Bug 1059002 - On F19, perl's IO::Socket::SSL has problems verifying server's certificate (but works on F20)
Summary: On F19, perl's IO::Socket::SSL has problems verifying server's certificate (b...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-IO-Socket-SSL
Version: 19
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-28 23:58 UTC by David Tonhofer
Modified: 2014-02-08 05:04 UTC (History)

Fixed In Version: perl-IO-Socket-SSL-1.88-2.fc19
Clone Of:
Environment:
Last Closed: 2014-02-08 05:04:57 UTC
Type: Bug
Embargoed:



Description David Tonhofer 2014-01-28 23:58:25 UTC
Description of problem:
=======================

I run a DNS update on DynDNS servers using the "ddclient" script.

"ddclient" uses "IO::Socket::SSL" 

  (see http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm) 

to set up an https connection to 
 
  https://members.dyndns.org

in order to submit update data.

The root certificate authority certificate for this connection is

------------------
  Data:
      Version: 3 (0x2)
      Serial Number: 33554617 (0x20000b9)
  Signature Algorithm: sha1WithRSAEncryption
      Issuer: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
      Validity
          Not Before: May 12 18:46:00 2000 GMT
          Not After : May 12 23:59:00 2025 GMT
      Subject: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root
------------------

This certificate can be found in the bundle file

  /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt

on both Fedora 19 and Fedora 20.

Certificate in PEM format for greppability:

-----BEGIN TRUSTED CERTIFICATE-----
[PEM body not preserved in this copy of the report]
-----END TRUSTED CERTIFICATE-----


Problem
=======


Running "ddclient" on Fedora 20 
(which has perl-IO-Socket-SSL-1.955-1.fc20.noarch) 
works.

Running "ddclient" on Fedora 19 
(which has perl-IO-Socket-SSL-1.88-1.fc19.noarch) 
results in connection failure:

-----
"WARNING:  cannot connect to members.dyndns.org:443 socket:  IO::Socket::IP configuration failed SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
-----

(Sorry for the horrific formatting, but that is the way it is)


The code to connect to the DynDNS server is:

-----
  $sd = IO::Socket::SSL->new(
            PeerAddr => $peer,
            PeerPort => $port,
            Proto => 'tcp',
            MultiHomed => 1,
            SSL_verify_mode => SSL_VERIFY_PEER,
            Timeout => opt('timeout'),
        );
-----

It turns out that explicitly specifying the trusted CA file in this call makes things work on Fedora 19:

-----
  $sd = IO::Socket::SSL->new(
            PeerAddr => $peer,
            PeerPort => $port,
            Proto => 'tcp',
            MultiHomed => 1,
            SSL_verify_mode => SSL_VERIFY_PEER,
            Timeout => opt('timeout'),
            SSL_ca_file => '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
        );
-----


Conclusion is that "IO::Socket::SSL" does not fetch its trusted CA file from the expected place, at least on Fedora 19.

Additionally, note that "IO::Socket::SSL" doesn't care about the debugging setting as explained in

http://search.cpan.org/~sullr/IO-Socket-SSL-1.966/lib/IO/Socket/SSL.pm#DEBUGGING

for some reason.
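The diagnostic below is an added example, not code from the bug report or from ddclient. It reproduces the two calls described above in one script: a verified connection using whatever CA store IO::Socket::SSL picks by default, then, if that fails, the same connection with SSL_ca_file pointing at the Fedora bundle named in the report. It also switches on hostname checking (SSL_verifycn_scheme/SSL_verifycn_name), which SSL_VERIFY_PEER alone does not guarantee in older module versions. Assumptions: host, port and bundle path come from the command line (defaults are the values from this report), and the script needs network access to the host it is pointed at.

```perl
#!/usr/bin/perl
# Added diagnostic (not part of the bug report or of ddclient): try a verified
# TLS handshake with IO::Socket::SSL's default CA store, then with an explicit
# SSL_ca_file, and report which one succeeds.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR

# Assumed inputs: host, port and CA bundle on the command line; the defaults
# are the values given in the bug report.
my ($host, $port, $ca_file) = @ARGV;
$host    //= 'members.dyndns.org';
$port    //= 443;
$ca_file //= '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt';

# Returns (1, peer subject) on a verified handshake, (0, error text) otherwise.
sub try_connect {
    my (%extra) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr        => $host,
        PeerPort        => $port,
        Proto           => 'tcp',
        Timeout         => 10,
        SSL_verify_mode => SSL_VERIFY_PEER,
        # Chain verification alone does not prove we reached the intended host;
        # the 'http' scheme makes the module also match the certificate's
        # CN / subjectAltName against $host.
        SSL_verifycn_scheme => 'http',
        SSL_verifycn_name   => $host,
        %extra,                       # e.g. SSL_ca_file => '/path/to/bundle'
    );
    return $sock
        ? (1, $sock->peer_certificate('subject'))
        : (0, $SSL_ERROR // "$!" // 'unknown error');
}

my ($ok, $detail) = try_connect();
printf "default CA store : %s\n",
    $ok ? "OK, peer subject $detail" : "FAILED: $detail";

unless ($ok) {
    die "CA bundle $ca_file is not readable; cannot retry\n" unless -r $ca_file;
    ($ok, $detail) = try_connect(SSL_ca_file => $ca_file);
    printf "SSL_ca_file=%s : %s\n", $ca_file,
        $ok ? "OK, peer subject $detail" : "FAILED: $detail";
    # Success only on the second attempt is the symptom reported in this bug:
    # the module's compiled-in default CA location is not the system bundle.
    print "-> default CA location is not the system bundle; "
        . "pass SSL_ca_file explicitly or update the package\n" if $ok;
}
exit($ok ? 0 : 1);
```

Run it as `perl check_ca.pl members.dyndns.org 443` on an affected host: the first line reports the "certificate verify failed" error from the report and the second line succeeds, which confirms the CA-location problem rather than a bad server certificate. If both attempts fail with the bundle present, the problem is elsewhere (clock, proxy, a chain the bundle genuinely does not cover).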

Comment 1 Paul Howarth 2014-01-29 10:59:08 UTC
Can you see if this scratch build fixes it for you?

http://koji.fedoraproject.org/koji/taskinfo?taskID=6467289

Comment 2 David Tonhofer 2014-01-29 21:14:48 UTC
Yes it does.


--- Try ---

As user "ddclient"

$ rm ~/ddclient.cache
$ ./wrap_ddclient.sh

WARNING:  cannot connect to members.dyndns.org:443 socket:  IO::Socket::IP configuration failed SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
FAILED:   updating THE_HOST: Could not connect to members.dyndns.org.

--- Upgrade ---

# wget http://kojipkgs.fedoraproject.org//work/tasks/7293/6467293/perl-IO-Socket-SSL-1.88-2.fc19.noarch.rpm
# rpm --query perl-IO-Socket-SSL
perl-IO-Socket-SSL-1.88-1.fc19.noarch
# rpm --upgrade perl-IO-Socket-SSL-1.88-2.fc19.noarch.rpm
# rpm --query perl-IO-Socket-SSL
perl-IO-Socket-SSL-1.88-2.fc19.noarch

--- Try ---

As user "ddclient"

$ rm ~/ddclient.cache
$ ./wrap_ddclient.sh
WARNING:  updating THE_HOST: nochg: No update required; unnecessary attempts to change to the current address are considered abusive

Comment 3 Fedora Update System 2014-01-29 21:38:05 UTC
perl-IO-Socket-SSL-1.88-2.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/perl-IO-Socket-SSL-1.88-2.fc19

Comment 4 Fedora Update System 2014-01-31 04:26:39 UTC
Package perl-IO-Socket-SSL-1.88-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-IO-Socket-SSL-1.88-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-1831/perl-IO-Socket-SSL-1.88-2.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-02-08 05:04:57 UTC
perl-IO-Socket-SSL-1.88-2.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

