https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Bug ID: 1532250 Summary: perl-Net-SSLeay fails to connect to some SSL servers Product: Fedora Version: 27 Component: perl-Net-SSLeay Assignee: paul@city-fan.org Reporter: mal@gromco.com QA Contact: extras-qa@fedoraproject.org CC: jose.p.oliveira.oss@gmail.com, kasal@ucw.cz, paul@city-fan.org, perl-devel@lists.fedoraproject.org
In F26 F27 compiled perl-Net-SSLeay-1.82-1.fc26.x86_64 fails to connect to some SSL servers, , but to the other can connect OK Below is a test case and two examples. www.google.com perl-Net-SSLeay connects OK www.halstead.com perl-Net-SSLeay fails. Code example xu.pl is below.
This works OK perl -w xu.pl 'www.google.com' And this one fails, and without any meaningful diag perl -w xu.pl www.halstead.com
P.S. strange thing that this works OK my($page) = Net::SSLeay::get_https('www.halstead.com', 443, '/');
------- sample code xu.pl ---- use strict; require Net::SSLeay; require IO::Socket::SSL; #require IO::Socket::SSL qw(debug9);
$Net::SSLeay::trace = 3; $Net::SSLeay::linux_debug =3 ; # simple client my $cl = IO::Socket::SSL->new($ARGV[0].":443");
print{*STDERR} "CL=",$cl,"\n"; print $cl "GET / HTTP/1.0\r\n\r\n"; print <$cl>; ----- end sample code -------------
This works OK perl -w xu.pl 'www.google.com' And this one fails, and without any Net::SSLeay diag, only SSL.pm perl -w xu.pl www.halstead.com Name "Net::SSLeay::trace" used only once: possible typo at xu.pl line 6. Name "Net::SSLeay::linux_debug" used only once: possible typo at xu.pl line 7. DEBUG: .../IO/Socket/SSL.pm:2764: new ctx 24108480 DEBUG: .../IO/Socket/SSL.pm:616: socket not yet connected DEBUG: .../IO/Socket/SSL.pm:618: socket connected DEBUG: .../IO/Socket/SSL.pm:641: ssl handshake not started DEBUG: .../IO/Socket/SSL.pm:674: using SNI with hostname www.halstead.com DEBUG: .../IO/Socket/SSL.pm:709: request OCSP stapling DEBUG: .../IO/Socket/SSL.pm:743: call Net::SSLeay::connect DEBUG: .../IO/Socket/SSL.pm:746: done Net::SSLeay::connect -> -1 DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed DEBUG: ...erl5/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed' DEBUG: .../IO/Socket/SSL.pm:2786: free ctx 24108480 open=24108480 DEBUG: .../IO/Socket/SSL.pm:2790: free ctx 24108480 callback DEBUG: .../IO/Socket/SSL.pm:2797: OK free ctx 24108480 CL=Use of uninitialized value $cl in print at xu.pl line 11.
Can't use an undefined value as a symbol reference at xu.pl line 12.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #1 from Paul Howarth paul@city-fan.org --- The problem here is that the target server doesn't support newer SSL protocols/ciphers, and the ones it does support are below the standard required by the system-wide crypto policy (see https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented in Fedora's perl-IO-Socket-SSL package (this is why your use of raw Net::SSLeay works, and IO::Socket::SSL doesn't).
I can make it work by changing the IO::Socket::SSL->new() invocation to this:
my $cl = IO::Socket::SSL->new( PeerHost => $ARGV[0], PeerPort => 'https', SSL_cipher_list => 'DES-CBC3-SHA' );
A useful debugging tool for this is analyze-ssl.pl, which you can get from https://github.com/noxxi/p5-ssl-tools (this is from the upstream maintainer of IO::Socket::SSL).
Example output: $ perl analyze-ssl.pl www.halstead.com:443 -- www.halstead.com port 443 ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority' ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority' * maximum SSL version : TLSv1 (SSLv23) * supported SSL versions with handshake used and preferred cipher(s): * handshake protocols ciphers * SSLv23 TLSv1 DES-CBC3-SHA * TLSv1_2 FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version SSL connect attempt failed * TLSv1_1 FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version * TLSv1 TLSv1 DES-CBC3-SHA * SSLv3 SSLv3 DES-CBC3-SHA * cipher order by : unknown * SNI supported : ok * certificate verified : ok * chain on 209.173.134.149 * [0/0] bits=2048, ocsp_uri=http://ocsp.netsolssl.com, /C=US/postalCode=10065/ST=NY/L=New York/street=770 Lexington Ave/O=Halstead Property/OU=Web/OU=Secure Link SSL Wildcard/CN=*.halstead.com SAN=DNS:*.halstead.com,DNS:halstead.com * [1/1] bits=2048, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2 * [2/-] bits=4096, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority * [-/2] bits=4096, ocsp_uri=, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority * OCSP stapling : no stapled response * OCSP status : good (soft error: http://ocsp.usertrust.com: OCSP response failed: internalerror; subject: /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2; /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Au thority)
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #2 from Need Real Name mal@gromco.com --- Thank you, Paul. I will fix the script with the SSL_cipher_list => 'DES-CBC3-SHA' that you recommended, I have no control over the site www.halstead.com
My bug report was mostly about perl-Net-SSLeay cryptic error message:
DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed
I think that perl-Net-SSLeay can be much improved by making better SSL error messages.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #3 from Paul Howarth paul@city-fan.org --- Requests for enhancements to Net::SSLeay's error messages would be best off directed to the upstream maintainer. The documentation suggests https://alioth.debian.org/projects/net-ssleay but https://rt.cpan.org/Public/Dist/Display.html?Name=net-ssleay would probably work too.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Petr Pisar ppisar@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |ppisar@redhat.com
--- Comment #4 from Petr Pisar ppisar@redhat.com --- (In reply to Paul Howarth from comment #1)
The problem here is that the target server doesn't support newer SSL protocols/ciphers, and the ones it does support are below the standard required by the system-wide crypto policy (see https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented in Fedora's perl-IO-Socket-SSL package (this is why your use of raw Net::SSLeay works, and IO::Socket::SSL doesn't).
I can make it work by changing the IO::Socket::SSL->new() invocation to this:
my $cl = IO::Socket::SSL->new( PeerHost => $ARGV[0], PeerPort => 'https', SSL_cipher_list => 'DES-CBC3-SHA' );
I'm not sure. "openssl s_client -connect www.halstead.com:443" works. And DES-CBC3-SHA has not yet been disabled in the global cryptopolicy https://bugzilla.redhat.com/show_bug.cgi?id=1487607#c6.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #5 from Paul Howarth paul@city-fan.org --- I'm not sure it's the best solution but it seems to be the smallest change that makes it work. It looks like the server doesn't support anything beyond TLS v1.0; is that cipher supported in TLS v1.1 or TLS v1.2?
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
--- Comment #6 from Ben Cotton bcotton@redhat.com --- This message is a reminder that Fedora 27 is nearing its end of life. On 2018-Nov-30 Fedora will stop maintaining and issuing updates for Fedora 27. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '27'.
Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.
Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 27 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above.
Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
https://bugzilla.redhat.com/show_bug.cgi?id=1532250
Ben Cotton bcotton@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL Last Closed| |2018-11-30 14:09:26
--- Comment #7 from Ben Cotton bcotton@redhat.com --- Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.
Thank you for reporting this bug and we are sorry it could not be fixed.
perl-devel@lists.fedoraproject.org