From: Ewa S. <Ewa...@un...> - 2002-05-10 08:06:14
Hello,

Thanks for your answer.

I have a correct PEM certificate (I've generated new ones) and a key without passphrase. I've changed the parameters for the start_tls function from

    start_tls(verify => 'none', sslversion => 'sslv3')

to

    start_tls(verify => "optional",
              sslversion => "sslv3",
              cafile => "/usr/local/openldap2/etc/openldap/cacert.pem");

And my program result was changed. Now I get the following error:

    Can't locate object method "TIEHANDLE" via package "IO::Socket::SSL" at
    /usr/lib/perl5/site_perl/5.6.0/Net/LDAP.pm line 793.

Now in my slapd's log I've not found errors like "bad certificate"; it seems that everything was correct but was stopped, because of (I think) this "TIEHANDLE" error above.

How can I correct this? I checked that the TIEHANDLE method is implemented in the IO::Socket::SSL package, so what do I have to do?

I will be grateful for any help.

Eva.

> > It looks like the problem may be the format of the files containing your
> > client certificate and key.
> >
> > Someone else recently was doing client auth with TLS and got it working,
> > but since I can't find their messages these are guesses:
> >
> > 1) make sure your cert and key are both in PEM format. OpenSSL has some
> > utilities to convert things into PEM format.
> >
> > 2) the private key has got to be unencrypted, because of the way Net::LDAP
> > uses the SSL code. (We should fix that by eg having a callback argument on
> > the SSL connect which returns the passphrase for the key. Doesn't look
> > hard..)
> >
> > Cheers,
> >
> > Chris
From: Ewa S. <Ewa...@un...> - 2002-05-10 13:13:17
Hi,

I found the reason why I couldn't use the start_tls function in my programs. I have used the IO::Socket::SSL v.0.81 package, and in this the socketToSSL function differs from the one in v.0.80 of this package. The difference is in the result of this method. In version 0.81 the TIEHANDLE method isn't implemented, because socketToSSL has implemented association with IO::Socket::SSL, and using

    tie *{$sock}, 'IO::Socket::SSL', $sock

in the Net::LDAP::start_tls function causes an error.

To use the latest version of IO::Socket::SSL it is possible to change the following line of the start_tls function of the Net::LDAP package from this:

    (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL', $sock)

to this:

    IO::Socket::SSL::socketToSSL($sock)

I am not sure that everything will be OK; my programs work correctly, but better for now (in my opinion) is to use the 0.80 version of the IO::Socket::SSL package. When I use IO::Socket::SSL v0.80 I have a successful TLS connection.

It seems that the perl-ldap packages are implemented for IO::Socket::SSL v.0.80, not for the newer 0.81 version. Are you going to make changes in Net::LDAP to take into consideration the latest version of the IO::Socket::SSL package?

Sincerely
Eva

On Fri, 10 May 2002, Ewa Skrenty wrote:

> Hello,
>
> Thanks for your answer.
>
> I have a correct PEM certificate (I've generated new ones) and a key without
> passphrase. I've changed the parameters for the start_tls function from
>
> start_tls(verify => 'none', sslversion => 'sslv3')
>
> to
>
> start_tls( verify => "optional",
> sslversion => "sslv3",
> cafile => "/usr/local/openldap2/etc/openldap/cacert.pem");
>
> And my program result was changed. Now I get the following error:
>
> Can't locate object method "TIEHANDLE" via package "IO::Socket::SSL" at
> /usr/lib/perl5/site_perl/5.6.0/Net/LDAP.pm line 793.
>
> Now in my slapd's log I've not found errors like "bad certificate"; it
> seems that everything was correct but was stopped, because of (I think)
> this "TIEHANDLE" error above.
>
> How can I correct this? I checked that the TIEHANDLE method is implemented in
> the IO::Socket::SSL package, so what do I have to do?
>
> I will be grateful for any help.
>
> Eva.
>
> > > It looks like the problem may be the format of the files containing your
> > > client certificate and key.
> > >
> > > Someone else recently was doing client auth with TLS and got it working,
> > > but since I can't find their messages these are guesses:
> > >
> > > 1) make sure your cert and key are both in PEM format. OpenSSL has some
> > > utilities to convert things into PEM format.
> > >
> > > 2) the private key has got to be unencrypted, because of the way Net::LDAP
> > > uses the SSL code. (We should fix that by eg having a callback argument on
> > > the SSL connect which returns the passphrase for the key. Doesn't look
> > > hard..)
> > >
> > > Cheers,
> > >
> > > Chris
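The message above ends up recommending the untied socketToSSL call plus a minimum IO::Socket::SSL version, and its first attempt used verify => 'none'. The script below is an added example written for this page, not code from the thread or from the perl-ldap project. It guards on IO::Socket::SSL >= 0.81 the way the later Makefile.PL check does, then upgrades the connection with start_tls requiring the server certificate to chain to the CA file from the thread. The host name, bind DN, password and client cert/key paths are placeholders; the verify, cafile, clientcert and clientkey options are documented Net::LDAP start_tls options, and the example deliberately omits the thread's sslversion => "sslv3" setting so the library's own default protocol selection applies.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from perl-ldap): connect to an LDAP
# server, check the installed IO::Socket::SSL version, then run start_tls with
# certificate verification required rather than verify => 'none'.
use strict;
use warnings;
use Net::LDAP;

# Same guard the thread proposes for Makefile.PL: refuse to run against an
# IO::Socket::SSL older than 0.81, the version from which the 'tie' workaround
# in Net::LDAP::start_tls was no longer needed. UNIVERSAL::VERSION dies when
# the installed version is lower than the one requested.
BEGIN {
    eval { require IO::Socket::SSL; IO::Socket::SSL->VERSION(0.81); 1 }
        or die "IO::Socket::SSL >= 0.81 is required: $@";
}

my $host   = 'ldap.example.com';                                # placeholder
my $cafile = '/usr/local/openldap2/etc/openldap/cacert.pem';    # from the thread
my $bind_dn  = 'cn=reader,dc=example,dc=com';                   # placeholder
my $password = 'change-me';                                     # placeholder

my $ldap = Net::LDAP->new($host, port => 389, timeout => 10)
    or die "cannot connect to $host: $@";

# verify => 'require' makes the handshake fail unless the server certificate
# chains to a CA in $cafile. verify => 'none' (the thread's first attempt)
# accepts any certificate, so the session would encrypt traffic but give no
# assurance about who is on the other end before the bind password is sent.
my $mesg = $ldap->start_tls(
    verify     => 'require',
    cafile     => $cafile,
    # TLS client authentication: PEM files, and an unencrypted key for the
    # Net::LDAP/IO::Socket::SSL versions discussed in the thread.
    clientcert => '/path/to/client-cert.pem',                   # placeholder
    clientkey  => '/path/to/client-key.pem',                    # placeholder
);
die "start_tls failed: " . $mesg->error if $mesg->code;

# Only bind (and thereby send the password) once TLS is established.
$mesg = $ldap->bind($bind_dn, password => $password);
die "bind failed: " . $mesg->error if $mesg->code;

print "TLS-protected bind as $bind_dn succeeded\n";
$ldap->unbind;
```

If the CA file does not contain the issuer of the server certificate, start_tls returns an error code and the script stops before the bind, which is the failure mode you want; with verify => 'none' the same misconfiguration would go unnoticed.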
From: Chris R. <chr...@me...> - 2002-05-10 13:31:27
Ewa Skrenty <Ewa...@un...> wrote:
> Hi,
> I found the reason why I couldn't use the start_tls function in my
> programs. I have used the IO::Socket::SSL v.0.81 package, and in this
> the socketToSSL function differs from the one in v.0.80 of this package.
> The difference is in the result of this method. In version 0.81 the
> TIEHANDLE method isn't implemented, because socketToSSL has implemented
> association with IO::Socket::SSL, and using
>
> tie *{$sock}, 'IO::Socket::SSL', $sock
>
> in the Net::LDAP::start_tls function causes an error.

Yes, that would explain it.

> To use the latest version of IO::Socket::SSL it is possible to change the
> following line of the start_tls function of the Net::LDAP package
> from this:
>
> (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL',
> $sock)
>
> to this:
>
> IO::Socket::SSL::socketToSSL($sock)

If I recall (Graham?) the 'and tie ...' was to avoid a bug in
IO::Socket::SSL::socketToSSL. I guess that bug workaround could go, but then
there would need to be a test in the Makefile.PL for a specific (ie >= 0.81)
version of IO::Socket::SSL.

Cheers,

Chris
From: Graham B. <gb...@po...> - 2002-05-28 08:21:48
On Fri, May 10, 2002 at 02:32:07PM +0100, Chris Ridd wrote:
> > To use the latest version of IO::Socket::SSL it is possible to change the
> > following line of the start_tls function of the Net::LDAP package
> > from this:
> >
> > (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL',
> > $sock)
> >
> > to this:
> >
> > IO::Socket::SSL::socketToSSL($sock)
>
> If I recall (Graham?) the 'and tie ...' was to avoid a bug in
> IO::Socket::SSL::socketToSSL. I guess that bug workaround could go, but
> then there would need to be a test in the Makefile.PL for a specific (ie >=
> 0.81) version of IO::Socket::SSL.

Yes.

Graham.
From: Chris R. <chr...@me...> - 2002-05-28 09:24:42
On 28/5/02 9:20 am, Graham Barr <gb...@po...> wrote:
> On Fri, May 10, 2002 at 02:32:07PM +0100, Chris Ridd wrote:
>>> To use the latest version of IO::Socket::SSL it is possible to change the
>>> following line of the start_tls function of the Net::LDAP package
>>> from this:
>>>
>>> (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL',
>>> $sock)
>>>
>>> to this:
>>>
>>> IO::Socket::SSL::socketToSSL($sock)
>>
>> If I recall (Graham?) the 'and tie ...' was to avoid a bug in
>> IO::Socket::SSL::socketToSSL. I guess that bug workaround could go, but
>> then there would need to be a test in the Makefile.PL for a specific (ie >=
>> 0.81) version of IO::Socket::SSL.
>
> Yes.

I committed a fix for that (removed the 'and tie...' and tweaked the
Makefile.PL to check for the IO::Socket version) last week, so hopefully it
made it into the interim 0.251 release. Julian Onions also noticed a
regression in the start_tls method, and I've committed his fix for that.

Since we're talking about SSL...

Someone here (I can't remember who) was asking if we could use encrypted
private key files in client SSL authentication - we couldn't because there
was no support for it in IO::Socket::SSL and Net::SSLeay.

I've since sent some changes to the authors of the IO::Socket::SSL and
Net::SSLeay modules that allow for this, so there'll be another minor change
coming to expose that functionality in LDAPS/start_tls. I could probably
commit those changes now, except they'd have zero effect until revised
IO::Socket::SSL and Net::SSLeay libraries came out.. Any preferences, Graham?

Cheers,

Chris
From: Graham B. <gb...@po...> - 2002-05-28 09:30:24
On Tue, May 28, 2002 at 10:24:16AM +0100, Chris Ridd wrote:
> On 28/5/02 9:20 am, Graham Barr <gb...@po...> wrote:
>
> > On Fri, May 10, 2002 at 02:32:07PM +0100, Chris Ridd wrote:
> >>> To use the latest version of IO::Socket::SSL it is possible to change the
> >>> following line of the start_tls function of the Net::LDAP package
> >>> from this:
> >>>
> >>> (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL',
> >>> $sock)
> >>>
> >>> to this:
> >>>
> >>> IO::Socket::SSL::socketToSSL($sock)
> >>
> >> If I recall (Graham?) the 'and tie ...' was to avoid a bug in
> >> IO::Socket::SSL::socketToSSL. I guess that bug workaround could go, but
> >> then there would need to be a test in the Makefile.PL for a specific (ie >=
> >> 0.81) version of IO::Socket::SSL.
> >
> > Yes.
>
> I committed a fix for that (removed the 'and tie...' and tweaked the
> Makefile.PL to check for the IO::Socket version) last week, so hopefully it
> made it into the interim 0.251 release. Julian Onions also noticed a
> regression in the start_tls method, and I've committed his fix for that.

It was not in 0.251. That release contained ONLY the changes for Authen::SASL.

> Since we're talking about SSL...
>
> Someone here (I can't remember who) was asking if we could use encrypted
> private key files in client SSL authentication - we couldn't because there
> was no support for it in IO::Socket::SSL and Net::SSLeay.
>
> I've since sent some changes to the authors of the IO::Socket::SSL and
> Net::SSLeay modules that allow for this, so there'll be another minor change
> coming to expose that functionality in LDAPS/start_tls. I could probably
> commit those changes now, except they'd have zero effect until revised
> IO::Socket::SSL and Net::SSLeay libraries came out.. Any preferences,
> Graham?

Sounds good to me.

Graham.
From: Chris R. <chr...@me...> - 2002-05-28 11:26:23
Graham Barr <gb...@po...> wrote:
>> I've since sent some changes to the authors of the IO::Socket::SSL and
>> Net::SSLeay modules that allow for this, so there'll be another minor
>> change coming to expose that functionality in LDAPS/start_tls. I could
>> probably commit those changes now, except they'd have zero effect until
>> revised IO::Socket::SSL and Net::SSLeay libraries came out.. Any
>> preferences, Graham?
>
> Sounds good to me.

Done.

Cheers,

Chris