Bug#848346: libnet-ssleay-perl: certificate verify fails

Niko Tyni ntyni at debian.org
Fri Dec 16 22:28:22 UTC 2016


Control: reassign -1 libio-socket-ssl-perl
Control: severity -1 serious

On Fri, Dec 16, 2016 at 02:53:29PM +0100, Aldus wrote:
> Package: libnet-ssleay-perl
> Version: 1.78-1+b1
> Severity: important
> 
> libnet-ssleay-perl was broken by the upgrade from 1.78-1 to 1.78-1+b1.
> 
> In order to check for unread mail on remote servers (googlemail and
> others), I use a script including the following lines:
> 
>   my $socket = IO::Socket::SSL->new(
>     PeerAddr => 'imap.googlemail.com',
>     PeerPort => 993
>    )
>    or die "socket(): $@";
> 
> This worked until yesterday. After upgrading libnet-ssleay-perl to
> 1.78-1+b1, the script returns the error message:
> 
>   socket(): SSL connect attempt failed error:1416F086:SSL
>   routines:tls_process_server_certificate:certificate verify failed at
>   ./gmail.pl line 13 [the line quoted above]
> 
> To make the script work again, I downgraded libnet-ssleay-perl to 1.78-1,
> but I hope the bug will be fixed soon.

Thanks for the report. The upgraded package is built against openssl 1.1
instead of 1.0.2, and the regression is related to that.

It looks like IO::Socket::SSL::default_ca() determines the base dir
for finding CA certificates by calling Net::SSLeay::SSLeay_version(5),
which no longer gives OPENSSLDIR with OpenSSL 1.1:

(old)
# perl -MNet::SSLeay -le 'print Net::SSLeay::SSLeay_version(5)' 
OPENSSLDIR: "/usr/lib/ssl" 

(new)
# perl -MNet::SSLeay -le 'print Net::SSLeay::SSLeay_version(5)'
ENGINESDIR: "/usr/lib/x86_64-linux-gnu/engines-1.1"

The magic constants apparently have shifted by one with the openssl
change, so OPENSSLDIR is now at 4.

I'm guessing IO::Socket::SSL should use names and not numbers for the
constants; see

 https://www.openssl.org/docs/man1.0.2/crypto/SSLeay_version.html

 https://www.openssl.org/docs/man1.1.0/crypto/OPENSSL_VERSION_NUMBER.html

but I fear Net::SSLeay doesn't currently provide them...

Anyway, reassigning to libio-socket-ssl-perl, which clearly needs to
adapt somehow, and raising the severity to mark this release critical.
-- 
Niko Tyni   ntyni at debian.org
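Added example (not from this thread, and not IO::Socket::SSL's own code): a CA base-directory lookup that scans the SSLeay_version() output for the OPENSSLDIR label instead of trusting the magic index 5, so it yields the same answer under OpenSSL 1.0.2 and 1.1; the 0..8 type range and the openssl_dir name are my assumptions.

```perl
#!/usr/bin/perl
# Find OPENSSLDIR by label rather than by numeric type code. The codes
# shifted by one between OpenSSL 1.0.2 (OPENSSLDIR at 5) and 1.1
# (ENGINESDIR at 5, OPENSSLDIR at 4), which is what broke default_ca().
use strict;
use warnings;
use Net::SSLeay;

# Probe a small range of type codes (assumed range) and pick the one whose
# text carries the OPENSSLDIR label. Unknown codes return "not available".
sub openssl_dir {
    for my $type (0 .. 8) {
        my $line = Net::SSLeay::SSLeay_version($type);
        next unless defined $line;
        # Expected form: OPENSSLDIR: "/usr/lib/ssl"
        if ($line =~ /^OPENSSLDIR:\s*"([^"]+)"/) {
            return $1;
        }
    }
    return;    # not found: caller must supply the CA path explicitly
}

my $dir = openssl_dir();
if (defined $dir) {
    print "OPENSSLDIR is $dir\n";
    # The CA store normally lives below it as $dir/certs and $dir/cert.pem;
    # pass SSL_ca_path => "$dir/certs" to IO::Socket::SSL->new if needed.
} else {
    # Fail closed: keep certificate verification on and point SSL_ca_path
    # at the system store (e.g. /etc/ssl/certs) rather than disabling it.
    warn "could not determine OPENSSLDIR; set SSL_ca_path explicitly\n";
}
```

Running this against both package builds shows the same directory, which is the check that confirms the label-based lookup survives the constant renumbering.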
