message: Connection not established" when trying to send a message in Mail::Sender. So, I think it would be helpful to - fix the documentation to at least make it easy to switch TLS off (tls_allowed => 0, not TLS_allowed) - either allow a parameter to pass the ca_file and/or default e.g. to Mozilla::CA::SSL_ca_file() if Mozilla::CA is installed, else give a hint that it won't work without a ca_file as long as tls_allowed is switched on. - if it still failes, give a better error message. While debugging I inserted a die IO_SOCKET_SSL(IO::Socket::SSL::errstr()) which is also returned in the 0.8.22 code but somehow doesn't make it to STDOUT. This would give a message like "error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" which helps a lot if used in Google. Until this issue is fixed and if someone finds this report having the same problem, here is my temporary fix: use Mozilla::CA; IO::Socket::SSL::set_defaults( SSL_ca_file => Mozilla::CA::SSL_ca_file(), ); -Michael
  Sun Jan 05 13:11:51 2014 Steffen_Ullrich [...] genua.de - Correspondence added
The real problem is, that SSL_verify_mode is explicitly set to 1 (e.g. server should be verified) while there is no SSL_ca_file or SSL_ca_path given where the trusted CAs are stored. Up to IO::Socket::SSL version 1.34 an invalid (e.g. nonexisting) SSL_ca_* setting threw a warning and then set SSL_verify_mode to 0 (disable verification). This wrong behavior (e.g. "silently" disabling wanted verification, CVE-2010-4334) was fixed with version 1.35 in 12/2010, e.g. from now on it caused an error unless there was a CA store in the default locations (ca/ or certs/my-ca.pem). With 1.951 (07/2013) IO::Socket::SSL uses the system default location unless another is defined, so it might magically work again.
  Sun Jan 05 13:11:52 2014 The RT System itself - Status changed from 'new' to 'open'
  Sat Feb 01 11:30:46 2014 alim [...] gmx.net - Correspondence added
From: alim [...] gmx.net
Perhaps it "magically" works in many settings but if not it is not so easy to see what is wrong and how to fix it. One reason is that Mail::Sender uses IO::Socket::SSL under the hood without exposing its interface (or at least important parts of it).
  Tue Jul 15 14:52:46 2014 JENDA [...] cpan.org - Correspondence added
0.8.23 allows you to specify the SSL options and mentions the Mozilla::CA, the verify mode etc. The default verify mode is NONE. Hope this solves the issues, I did not have a chance to test this extensively. Thank you, Jenda
  Tue Jul 15 14:52:47 2014 JENDA [...] cpan.org - Status changed from 'open' to 'resolved'