Bug#1104296: Net::SMTP::TLS fails when with hostname verification failed
gregor herrmann
gregoa at debian.org
Wed May 7 20:50:15 BST 2025
On Mon, 28 Apr 2025 12:26:52 +0000, Peter Palfrader wrote:
>after upgrading to Debian 12, some of our tooling fell over with
>| Couldn't start TLS: hostname verification failed
>Turns out, Net::SMTP::TLS does not provide the hostname to
>the code that in the end tries to verify the CN, so that
>code in turn ends up using the socket endpoint IP address.
Thanks!
Forwarded upstream as https://rt.cpan.org/Ticket/Display.html?id=164994
2 remarks:
1) AFAIK Net::SMTP has supported TLS for quite some time, so
Net::SMTP::TLS might be unneeded by now.
2) Regarding the patch:
>- if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
>+ if(not IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host})){
> croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
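Review bot: on the added `socket_to_SSL(...)` line, `SSL_verifycn_name` is taken straight from `$me->{Host}`, and nothing visible in this hunk shows that the value is always defined and is a name rather than an IP address; if the caller constructed the object with an address, verification will keep failing against a certificate that only carries DNS names, so it is worth confirming how `Host` is populated or documenting that a hostname is required. The same call could also pass `SSL_hostname => $me->{Host}` so that SNI carries the name the certificate is checked against. Since IO::Socket::SSL's documentation says to use `IO::Socket::SSL->start_SSL()` instead of `socket_to_SSL()`, the call could be switched at the same time, with the same `SSL_verifycn_name` argument.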
Looking at IO::Socket::SSL's documentation (admittedly on my unstable
machine):
socketToSSL() and socket_to_SSL()
use IO::Socket::SSL->start_SSL() instead
I see the point of keeping upstream's use of socket_to_SSL(); just
another hint that Net::SMTP::TLS smells a bit unfresh …
But yeah, adding this change looks like an improvement over the
status quo.
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-