Bug#1104296: Net::SMTP::TLS fails when with hostname verification failed
Peter Palfrader
weasel at debian.org
Mon Apr 28 13:26:52 BST 2025
Package: libnet-smtp-tls-perl
Version: 0.12-4
Severity: important
Tags: patch
Hi,
after upgrading to Debian 12, some of our tooling fell over with
| Couldn't start TLS: hostname verification failed
Turns out, Net::SMTP::TLS does not provide the hostname to
the code that in the end tries to verify the CN, so that
code in turn ends up using the socket endpoint IP address.
To reproduce:
weasel@gander:~$ perl -MNet::SMTP::TLS -e '$smtp = Net::SMTP::TLS->new("mailly.debian.org")'
Couldn't start TLS: hostname verification failed
at -e line 1.
This seems like it might be a sane fix:
--- TLS.pm 2025-04-28 14:22:13.523427780 +0200
+++ /usr/share/perl5/Net/SMTP/TLS.pm 2025-04-28 14:22:24.631519263 +0200
@@ -178,7 +178,7 @@
if(not $num == 220){
croak "Invalid response for STARTTLS: $num $txt\n";
}
- if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
+ if(not IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host})){
croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
}
$me->hello();
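Review bot: On the `+` line, socket_to_SSL is given only SSL_verifycn_name, so the certificate is checked against $me->{Host} but nothing in this call sets SSL_hostname for SNI. Consider passing `SSL_hostname=>$me->{Host}` alongside `SSL_verifycn_name=>$me->{Host}`, so that a server holding several certificates is asked for the one being verified. The line also uses $me->{Host} without checking that it is defined, or that it is a name rather than an IP literal. A guard before the call, or a comment stating where Host is set, would make that assumption explicit.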
in sub starttls.
With that patch applied, things work:
weasel@gander:~$ perl -MNet::SMTP::TLS -e '$smtp = Net::SMTP::TLS->new("mailly.debian.org")'
weasel@gander:~$
Cheers,
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/