Bug#1104296: Net::SMTP::TLS fails when with hostname verification failed

gregor herrmann gregoa at debian.org
Wed May 7 20:50:15 BST 2025


On Mon, 28 Apr 2025 12:26:52 +0000, Peter Palfrader wrote:

>after upgrading to Debian 12, some of our tooling fell over with
>| Couldn't start TLS: hostname verification failed
>Turns out, Net::SMTP::TLS does not provide the hostname to
>the code that in the end tries to verify the CN, so that
>code in turn ends up using the socket endpoint IP address.

Thanks!

Forwarded upstream as https://rt.cpan.org/Ticket/Display.html?id=164994

2 remarks:

1) AFAIK Net::SMTP supports TLS since quite some time, so 
    Net::SMTP::TLS might be unneeded by now.

2) Regarding the patch:

>-       if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
>+       if(not IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host})){
>                        croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
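
Review bot: On the `+` line, `$me->{Host}` is passed as `SSL_verifycn_name` without any check that it is set, and nothing in this hunk shows where it is populated. If it can be undefined or empty, the name check presumably ends up in the situation described in the report, with no hostname available to the verification code, so consider croaking before the `socket_to_SSL` call when `Host` is missing. The call also stays on `socket_to_SSL()`, which the IO::Socket::SSL documentation quoted in this thread says to replace with `IO::Socket::SSL->start_SSL()`; a comment next to the call noting that would help whoever touches it next.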

Looking at IO::Socket::SSL's documentation (admittedly on my unstable 
machine):

        socketToSSL() and socket_to_SSL()
          use IO::Socket::SSL->start_SSL() instead

I see the point of keeping upstream's use of socket_to_SSL(); just 
another hint that Net::SMTP::TLS smells a bit unfresh …

But yeah, adding this change looks like an improvement over the 
status quo.


Cheers,
gregor

-- 
  .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
  : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
  `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
    `-   