From: Herbert S. <h.s...@ao...> - 2002-07-11 08:18:52
I see in the CVS LDAP.pm V1.33 that the start_tls is modified, but I think that the parameter handling is not correct. Please see the details below.

See also Debian Bug report: #150413. The patch in this report does not put the start_tls parameters to the socketToSSL routine. Without the parameter verify => 'none' I get the error:

Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

See details below.

$ dpkg -l libnet-ldap-perl libio-socket-ssl-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name               Version            Description
+++-==================-==================-====================================================
ii  libnet-ldap-perl   0.25-2             A Client interface to LDAP servers.
ii  libio-socket-ssl-p 0.81-1             Class implementing an object oriented interface to S
$

In my test perl script, the following line returns an error:

$mesg = $ldap->start_tls (verify => 'none');

On the LDAP Server in debug mode I can see:

a:~# slapd -d 1 -h "ldap:/// ldaps:///"
[...]
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL3 alert read:fatal:unknown CA
TLS trace: SSL_accept:failed in SSLv3 read client certificate A
TLS: can't accept.
TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca s3_pkt.c:985
connection_read(10): TLS accept error error=-1 id=0, closing
connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10

With this patch on SSL.pm

# diff -u SSL.pm.orig SSL.pm
--- SSL.pm.orig Wed Jul 3 10:39:39 2002
+++ SSL.pm Wed Jul 3 10:39:45 2002
@@ -505,6 +505,7 @@
     my $ssl = $ssl_obj->get_ssl_handle();
     if ( ($r = Net::SSLeay::connect($ssl)) <= 0 ) { # ssl/s23_clnt.c
         my $err_str = IO::Socket::SSL::_get_SSL_err_str();
+        print "Net::SSLeay::connect Error: $err_str\n";
         return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed");
     }
#

the $mesg = $ldap->start_tls (verify => 'none');

prints out:

Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

With the input from
http://www.rosat.mpe-garching.mpg.de/mailing-lists/perl-ldap/2002-05/msg00037.html

I modified the LDAP.pm:

# diff -u LDAP.pm.orig LDAP.pm
--- LDAP.pm.orig Wed Jul 3 11:03:50 2002
+++ LDAP.pm Wed Jul 3 11:04:00 2002
@@ -790,7 +790,7 @@
     require Net::LDAPS;
     $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
     IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
-    (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL', $sock)
+    (IO::Socket::SSL::socketToSSL($sock,{ Net::LDAPS::SSL_context_init_args($arg) } ))
       ? $mesg
       : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
 }
#

and the start_tls returns success.

The TLS messages from the LDAP:

TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write server done A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
connection_get(10): got connid=0
connection_read(10): checking for input on id=0
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data

[...]

connection_closing: readying conn=0 sd=10 for close
connection_close: conn=0 sd=10
TLS trace: SSL3 alert write:warning:close notify
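Review bot: the added `print` in the SSL.pm hunk at @@ -505,6 +505,7 @@ writes the OpenSSL error to STDOUT unconditionally from inside library code, which is fine as a local debugging aid but not as a change to apply. The reason string is already in `$err_str`, so it belongs in the error the caller receives, e.g. `return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed: $err_str");`, which is what start_tls then reports through its `_error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@)` path instead of leaving "Operations error" without the cause.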
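Review bot: the LDAP.pm hunk at @@ -790,7 +790,7 @@ silently drops the `tie *{$sock}, 'IO::Socket::SSL', $sock` from the removed line without saying why; the patch should state whether socketToSSL in IO::Socket::SSL 0.81 now sets the socket up itself, otherwise the reader has to assume the tie was dead code. The change also has a security consequence worth documenting: with the options now reaching socketToSSL, `verify => 'none'` really disables checking of the server certificate, and the trace above ("SSL3 alert read:fatal:unknown CA" on the server side) shows the client rejecting the server's certificate because its CA is not configured on the client; that is the condition to fix, not a reason to ship `verify => 'none'` in callers.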
From: Graham B. <gb...@po...> - 2002-07-12 14:17:03
Could someone verify this with

  http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz

and send a patch if it needs it. I cannot test anything SSL right now.

Graham.

On Thu, Jul 11, 2002 at 10:10:42AM +0200, Herbert Straub wrote:
> I see in the CVS LDAP.pm V1.33 that the start_tls is modified, but I
> think that the parameter handling is not correct. Please see the
> details below.
>
> See also Debian Bug report: #150413. The patch in this report does not
> put the start_tls parameters to the socketToSSL routine. Without the
> parameter verify => 'none' I get the error:
>
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> See details below.
>
> $ dpkg -l libnet-ldap-perl libio-socket-ssl-perl
> Desired=Unknown/Install/Remove/Purge/Hold
> | Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
> |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
> ||/ Name               Version            Description
> +++-==================-==================-====================================================
> ii  libnet-ldap-perl   0.25-2             A Client interface to LDAP servers.
> ii  libio-socket-ssl-p 0.81-1             Class implementing an object oriented interface to S
> $
>
> In my test perl script, the following line returns an error:
> $mesg = $ldap->start_tls (verify => 'none');
>
> On the LDAP Server in debug mode I can see:
>
> a:~# slapd -d 1 -h "ldap:/// ldaps:///"
> [...]
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL3 alert read:fatal:unknown CA
> TLS trace: SSL_accept:failed in SSLv3 read client certificate A
> TLS: can't accept.
> TLS: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> s3_pkt.c:985
> connection_read(10): TLS accept error error=-1 id=0, closing
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
>
> With this patch on SSL.pm
> # diff -u SSL.pm.orig SSL.pm
> --- SSL.pm.orig Wed Jul 3 10:39:39 2002
> +++ SSL.pm Wed Jul 3 10:39:45 2002
> @@ -505,6 +505,7 @@
>      my $ssl = $ssl_obj->get_ssl_handle();
>      if ( ($r = Net::SSLeay::connect($ssl)) <= 0 ) { # ssl/s23_clnt.c
>          my $err_str = IO::Socket::SSL::_get_SSL_err_str();
> +        print "Net::SSLeay::connect Error: $err_str\n";
>          return IO::Socket::SSL::_myerror($sock,"socketToSSL(): connect failed");
>      }
> #
>
> The $mesg = $ldap->start_tls (verify => 'none');
>
> prints out:
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> With the input from
> http://www.rosat.mpe-garching.mpg.de/mailing-lists/perl-ldap/2002-05/msg00037.html
>
> I modified the LDAP.pm:
>
> # diff -u LDAP.pm.orig LDAP.pm
> --- LDAP.pm.orig Wed Jul 3 11:03:50 2002
> +++ LDAP.pm Wed Jul 3 11:04:00 2002
> @@ -790,7 +790,7 @@
>      require Net::LDAPS;
>      $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
>      IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
> -    (IO::Socket::SSL::socketToSSL($sock) and tie *{$sock}, 'IO::Socket::SSL', $sock)
> +    (IO::Socket::SSL::socketToSSL($sock,{ Net::LDAPS::SSL_context_init_args($arg) } ))
>        ? $mesg
>        : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
>  }
> #
>
> and the start_tls returns success.
>
> The TLS messages from the LDAP:
>
> TLS trace: SSL_accept:before/accept initialization
> TLS trace: SSL_accept:SSLv3 read client hello A
> TLS trace: SSL_accept:SSLv3 write server hello A
> TLS trace: SSL_accept:SSLv3 write certificate A
> TLS trace: SSL_accept:SSLv3 write server done A
> TLS trace: SSL_accept:SSLv3 flush data
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> TLS trace: SSL_accept:error in SSLv3 read client certificate A
> connection_get(10): got connid=0
> connection_read(10): checking for input on id=0
> TLS trace: SSL_accept:SSLv3 read client key exchange A
> TLS trace: SSL_accept:SSLv3 read finished A
> TLS trace: SSL_accept:SSLv3 write change cipher spec A
> TLS trace: SSL_accept:SSLv3 write finished A
> TLS trace: SSL_accept:SSLv3 flush data
>
> [...]
>
> connection_closing: readying conn=0 sd=10 for close
> connection_close: conn=0 sd=10
> TLS trace: SSL3 alert write:warning:close notify
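The two start_tls configurations discussed in the thread side by side, as an added example that is not part of any message above: the call that validates the server certificate against a configured CA, and the verify => 'none' call that only makes the "certificate verify failed" error go away by disabling that validation. The host name and CA file path are placeholders; cafile and verify => 'require' are start_tls options of Net::LDAP that the thread does not show, and the cipher() check assumes Net::LDAP's cipher method returns undef on a non-TLS connection.

```perl
#!/usr/bin/perl
# Added example, not from the perl-ldap thread. Placeholder values:
# $host and $cafile; adjust both for a real directory server.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $host   = 'ldap.example.com';              # placeholder
my $cafile = '/etc/ssl/certs/example-ca.pem'; # placeholder: CA that signed the server cert

# Upgrade a plain LDAP connection to TLS and return the Net::LDAP object,
# or die with the reason reported by start_tls. $verify is 'require' or 'none'.
sub connect_with_tls {
    my ($host, $verify, $cafile) = @_;
    my $ldap = Net::LDAP->new($host, port => 389)
        or die "connect to $host failed: $@";

    my %tls = (verify => $verify, sslversion => 'tlsv1');   # 'tlsv1' is the thread's default
    $tls{cafile} = $cafile if $verify eq 'require';         # the CA is what makes 'require' succeed

    # With the bug from the thread these options never reached socketToSSL,
    # so the context's default verify setting applied and the handshake
    # failed with "certificate verify failed" (client) / "unknown CA" (server).
    my $mesg = $ldap->start_tls(%tls);
    die sprintf("start_tls(verify => '%s') failed: %s", $verify, $mesg->error)
        unless $mesg->code == LDAP_SUCCESS;

    # Do not bind until the socket has really been upgraded (assumption:
    # Net::LDAP's cipher() returns undef when the connection is not TLS).
    die "connection is still cleartext" unless defined $ldap->cipher;
    return $ldap;
}

# Correct configuration: the server certificate is validated against $cafile.
my $ldap = connect_with_tls($host, 'require', $cafile);

# The weak configuration from the thread. It "works" only because it turns
# off server certificate validation, so any host presenting any certificate
# is accepted; use it only to confirm that the failure above is a CA problem.
# my $ldap = connect_with_tls($host, 'none');

$ldap->unbind;
```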
From: Herbert S. <h.s...@ao...> - 2002-07-15 22:16:15
Attachments:
ldap-start-tls.patch
Graham Barr wrote:
> Could someone verify this with
>
>   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz
>
> and send a patch if it needs it. I cannot test anything SSL right now.
>
> Graham.

With the version from your URL I get the same error with start_tls:

Net::SSLeay::connect Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
start_tls returns: 1 Operations error

With my attached patch, the start_tls returns success and the connection is established. Now, if I call start_tls with the argument verify => 'require' then I get the same error as I described above (that is correct).

I think the problem is with the option arguments which are passed from the start_tls routine to the IO::Socket::SSL::socketToSSL routine. With my patch, the arguments are passed to the socketToSSL routine; without this patch, it seems that the options are lost. In the ChangeLog of IO-Socket-SSL v0.81 I found the following two points:

  - calling context_init twice destroyed global context. fix from
    Jason Heiss <jh...@of...>.
  - socketToSSL() now respects context's SSL verify setting
    reported by Uri Guttman <ur...@st...>.

The difference of SSL.pm v.80 - v.81 shows:

 # ***** socketToSSL

 # support for startTLS.
 sub socketToSSL {
     my $sock = shift;
+    my $args = shift || {};
     my $r;

     if(!$sock) {
         croak 'usage: IO::Socket::SSL::socketToSSL(socket)';
     }
+    _preBlessInitAttrs($sock, fileno($sock));

     # transform IO::Socket::INET to IO::Socket::SSL.

     # create an SSL object.
     my $ssl_obj;
-    if( ! ($ssl_obj = SSL_SSL->new($sock, {})) ) {
-        return undef; # can't create SSL_SSL.
+    if( ! ($ssl_obj = SSL_SSL->new($sock, $args)) ) {
+        my $err_str = IO::Socket::SSL::_get_SSL_err_str();
+        return IO::Socket::SSL::_myerror($sock, "socketToSSL(): " .
+                                         "unable to create SSL object");
     }

It looks like the call of context_init in LDAP.pm::start_tls is useless for the socketToSSL routine:

IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})

I don't know if the first line is obsolete for the operation of start_tls, or if it is required at another point?

Herbert
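Review bot: in the quoted IO::Socket::SSL 0.80 to 0.81 diff of socketToSSL, `$err_str` is assigned from `_get_SSL_err_str()` and then never used; `_myerror` receives only the fixed string "unable to create SSL object", so the OpenSSL reason is discarded, which is exactly the information that had to be recovered with the ad-hoc print in the earlier SSL.pm hunk. Appending `$err_str` to that message would fix it. The diff also answers the question in the text: `SSL_SSL->new($sock, $args)` builds the SSL object from the per-call `$args`, so the options have to be passed to socketToSSL; whether `context_init` is still needed depends on whether SSL_SSL->new also reads the global context, which these lines do not show.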
From: Graham B. <gb...@po...> - 2002-07-15 23:06:44
Thanks, I have applied the patch to CVS

Graham.

On Tue, Jul 16, 2002 at 12:07:33AM +0200, Herbert Straub wrote:
> Graham Barr wrote:
>
> > Could someone verify this with
> >
> >   http://monty.mutatus.co.uk/~gbarr/perl-ldap-0.25_03.tar.gz
> >
> > and send a patch if it needs it. I cannot test anything SSL right now.
> >
> > Graham.
>
> With the version from your URL I get the same error with start_tls:
>
> Net::SSLeay::connect Error: error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> start_tls returns: 1 Operations error
>
> With my attached patch, the start_tls returns success and the connection
> is established. Now, if I call start_tls with the argument verify =>
> 'require' then I get the same error as I described above (that is correct).
>
> I think the problem is with the option arguments which are passed from
> the start_tls routine to the IO::Socket::SSL::socketToSSL routine. With
> my patch, the arguments are passed to the socketToSSL routine; without this
> patch, it seems that the options are lost. In the ChangeLog of
> IO-Socket-SSL v0.81 I found the following two points:
>
>   - calling context_init twice destroyed global context. fix from
>     Jason Heiss <jh...@of...>.
>   - socketToSSL() now respects context's SSL verify setting
>     reported by Uri Guttman <ur...@st...>.
>
> The difference of SSL.pm v.80 - v.81 shows:
>
>  # ***** socketToSSL
>
>  # support for startTLS.
>  sub socketToSSL {
>      my $sock = shift;
> +    my $args = shift || {};
>      my $r;
>
>      if(!$sock) {
>          croak 'usage: IO::Socket::SSL::socketToSSL(socket)';
>      }
> +    _preBlessInitAttrs($sock, fileno($sock));
>
>      # transform IO::Socket::INET to IO::Socket::SSL.
>
>      # create an SSL object.
>      my $ssl_obj;
> -    if( ! ($ssl_obj = SSL_SSL->new($sock, {})) ) {
> -        return undef; # can't create SSL_SSL.
> +    if( ! ($ssl_obj = SSL_SSL->new($sock, $args)) ) {
> +        my $err_str = IO::Socket::SSL::_get_SSL_err_str();
> +        return IO::Socket::SSL::_myerror($sock, "socketToSSL(): " .
> +                                         "unable to create SSL object");
>      }
>
> It looks like the call of context_init in LDAP.pm::start_tls is
> useless for the socketToSSL routine:
>
> IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
> IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})
>
> I don't know if the first line is obsolete for the operation of start_tls,
> or if it is required at another point?
>
>
> Herbert

> --- LDAP.pm.ORIG Mon Jul 15 07:02:29 2002
> +++ LDAP.pm Mon Jul 15 07:04:17 2002
> @@ -808,7 +808,7 @@
>      require Net::LDAPS;
>      $arg->{sslversion} = 'tlsv1' unless defined $arg->{sslversion};
>      IO::Socket::SSL::context_init( { Net::LDAPS::SSL_context_init_args($arg) } );
> -    IO::Socket::SSL::socketToSSL($sock)
> +    IO::Socket::SSL::socketToSSL($sock, {Net::LDAPS::SSL_context_init_args($arg)})
>        ? $mesg
>        : _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $@);
>  }
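Review bot: the attached hunk @@ -808,7 +808,7 @@ evaluates `Net::LDAPS::SSL_context_init_args($arg)` twice on consecutive lines, once for `context_init` and once for `socketToSSL`; hoist it into one variable (`my %ssl_args = Net::LDAPS::SSL_context_init_args($arg);`) and pass `\%ssl_args` to both calls, so the two cannot drift apart. The hunk also keeps `context_init` although the covering message asks whether that call is still needed once socketToSSL gets the arguments; the applied patch should either drop it or carry a comment stating why it stays, given the 0.81 ChangeLog entry quoted above about calling context_init twice destroying the global context.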