Bug#830152: libnet-ssleay-perl: Under mod_perl, first client connection fails in CTX_new, but subsequent connections work

Ivan Kohler ivan-debian at 420.am
Wed Jul 6 18:05:03 UTC 2016


Package: libnet-ssleay-perl
Version: 1.74-1
Severity: important

Running in a (preforking) mod_perl context, the first client connection
attempted (during each process lifetime) fails.  Subsequent connections work.

Example script:

  #!/usr/bin/perl
  use Net::SSLeay qw(post_https make_form);
  $Net::SSLeay::trace = 0;

  my $host = 'secure.authorize.net';

  my ($page, $response, %reply_headers) = post_https($host, 443, '/', '', make_form(var1 => 'one', var2 => 'two' ));
  print "response $response\n";

  #again, it'll work...
  ($page, $response, %reply_headers) = post_https($host, 443, '/', '', make_form(var1 => 'one', var2 => 'two' ));
  print "response $response\n";

Example Apache config:

  AddHandler perl-script .cgi
  PerlHandler ModPerl::Registry
  Options +ExecCGI

In a non-mod_perl context, this returns (e.g., depending on $host):

  ivan at fleetpaw:/var/www/html$ perl testssl.cgi 
  response HTTP/1.1 303 See Other
  response HTTP/1.1 303 See Other

In a mod_perl context, the first time this is called in a process (i.e. after a
restart), this returns:

  response HTTP/1.0 900 NET OR SSL ERROR

  CTX_new 30723: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line
  CTX_new 30723: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start line

  response HTTP/1.1 303 See Other

Full trace of failing connection:

  do_httpx3(POST,1,secure.authorize.net:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al) line 1318. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/do_httpx3.al):1318)
  httpx_cat: usessl=1 (secure.authorize:443) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al) line 1227. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/httpx_cat.al):1227)
  Opening connection to secure.authorize.net:443 (64.94.118.32) at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 486. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):486)
  next connect at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 491. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):491)
  connected to secure.authorize.net, 443 at blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al) line 494. (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/open_tcp_connection.al):494)
  Creating SSL 0 context... (blib/lib/Net/SSLeay.pm (autosplit into blib/lib/auto/Net/SSLeay/https_cat.al):1126)
  CTX_new 30717: 1 - error:0906D06C:PEM routines:PEM_read_bio:no start line (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422)
  CTX_new 30717: 2 - error:0906D06C:PEM routines:PEM_read_bio:no start line (/usr/lib/x86_64-linux-gnu/perl5/5.22/Net/SSLeay.pm:422)

Changing $host between connections has no effect, so it isn't a per-host
failure/cache.  Changing $ssl_version has no effect.  This does not appear to
be specific to ModPerl::Registry (originally observed in an HTML::Mason app).

I believe this behavior is present back to jessie.  Not sure about wheezy.

As a workaround, I'm using the following code per-process to trigger the
one-time context creation error so all subsequent real connections work:

  {
    use Net::SSLeay;
    package Net::SSLeay;
    initialize();
    my $bad_ctx = new_x_ctx();
    while ( ERR_get_error() ) {}; #print_errs('CTX_new');
    CTX_free($bad_ctx);
  }

Oddly, retrieving the errors is necessary to make this work.

-- 
Ivan Kohler
President and Head Geek, Freeside Internet Services, Inc.  http://freeside.biz/
Debian GNU/Linux developer  |  CPAN author  |  cat person  |  ski addict


-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libnet-ssleay-perl depends on:
ii  libc6                       2.22-13
ii  libssl1.0.2                 1.0.2h-1
ii  perl                        5.22.2-1
ii  perl-base [perlapi-5.22.1]  5.22.2-1

libnet-ssleay-perl recommends no packages.

Versions of packages libnet-ssleay-perl suggests:
ii  libperl5.22 [libmime-base64-perl]  5.22.2-1

-- no debconf information


