https://bugzilla.redhat.com/show_bug.cgi?id=1059002

Bug ID: 1059002
Summary: On F19, perl's IO::Socket::SSL has problems verifying server's certificate (but works on F20)
Product: Fedora
Version: 19
Component: perl-IO-Socket-SSL
Assignee: paul@xxxxxxxxxxxx
Reporter: bughunt@xxxxxxxxxxx
QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
CC: jpo@xxxxxxxxxxxx, paul@xxxxxxxxxxxx, perl-devel@xxxxxxxxxxxxxxxxxxxxxxx

Description of problem:
=======================

I run a DNS update on DynDNS servers using the "ddclient" script. "ddclient" uses "IO::Socket::SSL" (see http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm) to set up an https connection to https://members.dyndns.org in order to submit update data.

The root certificate authority certificate for this connection is

------------------
Data:
    Version: 3 (0x2)
    Serial Number: 33554617 (0x20000b9)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
Validity
    Not Before: May 12 18:46:00 2000 GMT
    Not After : May 12 23:59:00 2025 GMT
Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
------------------

This certificate can be found in the bundle file /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt on both Fedora 19 and Fedora 20.
Certificate in PEM format for greppability:

Problem
=======

Running "ddclient" on Fedora 20 (which has perl-IO-Socket-SSL-1.955-1.fc20.noarch) works.
Running "ddclient" on Fedora 19 (which has perl-IO-Socket-SSL-1.88-1.fc19.noarch) results in connection failure:

-----
"WARNING: cannot connect to members.dyndns.org:443 socket: IO::Socket::IP configuration failed SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
-----

(Sorry for the horrific formatting, but that is the way it is)

The code to connect to the DynDNS server is:

-----
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER; $peer, $port and opt() come from ddclient

$sd = IO::Socket::SSL->new(
    PeerAddr        => $peer,
    PeerPort        => $port,
    Proto           => 'tcp',
    MultiHomed      => 1,
    SSL_verify_mode => SSL_VERIFY_PEER,   # verify the server certificate against the trusted CAs
    Timeout         => opt('timeout'),
);
-----

It turns out that explicitly specifying the trusted CA file in this call makes things work on Fedora 19:

-----
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER; $peer, $port and opt() come from ddclient

$sd = IO::Socket::SSL->new(
    PeerAddr        => $peer,
    PeerPort        => $port,
    Proto           => 'tcp',
    MultiHomed      => 1,
    SSL_verify_mode => SSL_VERIFY_PEER,
    Timeout         => opt('timeout'),
    # point the module at the distribution's trust bundle explicitly
    SSL_ca_file     => '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
);
-----

Conclusion is that "IO::Socket::SSL" does not fetch its trusted CA file from the expected place, at least on Fedora 19.

Additionally, note that "IO::Socket::SSL" doesn't care about the debugging setting as explained in http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm#DEBUGGING for some reason.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
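As an added example (not the reporter's code and not part of ddclient), a small Perl script that keeps SSL_VERIFY_PEER on, first lets IO::Socket::SSL locate its default CA store, and on a verify failure retries with the Fedora bundle path named in the report instead of switching verification off. It needs network access to the host; the host name, the timeout and the explicit SSL_verifycn_scheme/SSL_verifycn_name hostname check are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Assumed host; the bundle path is the one named in the bug report.
my $host      = 'members.dyndns.org';
my $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt';

# Open a TLS session with peer verification enforced; extra options
# (e.g. SSL_ca_file) override the defaults below.
sub connect_verified {
    my ($peer, %extra) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $peer,
        PeerPort            => 443,
        Proto               => 'tcp',
        SSL_verify_mode     => SSL_VERIFY_PEER,  # never SSL_VERIFY_NONE as a "fix"
        SSL_verifycn_scheme => 'http',           # also match the hostname in the cert
        SSL_verifycn_name   => $peer,
        Timeout             => 10,
        %extra,
    );
    return $sock if $sock;
    # $SSL_ERROR holds the OpenSSL failure text, e.g. "certificate verify failed".
    return (undef, $SSL_ERROR || $!);
}

# First attempt: whatever CA store the module finds on its own.
my ($sock, $err) = connect_verified($host);
if (!$sock && defined $err && $err =~ /certificate verify failed/) {
    # The default trust store was not usable: retry with the distribution
    # bundle given explicitly, keeping verification switched on.
    print "default CA lookup failed ($err); retrying with $ca_bundle\n";
    ($sock, $err) = connect_verified($host, SSL_ca_file => $ca_bundle);
}
die "could not establish a verified TLS session: $err\n" unless $sock;

printf "verified connection to %s, peer CN=%s\n",
    $host, $sock->peer_certificate('cn');
$sock->close(SSL_ctx_free => 1);
```

If both attempts fail with a verify error, the bundle itself (or the server's chain) is the problem, not the module's CA lookup.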