From: Herbert S. <h.s...@ao...> - 2002-07-11 08:18:52
I see in the CVS LDAP.pm V1.33 that the start_tls is modified, but I think that the parameter handling is not correct. Please see the details below. See also Debian Bug report: #150413. The patch in this report does not put the start_tls parameter to the socketToSSL routine. Without the parameter verify => 'none' I get the error:

  Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

See details below.

$ dpkg -l libnet-ldap-perl libio-socket-ssl-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name               Version            Description
+++-==================-==================-====================================================
ii  libnet-ldap-perl   0.25-2             A Client interface to LDAP servers.
ii  libio-socket-ssl-p 0.81-1             Class implementing an object oriented interface to S
$

In my test perl script, the following line returns an error:

  $mesg = $ldap->start_tls (verify => 'none');

On the LDAP Server in debug mode I can see:

a:~# slapd -d 1 -h "ldap:/// ldaps:///"
[...]
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:985
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10

With this patch on SSL.pm

# diff -u SSL.pm.orig SSL.pm
--- SSL.pm.orig Wed Jul 3 10:39:39 2002
+++ SSL.pm Wed Jul 3 10:39:45 2002
@@ -505,6 +505,7 @@
 my $ssl = $ssl_obj->get_ssl_handle();
 if ( ($r = Net::SSLeay::connect($ssl)) <= 0 ) { # ssl/s23_clnt.c
 my $err_str = IO::Socket::SSL::_get_SSL_err_str();
+ print "Net::SSLeay::connect Error: $err_str\n";
 return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed");
 }
#

the $mesg = $ldap->start_tls (verify => 'none'); prints out:

  Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

With the input from http://www.rosat.mpe-garching.mpg.de/mailing-lists/perl-ldap/2002-05/msg00037.html I modified the LDAP.pm:

# diff -u LDAP.pm.orig LDAP.pm
--- LDAP.pm.orig Wed Jul 3 11:03:50 2002
+++ LDAP.pm Wed Jul 3 11:04:00 2002
@@ -790,7 +790,7 @@
 require Net::LDAPS;
 $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
 IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
- (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL', $sock)
+ (IO::Socket::SSL::socketToSSL($sock,{ Net::LDAPS::SSL_context_init_args($arg) } ))
 ? $mesg
 : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
 }
#

and the start_tls returns success. The TLS messages from the LDAP:

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
[...]
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
TLS trace: SSL3 alert write:warning:close notify
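Review bot: the added `print "Net::SSLeay::connect Error: $err_str\n";` in the SSL.pm hunk writes unconditionally to STDOUT from inside a library routine, so it should not be applied to IO::Socket::SSL as-is. The very next line already hands the failure to `IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed")`; the change worth submitting is to include `$err_str` in that message (or emit it with `warn` under the module's debug switch) so callers get the OpenSSL reason without the module spamming their output stream. As a local aid for reproducing the bug the print is fine.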
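Review bot: the replacement line in the LDAP.pm hunk drops `tie *{$sock}, 'IO::Socket::SSL', $sock` together with adding the context arguments, and the message does not say why. In the removed line the tie is what routed later reads and writes on `$sock` through IO::Socket::SSL; unless `socketToSSL` in the installed IO::Socket::SSL (0.81 per the dpkg listing) ties or re-blesses the handle itself, the client would report start_tls success and then send the bind and subsequent operations in clear. Please confirm that, or keep the `and tie ...` clause. Two smaller points: `Net::LDAPS::SSL_context_init_args($arg)` is now evaluated twice on adjacent lines (for `context_init` and again for `socketToSSL`); compute it once into a hash ref and pass that to both. And note what makes the test pass: the hunk finally honours `verify => 'none'`, which switches server certificate checking off entirely. The original "certificate verify failed" / "unknown CA" means the client has no CA for the slapd certificate, so the test script should make that CA known to the client (the CA file/path options IO::Socket::SSL and Net::LDAPS provide) rather than disable verification.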
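As an added example (not code from the original post or from perl-ldap), here is how a client script can request the server certificate check that the error above is complaining about instead of switching it off, and refuse to bind in clear if TLS does not come up. The host name, CA file path, bind DN and search base are assumed placeholders; the cafile option and the cipher() method are as documented in current Net::LDAP and may not be present in the 0.25 release discussed here.

```perl
#!/usr/bin/perl
# Added example, not from the original post or from perl-ldap.
# Upgrade a plain LDAP connection with start_tls, insist that the server
# certificate chains to a CA we trust, and never fall back to a cleartext bind.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed placeholders: replace with your server, CA bundle and account.
my $host    = 'ldap.example.org';
my $cafile  = '/etc/ssl/certs/example-ca.pem';   # CA that signed the slapd certificate
my $bind_dn = 'cn=reader,dc=example,dc=org';
my $base    = 'dc=example,dc=org';
my $bind_pw = $ENV{LDAP_PASSWORD};
defined $bind_pw or die "set LDAP_PASSWORD in the environment\n";

# Open the cleartext port; start_tls upgrades this same socket in place.
my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host failed: $@\n";

# verify => 'require' is the same server certificate check that failed in the
# post with "certificate verify failed". Supplying the CA makes it pass;
# verify => 'none' would also make it "pass", but by accepting any
# certificate, including one presented by a man in the middle.
# No sslversion is pinned: the 'tlsv1' default in the quoted hunk is obsolete,
# so protocol selection is left to the library.
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);
if ($mesg->code != LDAP_SUCCESS) {
    # Stop here. Continuing with a plain bind would send $bind_pw unencrypted.
    die sprintf "start_tls failed (%d): %s\n", $mesg->code, $mesg->error;
}
# cipher() is documented in current Net::LDAP; undef means no TLS on the socket.
my $cipher = $ldap->cipher;
defined $cipher or die "start_tls reported success but no cipher is active\n";
print "TLS established, cipher $cipher\n";

# Only now is it safe to send credentials.
$mesg = $ldap->bind($bind_dn, password => $bind_pw);
$mesg->code == LDAP_SUCCESS
    or die sprintf "bind failed (%d): %s\n", $mesg->code, $mesg->error;

$mesg = $ldap->search(base => $base, scope => 'base', filter => '(objectClass=*)');
$mesg->code == LDAP_SUCCESS
    or die sprintf "search failed (%d): %s\n", $mesg->code, $mesg->error;
printf "%d entries\n", $mesg->count;

$ldap->unbind;
```

The point of the two dies around start_tls is that a start_tls failure is a hard error, not something to log and proceed past: the bind that follows carries the password, so a script that ignores the Message code after start_tls silently downgrades to cleartext exactly when the server's identity could not be checked.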