
This queue is for tickets about the perl-ldap CPAN distribution.

Report information
The Basics
Id: 90459
Status: resolved
Priority: 0/
Queue: perl-ldap

People
Owner: Nobody in particular
Requestors: klara.mall [...] kit.edu
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: 0.58



Subject: SSL fails after plain text + STARTTLS
Date: Sun, 17 Nov 2013 21:50:08 +0100
To: <bug-perl-ldap [...] rt.cpan.org>
From: Klara Mall <klara.mall [...] kit.edu>
Hi,

whenever I first connect to an LDAP server with plaintext + STARTTLS and after that to a different LDAP server with SSL, the verification of the certificate in the second connection fails.

Example code:
-----------------------------------------------------------------
#!/usr/bin/perl -w
use IO::Socket::SSL qw(debug3);

my $tls_host = "kit-dc-04.kit.edu";
my $ssl_host = "kit-ad.scc.kit.edu";

# first connection: plaintext LDAP, then upgraded with STARTTLS
require Net::LDAP;
my $ldap_tls = Net::LDAP->new( $tls_host, port => 389, timeout => 3);
$ldap_tls->start_tls( verify => 'require', cafile => 'ca.pem');

# second connection: a different server, SSL from the start (LDAPS)
require Net::LDAPS;
my $ldap_ssl = Net::LDAPS->new( $ssl_host, port => 636, timeout => 3,
                                verify => 'require', cafile => 'ca.pem');
-----------------------------------------------------------------

Result:
-----------------------------------------------------------------
DEBUG: .../IO/Socket/SSL.pm:1653: new ctx 22392624
DEBUG: .../IO/Socket/SSL.pm:1061: start handshake
DEBUG: .../IO/Socket/SSL.pm:383: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:433: set socket to non-blocking to enforce timeout=3
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22397184
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22521520
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22513408
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22421632
DEBUG: .../IO/Socket/SSL.pm:1201: scheme=ldap cert=22421632
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-dc-04.kit.edu alt=2 kit-dc-04.kit.edu 2 kit-dc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:501: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:1653: new ctx 22444320
DEBUG: .../IO/Socket/SSL.pm:363: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:365: socket connected
DEBUG: .../IO/Socket/SSL.pm:383: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:433: set socket to non-blocking to enforce timeout=3
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:456: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:466: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:486: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22556704
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22677424
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22669216
DEBUG: .../IO/Socket/SSL.pm:1641: ok=1 cert=22570864
DEBUG: .../IO/Socket/SSL.pm:1201: scheme=ldap cert=22570864
DEBUG: .../IO/Socket/SSL.pm:1210: identity=kit-dc-04.kit.edu cn=kit-ad.scc.kit.edu alt=1 f5@scc.kit.edu
DEBUG: .../IO/Socket/SSL.pm:446: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1328: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:452: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1328: IO::Socket::IP configuration failed error:00000000:lib(0):func(0):reason(0)
DEBUG: .../IO/Socket/SSL.pm:1690: free ctx 22444320 open=22444320 22392624
DEBUG: .../IO/Socket/SSL.pm:1695: free ctx 22444320 callback
DEBUG: .../IO/Socket/SSL.pm:1698: OK free ctx 22444320
DEBUG: .../IO/Socket/SSL.pm:1690: free ctx 22392624 open=22392624
DEBUG: .../IO/Socket/SSL.pm:1695: free ctx 22392624 callback
DEBUG: .../IO/Socket/SSL.pm:1698: OK free ctx 22392624
-----------------------------------------------------------------

I was not sure if this is a bug in IO::Socket::SSL or in Net::LDAP, so I first wrote to bug-IO-Socket-SSL@rt.cpan.org. Steffen told me the following:
> From my understanding it is a bug in Net::LDAP. In
> Net::LDAP::start_tls it applies the ssl specific settings,
> including SSL_verifycn_name, not only to the socket, but globally:
>
> 1053 sub start_tls {
> ...
> 1085   IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
> 1086   my $sock_class = ref($sock);
> 1087
> 1088   return $mesg
> 1089     if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)});
>
> The line 1085 is what causes the problem.
> Additionally SSL_verifycn_name is only set if
> _SSL_context_init_args is called from within start_tls, not from
> connect_ldaps (e.g. Net::LDAPS->new). So the latter call to
> Net::LDAPS->new will reuse the hostname for verification from the
> earlier start_tls call.
>
> Because in line 1089 the SSL upgrade of the socket is done with
> all SSL specific settings (which only apply to the socket) there
> should be no need for the global settings at all, so line 1085
> should simply be removed.
>
> The code in IO::Socket::SSL is at least in this regard correct:
> because the default and global ssl settings need to be applied
> when creating the socket (e.g. ciphers...) they must be mixed into
> the user supplied args before creating the socket.
>
> So please try to remove line 1085 from Net::LDAP and see if it
> fixes the problem.

I verified: removing line 1085 from Net::LDAP does fix the problem.

Regards
Klara
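An added regression check for the behaviour described in this ticket; it is not code from the report or from perl-ldap itself. It repeats the reporter's sequence (STARTTLS to one server, then LDAPS to a different one) and then asks IO::Socket::SSL directly, via its documented verify_hostname and peer_certificate methods on the socket that Net::LDAP's socket method returns, whether the second connection's certificate matches the name intended for that connection, so a verification name carried over from the first connection is reported explicitly rather than only as a generic "certificate verify failed". The hostnames and the ca.pem path are placeholders to replace with your own; the version threshold is taken from the ticket's "Fixed in: 0.58" field.

```perl
#!/usr/bin/perl
# Added example for RT #90459, not code from the report or from perl-ldap:
# repeat the two-connection sequence and explicitly re-check which name the
# LDAPS socket's certificate was verified against.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;
use IO::Socket::SSL;

my $tls_host = 'ldap-a.example.net';   # placeholder: server reached via STARTTLS
my $ssl_host = 'ldap-b.example.net';   # placeholder: server reached via LDAPS
my $cafile   = 'ca.pem';               # placeholder: CA bundle trusted for both

# The ticket's "Fixed in" field names perl-ldap 0.58; warn on anything older,
# where start_tls() still pushed its SSL settings into the global defaults.
warn "Net::LDAP $Net::LDAP::VERSION predates 0.58; the STARTTLS verify name "
   . "may leak into later LDAPS connections\n"
    if $Net::LDAP::VERSION < 0.58;

# Connection 1: plaintext LDAP upgraded with STARTTLS, CA-verified.
my $ldap_tls = Net::LDAP->new($tls_host, port => 389, timeout => 3)
    or die "connect to $tls_host failed: $@\n";
my $mesg = $ldap_tls->start_tls(verify => 'require', cafile => $cafile);
die "start_tls to $tls_host failed: " . $mesg->error . "\n" if $mesg->code;

# Connection 2: a different server over LDAPS, same verification settings.
# With the bug, this call fails with "certificate verify failed" because the
# certificate was compared against $tls_host instead of $ssl_host.
my $ldap_ssl = Net::LDAPS->new($ssl_host, port => 636, timeout => 3,
                               verify => 'require', cafile => $cafile)
    or die "LDAPS connect to $ssl_host failed: $@\n";

# Independent identity check on the established socket: match the peer
# certificate against the name intended for *this* connection, regardless
# of any process-global IO::Socket::SSL defaults in effect.
my $sock = $ldap_ssl->socket;
my $cn   = $sock->peer_certificate('cn') // '(no CN)';
if ($sock->verify_hostname($ssl_host, 'ldap')) {
    print "OK: certificate from $ssl_host (CN=$cn) matches $ssl_host\n";
} else {
    die "MISMATCH: certificate from $ssl_host (CN=$cn) does not match $ssl_host\n";
}
```

Run it once after upgrading perl-ldap: on an affected version the script dies at the LDAPS connect, on a fixed version it reaches the explicit check and prints the verified name.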
Hi,

On Sun Nov 17 15:50:25 2013, klara.mall@kit.edu wrote:
> ...
> I verified: removing line 1085 from Net::LDAP does fix the problem.

Thanks for your report and sorry for the delay (real life ...).
It should be fixed in the next version which I hope to release in December.

Best
Peter
Hi,

please have a look at https://github.com/perl-ldap/perl-ldap/commits/next
It contains the changes intended for the next release of perl-ldap, and I think the bug you reported is patched there.

Please test
Peter
Subject: Re: [rt.cpan.org #90459] SSL fails after plain text + STARTTLS
Date: Sat, 14 Dec 2013 22:56:14 +0100
To: Peter Marschall via RT <bug-perl-ldap [...] rt.cpan.org>
From: Klara Mall <klara.mall [...] kit.edu>
Hi Peter,

yes, the bug is patched there. My testing was successful. Thank you very much!

Regards
Klara

On Sat, Dec 14, 2013 at 05:28:59PM +0100, Peter Marschall via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=90459 >
>
> Hi,
>
> please have a look at
> https://github.com/perl-ldap/perl-ldap/commits/next
> It contains the changes intended for the next release of perl-ldap,
> and I think the bug you reported is patched there.
>
> Please test
> Peter
>