
This queue is for tickets about the AnyEvent CPAN distribution.

Report information
The Basics
Id: 87637
Status: rejected
Priority: 0/
Queue: AnyEvent

People
Owner: Nobody in particular
Requestors: IKEGAMI [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: AnyEvent::TLS failing to verify certs IO::Socket::SSL and FireFox can verify.
When using

    tls_ctx => {
        verify          => 1,
        verify_peername => 'http',
        ca_file         => Mozilla::CA::SSL_ca_file(),
    },

AnyEvent fails to connect to rpc.blockchain.info with the error

    ssl3_get_server_certificate: certificate verify failed

IO::Socket::SSL has no problem connecting with the same settings:

    SSL_verify_mode     => IO::Socket::SSL::SSL_VERIFY_PEER, # 1
    SSL_verifycn_scheme => 'http',
    SSL_ca_file         => Mozilla::CA::SSL_ca_file(),

I narrowed the problem to a difference in the values returned by Net::SSLeay::X509_get_subjectAltNames.

For AnyEvent::TLS, Net::SSLeay::X509_get_subjectAltNames($cert) returns

    0 2
    1 'blockchain.info'
    2 2
    3 'www.blockchain.info'

For IO::Socket::SSL, Net::SSLeay::X509_get_subjectAltNames($cert) returns

    0 2
    1 '*.blockchain.info'
    2 2
    3 'blockchain.info'

I have no idea how to determine why the returned values are different.

- Eric "ikegami" Brine
Subject: c.pl
use strict;
use warnings;
use feature qw( say );

use AnyEvent         qw( );
use AnyEvent::Handle qw( );
use Data::Dumper     qw( Dumper );
use IO::Socket::SSL  qw( );
use Mozilla::CA      qw( );

# Compact single-line dump of a data structure, used to print error details.
sub Dump {
    local $Data::Dumper::Useqq  = 1;
    local $Data::Dumper::Terse  = 1;
    local $Data::Dumper::Indent = 0;
    return Dumper($_[0]);
}

# --- AnyEvent::TLS: connect with peer verification against the Mozilla CA bundle ---

my $done = AnyEvent->condvar();

my $handle = AnyEvent::Handle->new(
    connect => [ 'rpc.blockchain.info', 'https' ],
    tls     => 'connect',
    tls_ctx => {
        verify          => 1,
        verify_peername => 'http',
        ca_file         => Mozilla::CA::SSL_ca_file(),
    },
    on_eof => sub {
        my $self = shift;
        say "AnyEvent::TLS: ok";
        $self->destroy;
        $done->send;
    },
    on_error => sub {
        my $self = shift;
        # Remaining arguments are ($fatal, $message).
        say "AnyEvent::TLS: ", Dump(\@_);
        $self->destroy;
        $done->send;
    },
);

$handle->push_write("GET / HTTP/1.0\r\n\r\n");
$done->recv();

# --- IO::Socket::SSL: same host, same verification settings ---

my $sock = IO::Socket::SSL->new(
    PeerHost            => 'rpc.blockchain.info',
    PeerPort            => 'https',
    SSL_verify_mode     => 1,  # IO::Socket::SSL::SSL_VERIFY_PEER
    SSL_verifycn_scheme => 'http',
    SSL_ca_file         => Mozilla::CA::SSL_ca_file(),
);

say "IO::Socket::SSL: ",
    $sock ? "ok" : "Failed connect or ssl handshake: $!,$IO::Socket::SSL::SSL_ERROR";
Subject: Re: [rt.cpan.org #87637] AnyEvent::TLS failing to verify certs IO::Socket::SSL and FireFox can verify.
Date: Tue, 6 Aug 2013 10:21:31 +0200
To: ikegami via RT <bug-AnyEvent [...] rt.cpan.org>
From: Marc Lehmann <schmorp [...] schmorp.de>
Hi!

Please send your bug report to the official contact/author address for the module in question (or send it to rt.cpan.org@schmorp.de, that's fine as well). What follows is the rationale for this request, you don't have to read it if you don't care.

Why is this necessary?

rt.cpan.org has many deficiencies which make it tedious and hard to use, increasing the workload on the people who provide all the perl modules you probably appreciate (and that is really to be avoided - module authors should be able to invest all their time into improving their modules and not fighting with rt.cpan.org's bugs).

Still, for some people, rt.cpan.org is useful to have, and some people even like it and really want to use it. That is fine, too.

Unfortunately, the designers of rt.cpan.org didn't make their "service" optional - you can neither opt-in nor opt-out of rt.cpan.org as a module author. Just like a spammer, rt.cpan.org forces its "service" (whether wanted or unwanted) on everybody. Just like a spammer, they don't care for the people they actively hurt. Just like a spammer, they don't care to fix these issues and make their "service" ethically acceptable. You cannot even configure it to redirect tickets to somewhere else.

Unfortunately, ignoring rt.cpan.org is not an option either: for people reporting possible bugs there is no indication that their report will be ignored, and for module authors it means they miss potentially vital bug reports such as yours (and of course it's a great impression if rt.cpan.org has lots of bug reports that are unanswered, making a module look unmaintained when in fact the opposite might be true).

I am sorry that this wasted a bit of your time, but please understand that I am just as much a victim as you are - the problem is the unethical stance of the rt.cpan.org providers who force their "service" on everybody.

Please redirect your bug report as stated in the beginning of this mail, and please consider petitioning the rt.cpan.org providers to stop their unethical behaviour and allow opt-in, opt-out, or some redirect option.

One last issue: many people mail me that this can be "fixed" by including the bugtracker element in my module meta file. This is not true:

1. This field only affects search.cpan.org and maybe similar services. (Many people confuse rt.cpan.org with search.cpan.org for some reason).
2. It doesn't even work (there are still links to rt.cpan.org displayed).
3. Even if search.cpan.org no longer displays the link, it doesn't actually affect rt.cpan.org (and tests have shown that people go to rt.cpan.org regardless).

Even *iff* rt.cpan.org would start listening on the bugtracker field, however, it's still wrong. I have a lot of modules, and each time a service like rt.cpan.org comes out, I would have to make dummy releases for all my modules. This not only creates a lot of extra work for me (I take releases very seriously) but also for users, who would wonder why there is a new release.

Thanks a lot,

Marc Lehmann <rt.cpan.org@schmorp.de>

Last updated: 2012-04-22
CC: IKEGAMI [...] cpan.org
Subject: Re: [rt.cpan.org #87637] AnyEvent::TLS failing to verify certs IO::Socket::SSL and FireFox can verify.
Date: Tue, 6 Aug 2013 10:03:53 -0400
To: bug-AnyEvent [...] rt.cpan.org
From: Eric Brine <ikegami [...] adaelis.com>
On Tue, Aug 6, 2013 at 4:21 AM, Marc Lehmann via RT <bug-AnyEvent@rt.cpan.org> wrote:

> <URL: https://rt.cpan.org/Ticket/Display.html?id=87637 >
>
> Hi!
>
> Please send your bug report to the official contact/author address for
> the module in question (or send it to rt.cpan.org@schmorp.de, that's fine
> as well). What follows is the rationale for this request, you don't have
> to read it if you don't care.
Gladly, but you'll need to specify what it is, as the distribution [http://cpansearch.perl.org/src/MLEHMANN/AnyEvent-7.04/META.json] does not, and neither does your email.
From the author:

> I have no idea how to determine why the returned values are different.

Me neither, but it is unlikely to have anything to do with AnyEvent::TLS, and depends solely on the server in question replying with the wrong certificate. A vague guess would be that maybe SNI is disabled and that confuses the server, but that is still simply a buggy server (and bound to trip a lot of code, as SNI isn't common).

In other words, AnyEvent::TLS might simply use different/tighter security defaults than IO::Socket::SSL. Maybe the server wants tls1.2 when ae::tls offers sslv3 and then fails to negotiate, or it can't cope with the sslv2 connect etc.

Your best bet is to contact the admin of the buggy server in question and ask them to fix their certificate, or, failing that, disable verification.
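The two subjectAltName lists quoted in the report, checked against the connected hostname with the usual 'http' scheme wildcard rules. This is an added illustration, not code from the ticket or from AnyEvent or IO::Socket::SSL; it assumes GEN_DNS has the value 2 that Net::SSLeay shows in the report's output, and shows that the certificate AnyEvent::TLS received simply never names rpc.blockchain.info, so the verify failure is the expected outcome once the server hands out that certificate.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): which of the two SAN lists quoted
# in the report actually covers the hostname being connected to?
use strict;
use warnings;
use feature qw( say );

# X509v3 GeneralName type for dNSName; Net::SSLeay reports it as 2 in the
# flat (type, value, type, value, ...) lists shown in the report.
use constant GEN_DNS => 2;

# True if $host is covered by a dNSName entry in the flat list $sans.
# Rules as in the 'http' verification scheme: case-insensitive compare,
# and a wildcard may only stand for the whole leftmost label, so
# '*.example.com' covers 'a.example.com' but not 'example.com'
# or 'a.b.example.com'.
sub san_matches_host {
    my ( $sans, $host ) = @_;
    $host = lc $host;
    my @pairs = @$sans;
    while ( my ( $type, $value ) = splice @pairs, 0, 2 ) {
        next unless $type == GEN_DNS;    # ignore IP, email, URI entries
        my $pat = lc $value;
        if ( $pat =~ /^\*\.([^*]+)$/ ) {
            my $suffix = $1;
            return 1 if $host =~ /^[^.]+\.\Q$suffix\E$/;
        }
        else {
            return 1 if $host eq $pat;
        }
    }
    return 0;
}

# The two SAN lists from the ticket, in Net::SSLeay's flat (type, value) layout.
my %seen_by = (
    'AnyEvent::TLS'   => [ GEN_DNS, 'blockchain.info',   GEN_DNS, 'www.blockchain.info' ],
    'IO::Socket::SSL' => [ GEN_DNS, '*.blockchain.info', GEN_DNS, 'blockchain.info' ],
);

# Hostname under test; defaults to the one used in the report.
my $host = $ARGV[0] // 'rpc.blockchain.info';

for my $client ( sort keys %seen_by ) {
    say sprintf '%-16s certificate %s %s', $client,
        ( san_matches_host( $seen_by{$client}, $host ) ? 'covers' : 'does NOT cover' ),
        $host;
}
```

Running it with a different hostname as the first argument shows the same rules applied to other names, for example that neither list covers a two-label-deep host such as a.rpc.blockchain.info.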