7:28 a.m.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Bug ID: 1532250
Summary: perl-Net-SSLeay fails to connect to some SSL servers
Product: Fedora
Version: 27
Component: perl-Net-SSLeay
Assignee: paul(a)city-fan.org
Reporter: mal(a)gromco.com
QA Contact: extras-qa(a)fedoraproject.org
CC: jose.p.oliveira.oss(a)gmail.com, kasal(a)ucw.cz,
paul(a)city-fan.org, perl-devel(a)lists.fedoraproject.org
In F26 F27 compiled
perl-Net-SSLeay-1.82-1.fc26.x86_64
fails to connect to some SSL servers, , but to the other can connect OK
Below is a test case and two examples.
www.google.com perl-Net-SSLeay connects OK
www.halstead.com perl-Net-SSLeay fails.
Code example xu.pl is below.
This works OK
perl -w xu.pl 'www.google.com'
And this one fails, and without any meaningful diag
perl -w xu.pl www.halstead.com
P.S. strange thing that this works OK
my($page) = Net::SSLeay::get_https('www.halstead.com', 443, '/');
------- sample code xu.pl ----
use strict;
require Net::SSLeay;
require IO::Socket::SSL;
#require IO::Socket::SSL qw(debug9);
$Net::SSLeay::trace = 3;
$Net::SSLeay::linux_debug =3 ;
# simple client
my $cl = IO::Socket::SSL->new($ARGV[0].":443");
print{*STDERR} "CL=",$cl,"\n";
print $cl "GET / HTTP/1.0\r\n\r\n";
print <$cl>;
----- end sample code -------------
This works OK
perl -w xu.pl 'www.google.com'
And this one fails, and without any Net::SSLeay diag, only SSL.pm
perl -w xu.pl www.halstead.com
Name "Net::SSLeay::trace" used only once: possible typo at xu.pl line 6.
Name "Net::SSLeay::linux_debug" used only once: possible typo at xu.pl line 7.
DEBUG: .../IO/Socket/SSL.pm:2764: new ctx 24108480
DEBUG: .../IO/Socket/SSL.pm:616: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:618: socket connected
DEBUG: .../IO/Socket/SSL.pm:641: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:674: using SNI with hostname www.halstead.com
DEBUG: .../IO/Socket/SSL.pm:709: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:743: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:746: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed
DEBUG: ...erl5/IO/Socket.pm:49: ignoring less severe local error
'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed'
DEBUG: .../IO/Socket/SSL.pm:2786: free ctx 24108480 open=24108480
DEBUG: .../IO/Socket/SSL.pm:2790: free ctx 24108480 callback
DEBUG: .../IO/Socket/SSL.pm:2797: OK free ctx 24108480
CL=Use of uninitialized value $cl in print at xu.pl line 11.
Can't use an undefined value as a symbol reference at xu.pl line 12.
--
You are receiving this mail because:
You are on the CC list for the bug.
9:58 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #1 from Paul Howarth <paul(a)city-fan.org> ---
The problem here is that the target server doesn't support newer SSL
protocols/ciphers, and the ones it does support are below the standard required
by the system-wide crypto policy (see
https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented in
Fedora's perl-IO-Socket-SSL package (this is why your use of raw Net::SSLeay
works, and IO::Socket::SSL doesn't).
I can make it work by changing the IO::Socket::SSL->new() invocation to this:
my $cl = IO::Socket::SSL->new(
PeerHost => $ARGV[0],
PeerPort => 'https',
SSL_cipher_list => 'DES-CBC3-SHA'
);
A useful debugging tool for this is analyze-ssl.pl, which you can get from
https://github.com/noxxi/p5-ssl-tools (this is from the upstream maintainer of
IO::Socket::SSL).
