From: Graham B. <gb...@po...> - 2002-07-12 14:17:03
Could someone verify this with http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz
and send a patch if it needs it. I cannot test anything SSL right now.

Graham.

On Thu, Jul 11, 2002 at 10:10:42AM +0200, Herbert Straub wrote:
> I see in the CVS LDAP.pm V1.33 that the start_tls is modified, but I
> think that the parameter handling is not correct. Please see the
> details below.
>
> See also Debian Bug report: #150413. The patch in this report does not
> pass the start_tls parameters to the socketToSSL routine. Without the
> parameter verify => 'none' I get the error:
>
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> See details below.
>
> $ dpkg -l libnet-ldap-perl libio-socket-ssl-perl
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err:
> uppercase=bad)
> ||/ Name Version Description
> +++-==================-==================-====================================================
>
> ii libnet-ldap-perl 0.25-2 A Client interface to LDAP
> servers.
> ii libio-socket-ssl-p 0.81-1 Class implementing an object
> oriented interface to S
> $
>
> In my test perl script, the following line returns an error:
> $mesg = $ldap->start_tls (verify => 'none');
>
> On the LDAP server in debug mode I can see:
>
> a:~# slapd -d 1 -h "ldap:/// ldaps:///"
> [...]
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:985
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
>
> With this patch on SSL.pm
> # diff -u SSL.pm.orig SSL.pm
> --- SSL.pm.orig Wed Jul 3 10:39:39 2002
> +++ SSL.pm Wed Jul 3 10:39:45 2002
> @@ -505,6 +505,7 @@
> my $ssl = $ssl_obj->get_ssl_handle();
> if ( ($r = Net::SSLeay::connect($ssl)) <= 0 ) { # ssl/s23_clnt.c
> my $err_str = IO::Socket::SSL::_get_SSL_err_str();
> + print "Net::SSLeay::connect Error: $err_str\n";
> return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect
> failed");
> }
>
> #
>
> The $mesg = $ldap->start_tls (verify => 'none');
>
> prints out:
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> With the input from
> http://www.rosat.mpe-garching.mpg.de/mailing-lists/perl-ldap/2002-05/msg00037.html
>
>
> I modified the LDAP.pm:
>
> # diff -u LDAP.pm.orig LDAP.pm
> --- LDAP.pm.orig Wed Jul 3 11:03:50 2002
> +++ LDAP.pm Wed Jul 3 11:04:00 2002
> @@ -790,7 +790,7 @@
> require Net::LDAPS;
> $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
> IO::Socket::SSL::context_init( {
> Net::LDAPS::SSL_context_init_args($arg) } );
> - (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock},
> 'IO::Socket::SSL', $sock)
> + (IO::Socket::SSL::socketToSSL($sock,{
> Net::LDAPS::SSL_context_init_args($arg) } ))
> ? $mesg
> : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
> }
> #
>
> and the start_tls returns success.
>
> The TLS messages from the LDAP server:
>
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
>
> [...]
>
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> TLS trace: SSL3 alert write:warning:close notify
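Review bot: in the SSL.pm hunk (@@ -505,6 +505,7 @@) the added `print "Net::SSLeay::connect Error: $err_str\n";` writes the OpenSSL error string to STDOUT from inside library code, so it is fine as the one-off diagnostic it served as here but should not be merged as-is. `$err_str` is already in hand on the line above, so fold it into the error that is returned, e.g. `return IO::Socket::SSL::_myerror($sock, "socketToSSL(): connect failed: $err_str");`, which lets Net::LDAP surface the real reason ("certificate verify failed") through its normal error path instead of a bare "connect failed" plus stray output on the program's stdout.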
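Review bot: the LDAP.pm hunk (@@ -790,7 +790,7 @@) drops the `tie *{$sock}, 'IO::Socket::SSL', $sock` that the removed line performed, and nothing in the hunk shows the two-argument `socketToSSL($sock, { ... })` call doing that tie itself; confirm it does, otherwise later reads and writes on `$sock` go to the raw socket rather than through the SSL layer, even though start_tls reports success. Two smaller points: `Net::LDAPS::SSL_context_init_args($arg)` is now evaluated twice (once for `context_init`, once for `socketToSSL`), so compute it once into a hash and pass that to both; and the reason this cures the reported symptom is that `verify => 'none'` now actually reaches IO::Socket::SSL, so the earlier "certificate verify failed" was the client correctly refusing a server chain it did not trust. The same plumbing carries the options that point the client at a trusted CA (`cafile`/`capath` in Net::LDAP's start_tls), which is what a deployment should pass instead of `verify => 'none'`.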
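A defender's view of the two slapd traces quoted above, as an added example that is not part of this thread or of perl-ldap: a small Python classifier that tells a handshake aborted by the client's fatal "unknown CA" alert from one that completed, run over constructed sample lines modelled on the quoted `slapd -d 1` output. The regexes and the `count_failures` tally are mine; only the trace line formats come from the thread.

```python
import re

# Constructed samples, abridged from the two slapd -d 1 traces quoted in the
# thread: the first handshake is aborted by the client, the second completes.
FAILED_TRACE = """\
connection_get(10): got connid=0
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
connection_read(10): TLS accept error error=-1 id=0, closing
"""
OK_TRACE = """\
connection_get(10): got connid=0
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL3 alert write:warning:close notify
"""

ALERT_RE = re.compile(r"SSL3 alert read:fatal:(?P<reason>.+)$")
FINISHED_RE = re.compile(r"SSL_accept:SSLv3 write finished A$")
ACCEPT_ERR_RE = re.compile(r"TLS accept error error=(?P<code>-?\d+)")

def classify_tls_trace(text):
    """Classify one connection's trace: ("failed", reason) when the client
    sent a fatal alert (reason taken from the alert line, e.g. "unknown CA")
    or slapd logged an accept error, ("completed", None) when the server wrote
    its Finished message, ("incomplete", None) for a truncated trace."""
    reason, completed = None, False
    for line in text.splitlines():
        if m := ALERT_RE.search(line):
            reason = m.group("reason").strip()
        elif FINISHED_RE.search(line):
            completed = True
        elif reason is None and (m := ACCEPT_ERR_RE.search(line)):
            reason = "accept error " + m.group("code")
    if reason is not None:
        return "failed", reason
    return ("completed", None) if completed else ("incomplete", None)

def count_failures(traces):
    """Tally failure reasons over many traces; a run of "unknown CA" means
    clients are rejecting the server's chain: fix the trust store, not verify."""
    tally = {}
    for status, reason in map(classify_tls_trace, traces):
        if status == "failed":
            tally[reason] = tally.get(reason, 0) + 1
    return tally
```

Feed it one connection's worth of `slapd -d 1` lines at a time; a client that was switched to `verify => 'none'` simply stops producing the "unknown CA" entry, which is why the tally, not the absence of errors, is the thing to watch.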