From: Chris R. <chr...@me...> - 2000-11-29 11:56:37
Jeremy Anderson <je...@az...> wrote:

> This isn't REALLY a Net::LDAP problem (the problem is down in
> IO::Socket::SSL and SSLeay), but the support for these modules seems to be
> near-zero, and I figure that someone who's working on Net::LDAP should
> have seen this before.

Yeah, the SSLeay and IO::Socket::SSL modules are a bit "fragile", and I had
some problems in getting them working properly when writing Net::LDAPS.

Looking at my installation, I've got IO::Socket::SSL version 0.73, Net::SSLeay
version 1.05, and I built with OpenSSL 0.9.4. I'm running on the same version
of perl but on RedHat 6.1. There's only a single CPU in my laptop though! I
mean to look at getting the 'current' versions of all these bits of code
working properly...

> t/fh-test...........Use of uninitialized value at blib/lib/Net/SSLeay.pm
> (autosplit into blib/lib/auto/Net/SSLeay/randomize.al) line 1159. Use of
> uninitialized value at blib/lib/Net/SSLeay.pm (autosplit into

All those warnings are 'normal' with SSLeay.pm and documented by the author of
that module (or maybe the IO::Socket::SSL module, I forget.) The best way
around it I've found is to initialize IO::Socket::SSL and Net::SSLeay with
warnings turned off and 'no strict'. Here's what I wrote in the LDAPS pod:

    BEGIN {
        # Turn off all warnings etc whilst initializing
        # IO::Socket::SSL and Net::SSLeay.
        local $^W = 0;
        no strict;
        require Net::SSLeay;
        # The /dev/urandom is a device on Linux that returns
        # random data.
        Net::SSLeay::randomize('/dev/urandom');
        require Net::LDAPS;
    }

Hideous, huh?

> Has anyone seen this problem before? Is there a workaround? I have seen
> some mention on the mailing list about StartTLS (which seems to be another
> way of getting from a to b), but I'm not clear as to how to code
> for this. Both the documentation and the Net::LDAP code seem to be mute
> on the subject.

StartTLS is an extended LDAP request (RFC 2830) which lets you take a normal
'plaintext' LDAP connection and switch it into a TLS connection on the fly
(i.e. without closing and reopening a socket). Pretty cool, and it is the
IETF-recommended way of using a confidential connection with LDAP.

Net::LDAP doesn't support it yet as I cannot work out how to switch an
existing IO::Socket::INET into an IO::Socket::SSL. If someone can work that
out, adding StartTLS support will be relatively straightforward.

(One issue for adding that support is that the IO code in Net::LDAP needs
abstracting, as IO::Socket::SSL doesn't support all the methods that normal
sockets support. Maybe this means that IO::Socket::SSL needs fixing, but
abstracting Net::LDAP's IO is still sensible so it can support CLDAP. I worry
that this extra bit of abstraction will slow Net::LDAP down though.)

Looks like I've got some work to do!

Cheers,
Chris
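The StartTLS exchange Chris describes, shown at the wire level as an added example that is not part of the original thread and not Net::LDAP or IO::Socket::SSL code. It is written in Python rather than Perl so that it runs with only the standard library and stays independent of the modules under discussion: the client's ExtendedRequest carrying OID 1.3.6.1.4.1.1466.20037 (RFC 2830 section 2.1), the server's ExtendedResponse, and the step the thread is stuck on, handing the already-open TCP socket to the TLS layer without closing it (here via ssl.SSLContext.wrap_socket). The BER encoder and decoder are written by hand because the two messages are tiny; build_starttls_response exists only to construct sample server replies for offline testing, and the error text "TLS already established" in the test is likewise constructed. starttls() needs a live RFC 2830 server and is not exercised offline.

```python
"""StartTLS (RFC 2830) on the wire: build the ExtendedRequest, parse the ExtendedResponse,
and hand the *same* TCP socket to TLS only after a success result has been read."""
import ssl

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # RFC 2830, section 2.1; LDAP success is resultCode 0
# BER tags used by the two messages (LDAP ASN.1 from RFC 2251).
TAG_INTEGER, TAG_OCTET_STRING, TAG_ENUMERATED, TAG_SEQUENCE = 0x02, 0x04, 0x0A, 0x30
TAG_EXTENDED_REQUEST, TAG_EXTENDED_RESPONSE = 0x77, 0x78  # [APPLICATION 23] / [APPLICATION 24], constructed
TAG_REQUEST_NAME, TAG_RESPONSE_NAME = 0x80, 0x8A          # [0] requestName / [10] responseName

def ber_len(n):  # short form below 128, else 0x80|count followed by big-endian length bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):  # minimal two's-complement INTEGER; message IDs are non-negative
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, extendedReq { requestName = StartTLS OID } }; no requestValue."""
    ext = tlv(TAG_EXTENDED_REQUEST, tlv(TAG_REQUEST_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + ext)

def build_starttls_response(result_code, message_id=1, error_message=b""):
    """The server's reply; used here only to construct sample responses for offline testing."""
    result = (tlv(TAG_ENUMERATED, bytes([result_code]))  # resultCode (all LDAP codes are < 128)
              + tlv(TAG_OCTET_STRING, b"")               # matchedDN
              + tlv(TAG_OCTET_STRING, error_message)     # errorMessage
              + tlv(TAG_RESPONSE_NAME, STARTTLS_OID.encode("ascii")))
    return tlv(TAG_SEQUENCE, ber_int(message_id) + tlv(TAG_EXTENDED_RESPONSE, result))

def read_tlv(buf, pos):
    """Decode one BER element at buf[pos]; returns (tag, value, position just after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        count = first & 0x7F
        if count == 0 or count > 4:
            raise ValueError("unsupported BER length form")
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_starttls_response(msg, expected_id=1):
    """Check framing and message ID, then extract the LDAPResult fields of the ExtendedResponse."""
    tag, body, end = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE or end != len(msg):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    message_id = int.from_bytes(mid, "big", signed=True)
    if tag != TAG_INTEGER or message_id != expected_id:
        raise ValueError("messageID %r does not match request %r" % (message_id, expected_id))
    tag, resp, _ = read_tlv(body, pos)
    if tag != TAG_EXTENDED_RESPONSE:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    _, code, pos = read_tlv(resp, 0)  # resultCode ENUMERATED
    _, matched_dn, pos = read_tlv(resp, pos)
    _, error_message, pos = read_tlv(resp, pos)
    response_name = None
    while pos < len(resp):  # optional referral [3], responseName [10], response [11]
        tag, value, pos = read_tlv(resp, pos)
        if tag == TAG_RESPONSE_NAME:
            response_name = value.decode("ascii")
    return {"message_id": message_id, "result_code": int.from_bytes(code, "big", signed=True),
            "matched_dn": matched_dn.decode("utf-8"), "error_message": error_message.decode("utf-8"),
            "response_name": response_name}

def recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        data += chunk
    return data

def read_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage so nothing past it is consumed before TLS starts."""
    head = recv_exact(sock, 2)
    length = head[1]
    if length >= 0x80:  # long form: low seven bits give the number of length octets
        head += recv_exact(sock, length & 0x7F)
        length = int.from_bytes(head[2:], "big")
    return head + recv_exact(sock, length)

def starttls(sock, hostname, ctx=None, message_id=1):
    """Upgrade an open plaintext LDAP socket in place, as RFC 2830 describes: nothing else is sent
    between the request and the handshake, and the reply is fully read before TLS records begin."""
    ctx = ctx or ssl.create_default_context()  # default context verifies the chain and the hostname
    sock.sendall(build_starttls_request(message_id))
    reply = parse_starttls_response(read_ldap_message(sock), message_id)
    if reply["result_code"] != 0:
        raise RuntimeError("StartTLS refused: resultCode %d %s" % (reply["result_code"], reply["error_message"]))
    return ctx.wrap_socket(sock, server_hostname=hostname)  # same TCP connection, no close and reopen
```

Two details carry the security of the upgrade. The client must not send any further plaintext LDAP operations between the StartTLS request and the handshake, and it must consume exactly the one response message before TLS starts, which is why read_ldap_message honours the BER length rather than draining whatever recv() returns. The other is that the TLS context must verify the server certificate and the hostname (ssl.create_default_context() does both); a StartTLS that accepts any certificate protects against passive sniffing only. Later releases of IO::Socket::SSL and Net::LDAP did gain in-place upgrading (IO::Socket::SSL->start_SSL and Net::LDAP's start_tls), but the exchange they perform is the one above.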