Example output:
$ perl analyze-ssl.pl www.halstead.com:443
-- www.halstead.com port 443
! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey
City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey
City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
* maximum SSL version : TLSv1 (SSLv23)
* supported SSL versions with handshake used and preferred cipher(s):
* handshake protocols ciphers
* SSLv23 TLSv1 DES-CBC3-SHA
* TLSv1_2 FAILED: SSL connect attempt failed error:1417110A:SSL
routines:tls_process_server_hello:wrong ssl version SSL connect attempt failed
* TLSv1_1 FAILED: SSL connect attempt failed error:1417110A:SSL
routines:tls_process_server_hello:wrong ssl version
* TLSv1 TLSv1 DES-CBC3-SHA
* SSLv3 SSLv3 DES-CBC3-SHA
* cipher order by : unknown
* SNI supported : ok
* certificate verified : ok
* chain on 209.173.134.149
* [0/0] bits=2048, ocsp_uri=http://ocsp.netsolssl.com,
/C=US/postalCode=10065/ST=NY/L=New York/street=770 Lexington Ave/O=Halstead
Property/OU=Web/OU=Secure Link SSL Wildcard/CN=*.halstead.com
SAN=DNS:*.halstead.com,DNS:halstead.com
* [1/1] bits=2048, ocsp_uri=http://ocsp.usertrust.com,
/C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server
CA 2
* [2/-] bits=4096, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=New
Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification
Authority
* [-/2] bits=4096, ocsp_uri=, /C=US/ST=New Jersey/L=Jersey City/O=The
USERTRUST Network/CN=USERTrust RSA Certification Authority
* OCSP stapling : no stapled response
* OCSP status : good (soft error: http://ocsp.usertrust.com: OCSP
response failed: internalerror; subject: /C=US/ST=VA/L=Herndon/O=Network
Solutions L.L.C./CN=Network Solutions OV Server CA 2; /C=US/ST=New
Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Au
thority)
--
You are receiving this mail because:
You are on the CC list for the bug.
10:37 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #2 from Need Real Name <mal(a)gromco.com> ---
Thank you, Paul. I will fix the script with the
SSL_cipher_list => 'DES-CBC3-SHA'
that you recommended, I have no control over the site www.halstead.com
My bug report was mostly about perl-Net-SSLeay cryptic error message:
DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed
I think that perl-Net-SSLeay can be much improved by making better SSL error
messages.
--
You are receiving this mail because:
You are on the CC list for the bug.
10:44 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #3 from Paul Howarth <paul(a)city-fan.org> ---
Requests for enhancements to Net::SSLeay's error messages would be best off
directed to the upstream maintainer. The documentation suggests
https://alioth.debian.org/projects/net-ssleay but
https://rt.cpan.org/Public/Dist/Display.html?Name=net-ssleay would probably
work too.
--
You are receiving this mail because:
You are on the CC list for the bug.
2:39 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Petr Pisar <ppisar(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ppisar(a)redhat.com
--- Comment #4 from Petr Pisar <ppisar(a)redhat.com> ---
(In reply to Paul Howarth from comment #1)
The problem here is that the target server doesn't support newer
SSL
protocols/ciphers, and the ones it does support are below the standard
required by the system-wide crypto policy (see
https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented
in Fedora's perl-IO-Socket-SSL package (this is why your use of raw
Net::SSLeay works, and IO::Socket::SSL doesn't).
I can make it work by changing the IO::Socket::SSL->new() invocation to this:
my $cl = IO::Socket::SSL->new(
PeerHost => $ARGV[0],
PeerPort => 'https',
SSL_cipher_list => 'DES-CBC3-SHA'
);
I'm not sure. "openssl s_client -connect www.halstead.com:443"
works. And
DES-CBC3-SHA has not yet been disabled in the global cryptopolicy
<https://bugzilla.redhat.com/show_bug.cgi?id=1487607#c6>;.
--
You are receiving this mail because:
You are on the CC list for the bug.
3:04 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #5 from Paul Howarth <paul(a)city-fan.org> ---
I'm not sure it's the best solution but it seems to be the smallest change that
makes it work. It looks like the server doesn't support anything beyond TLS
v1.0; is that cipher supported in TLS v1.1 or TLS v1.2?
--
You are receiving this mail because:
You are on the CC list for the bug.
11:32 a.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #6 from Ben Cotton <bcotton(a)redhat.com> ---
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30 Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '27'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 27 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
--
You are receiving this mail because:
You are on the CC list for the bug.
1:09 p.m.
New subject: [Bug 1532250] perl-Net-SSLeay fails to connect to some SSL servers
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Ben Cotton <bcotton(a)redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |CLOSED
Resolution|--- |EOL
Last Closed| |2018-11-30 14:09:26
--- Comment #7 from Ben Cotton <bcotton(a)redhat.com> ---
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.
Thank you for reporting this bug and we are sorry it could not be fixed.
--
You are receiving this mail because:
You are on the CC list for the bug.
1966
days inactive
2292
days old
perl-devel@lists.fedoraproject.org
7 comments
1 participants
participants (1)
-
bugzilla@redhat.com