From: Graham B. <gb...@po...> - 2002-07-15 23:06:44
Thanks, I have applied the patch to CVS.

Graham.

On Tue, Jul 16, 2002 at 12:07:33AM +0200, Herbert Straub wrote:
> Graham Barr wrote:
>
> >Could someone verify this with
> >
> > http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz
> >
> >and send a patch if it needs it. I cannot test anything SSL right now.
> >
> >Graham.
> >
> >
> With the version from your URL I get the same error with start_tls:
>
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> start_tls returns: 1 Operations error
>
> With my attached patch, start_tls returns success and the connection
> is established. Now, if I call start_tls with the argument verify =>
> 'require' then I get the same error as I described above (that is correct).
>
> I think the problem is with the option arguments which are passed from
> the start_tls routine to the IO::Socket::SSL::socketToSSL routine. With
> my patch, the arguments are passed to the socketToSSL routine; without this
> patch, it seems that the options are lost. In the ChangeLog of
> IO-Socket-SSL v0.81 I found the following two points:
>
> - calling context_init twice destroyed global context. fix from
>   Jason Heiss <jh...@of...>.
> - socketToSSL() now respects context's SSL verify setting
>   reported by Uri Guttman <ur...@st...>.
>
> The difference of SSL.pm v.80 - v.81 shows:
>
>  # ***** socketToSSL
>
>  # support for startTLS.
>  sub socketToSSL {
>      my $sock = shift;
> +    my $args = shift || {};
>      my $r;
>
>      if(!$sock) {
>          croak 'usage: IO::Socket::SSL::socketToSSL(socket)';
>      }
> +    _preBlessInitAttrs($sock, fileno($sock));
>
>      # transform IO::Socket::INET to IO::Socket::SSL.
>
>      # create an SSL object.
>      my $ssl_obj;
> -    if( ! ($ssl_obj = SSL_SSL->new($sock, {})) ) {
> -        return undef; # can't create SSL_SSL.
> +    if( ! ($ssl_obj = SSL_SSL->new($sock, $args)) ) {
> +        my $err_str = IO::Socket::SSL::_get_SSL_err_str();
> +        return IO::Socket::SSL::_myerror($sock, "socketToSSL(): " .
> +                                         "unable to create SSL object");
>      }
>
> It looks like the call of context_init in LDAP.pm::start_tls is
> useless for the socketToSSL routine:
>
> IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
> IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})
>
> I don't know if the first line is obsolete for the operation of start_tls,
> or if it is required at another point?
>
>
> Herbert

> --- LDAP.pm.ORIG	Mon Jul 15 07:02:29 2002
> +++ LDAP.pm	Mon Jul 15 07:04:17 2002
> @@ -808,7 +808,7 @@
>      require Net::LDAPS;
>      $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
>      IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
> -    IO::Socket::SSL::socketToSSL($sock)
> +    IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})
>        ? $mesg
>        : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
>    }
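Review bot: in the `+` lines of the quoted `socketToSSL` excerpt (SSL.pm v0.80 to v0.81), `$err_str` is assigned from `_get_SSL_err_str()` but never used in the lines shown; the message handed to `_myerror` is the fixed string `"socketToSSL(): unable to create SSL object"`, so the OpenSSL error detail is discarded at the point where it is known. Appending `$err_str` to that message (or dropping the unused variable) would let a caller see the `certificate verify failed` reason in the returned error rather than only in the `Net::SSLeay::connect Error:` output quoted above.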
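Review bot: the `+` line of the LDAP.pm hunk evaluates `Net::LDAPS::SSL_context_init_args($arg)` a second time, immediately after the unchanged `context_init` line above it evaluated the same expression; build the hash once (`my %ssl_args = Net::LDAPS::SSL_context_init_args($arg);`) and pass `\%ssl_args` to both calls, and settle in the hunk whether the `context_init` call is still needed once `socketToSSL` receives the arguments directly, the question left open in the message, since the quoted ChangeLog notes that calling `context_init` twice destroyed the global context. Also, the unchanged `: _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@)` line reports `$@`, but the quoted `socketToSSL` returns its failure through `_myerror` rather than dying, so `$@` may be empty and the caller sees only `Operations error`, as in the output quoted above; consider reporting the IO::Socket::SSL error string instead.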