From: Herbert S. <h.s...@ao...> - 2002-07-15 22:16:15
Graham Barr wrote:
> Could someone verify this with
>
>     http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz
>
> and send a patch if it needs it. I cannot test anything SSL right now.
>
> Graham.

With the version from your URL I get the same error with start_tls:

    Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    start_tls returns: 1 Operations error

With my attached patch, start_tls returns success and the connection is established. Now, if I call start_tls with the argument verify => 'require', I get the same error as I described above (that is correct).

I think the problem is with the option arguments which are passed from the start_tls routine to the IO::Socket::SSL::socketToSSL routine. With my patch, the arguments are passed to the socketToSSL routine; without this patch, it seems that the options are lost.

In the ChangeLog of IO-Socket-SSL v0.81 I found the following two points:

- calling context_init twice destroyed global context. fix from Jason Heiss <jh...@of...>.
- socketToSSL() now respects context's SSL verify setting reported by Uri Guttman <ur...@st...>.

The difference of SSL.pm v0.80 - v0.81 shows:

# ***** socketToSSL
# support for startTLS.
sub socketToSSL {
my $sock = shift;
+ my $args = shift || {};
my $r;
if(!$sock) {
croak 'usage: IO::Socket::SSL::socketToSSL(socket)';
}
+ _preBlessInitAttrs($sock, fileno($sock));
# transform IO::Socket::INET to IO::Socket::SSL.
# create an SSL object.
my $ssl_obj;
- if( ! ($ssl_obj = SSL_SSL->new($sock, {})) ) {
- return undef; # can't create SSL_SSL.
+ if( ! ($ssl_obj = SSL_SSL->new($sock, $args)) ) {
+ my $err_str = IO::Socket::SSL::_get_SSL_err_str();
+ return IO::Socket::SSL::_myerror($sock, "socketToSSL(): " .
+ "unable to create SSL object");
}

It looks like the call of context_init in LDAP.pm::start_tls is useless for the socketToSSL routine:

    IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
    IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})

I don't know if the first line is obsolete for the operation of start_tls, or if it is required at another point?

Herbert
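Review bot: in the failure branch of the new `if( ! ($ssl_obj = SSL_SSL->new($sock, $args)) )` block, `$err_str` is fetched from `IO::Socket::SSL::_get_SSL_err_str()` and then never used; the `_myerror` call reports only "unable to create SSL object", so the caller loses the OpenSSL reason (for instance the certificate verify failure quoted in this report). Either append it to the message, e.g. `"socketToSSL(): unable to create SSL object: $err_str"`, or drop the unused variable. Now that the routine takes an optional options hashref as its second argument, the croak text `'usage: IO::Socket::SSL::socketToSSL(socket)'` should also be updated to mention it, e.g. `socketToSSL(socket [, \%args])`; `my $r;` is likewise declared but never used in the shown region.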
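The report above turns on which verify setting actually reaches the SSL layer when start_tls is called. The following is an added example, not code from this thread or from the Net::LDAP distribution: it calls start_tls twice against the same server, once with the lax default (verify => 'none', which accepts any server certificate) and once with verify => 'require' plus a CA directory, so the "certificate verify failed" outcome described in the report can be reproduced and distinguished from a successful verified handshake. The host name, port and CA path are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not from the perl-ldap thread or the Net::LDAP distribution):
# contrasts a StartTLS upgrade that skips certificate verification with one
# that requires the server certificate to chain to a trusted CA.
use strict;
use warnings;
use Net::LDAP;

# Assumed values: an LDAP server offering StartTLS on 389 and a directory
# holding the CA certificates that should vouch for it.
my $host   = 'ldap.example.org';
my $port   = 389;
my $capath = '/etc/ssl/certs';

# Opens a plain connection, attempts start_tls() with the given options and
# returns 1 on success, 0 on failure. start_tls() returns a Net::LDAP::Message;
# code() is 0 on success and error() carries the failure text, which is where
# the "Operations error" and the OpenSSL verify message in the report appear.
sub try_start_tls {
    my ($label, %opts) = @_;
    my $ldap = Net::LDAP->new($host, port => $port)
        or die "connect to $host:$port failed: $@";
    my $mesg = $ldap->start_tls(%opts);
    my $ok = $mesg->code ? 0 : 1;
    print "$label: ", ($ok ? "TLS established" : "start_tls failed: " . $mesg->error), "\n";
    $ldap->unbind;
    return $ok;
}

# Weak setting: the default verify mode 'none' accepts any certificate the
# server presents, so a successful handshake proves nothing about the peer.
try_start_tls('no verification', verify => 'none');

# Corrected setting: 'require' makes IO::Socket::SSL reject the handshake
# unless the server certificate validates against a CA found in $capath.
# Against a server with an untrusted or self-signed certificate this is the
# call that produces the "certificate verify failed" error seen in the report,
# which is the desired behaviour rather than a bug.
try_start_tls('verify required', verify => 'require', capath => $capath);
```

Only the second call gives any assurance of the server's identity; treat a start_tls that succeeds with verify => 'none' as an unauthenticated channel. If the second call fails, check that the CA that issued the server certificate is present in the configured capath (or use cafile to point at a single bundle) before weakening the verify mode.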