Bug 1532250 - perl-Net-SSLeay fails to connect to some SSL servers
Summary: perl-Net-SSLeay fails to connect to some SSL servers
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-Net-SSLeay
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-01-08 13:28 UTC by Need Real Name
Modified: 2018-11-30 19:09 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-11-30 19:09:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Need Real Name 2018-01-08 13:28:51 UTC 
In F26 F27 compiled
perl-Net-SSLeay-1.82-1.fc26.x86_64
fails to connect to some SSL servers, , but to the other can connect OK
Below is a test case and two examples.
www.google.com perl-Net-SSLeay connects OK
www.halstead.com perl-Net-SSLeay fails.
Code example xu.pl is below.

This works OK
    perl -w  xu.pl  'www.google.com'
And this one fails, and without any meaningful diag
    perl -w  xu.pl  www.halstead.com

P.S. strange thing that this works OK
my($page) = Net::SSLeay::get_https('www.halstead.com', 443, '/');

------- sample code xu.pl ----
use strict;
require Net::SSLeay;
require IO::Socket::SSL;
#require IO::Socket::SSL qw(debug9);

 $Net::SSLeay::trace = 3;
$Net::SSLeay::linux_debug =3 ;
    # simple client
    my $cl = IO::Socket::SSL->new($ARGV[0].":443");

print{*STDERR} "CL=",$cl,"\n";
    print $cl "GET / HTTP/1.0\r\n\r\n";
    print <$cl>;
----- end sample code -------------

This works OK
perl -w  xu.pl  'www.google.com'
And this one fails, and without any Net::SSLeay diag, only SSL.pm
perl -w  xu.pl  www.halstead.com
Name "Net::SSLeay::trace" used only once: possible typo at xu.pl line 6.
Name "Net::SSLeay::linux_debug" used only once: possible typo at xu.pl line 7.
DEBUG: .../IO/Socket/SSL.pm:2764: new ctx 24108480
DEBUG: .../IO/Socket/SSL.pm:616: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:618: socket connected
DEBUG: .../IO/Socket/SSL.pm:641: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:674: using SNI with hostname www.halstead.com
DEBUG: .../IO/Socket/SSL.pm:709: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:743: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:746: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed
DEBUG: ...erl5/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed'
DEBUG: .../IO/Socket/SSL.pm:2786: free ctx 24108480 open=24108480
DEBUG: .../IO/Socket/SSL.pm:2790: free ctx 24108480 callback
DEBUG: .../IO/Socket/SSL.pm:2797: OK free ctx 24108480
CL=Use of uninitialized value $cl in print at xu.pl line 11.

Can't use an undefined value as a symbol reference at xu.pl line 12.
Comment 1 Paul Howarth 2018-01-08 15:58:46 UTC 
The problem here is that the target server doesn't support newer SSL protocols/ciphers, and the ones it does support are below the standard required by the system-wide crypto policy (see https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented in Fedora's perl-IO-Socket-SSL package (this is why your use of raw Net::SSLeay works, and IO::Socket::SSL doesn't).

I can make it work by changing the IO::Socket::SSL->new() invocation to this:

my $cl = IO::Socket::SSL->new(
    PeerHost => $ARGV[0],
    PeerPort => 'https',
    SSL_cipher_list => 'DES-CBC3-SHA'
);

A useful debugging tool for this is analyze-ssl.pl, which you can get from https://github.com/noxxi/p5-ssl-tools (this is from the upstream maintainer of IO::Socket::SSL).

Example output:
$ perl analyze-ssl.pl www.halstead.com:443
-- www.halstead.com port 443
 ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
 ! server sent unused chain certificate '/C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority'
 * maximum SSL version  : TLSv1 (SSLv23)
 * supported SSL versions with handshake used and preferred cipher(s):
   * handshake protocols ciphers
   * SSLv23    TLSv1     DES-CBC3-SHA
   * TLSv1_2   FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version SSL connect attempt failed
   * TLSv1_1   FAILED: SSL connect attempt failed error:1417110A:SSL routines:tls_process_server_hello:wrong ssl version
   * TLSv1     TLSv1     DES-CBC3-SHA
   * SSLv3     SSLv3     DES-CBC3-SHA
 * cipher order by      : unknown
 * SNI supported        : ok
 * certificate verified : ok
 * chain on 209.173.134.149
   * [0/0] bits=2048, ocsp_uri=http://ocsp.netsolssl.com, /C=US/postalCode=10065/ST=NY/L=New York/street=770 Lexington Ave/O=Halstead Property/OU=Web/OU=Secure Link SSL Wildcard/CN=*.halstead.com SAN=DNS:*.halstead.com,DNS:halstead.com
   * [1/1] bits=2048, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2
   * [2/-] bits=4096, ocsp_uri=http://ocsp.usertrust.com, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification 
Authority
   * [-/2] bits=4096, ocsp_uri=, /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Authority
 * OCSP stapling        : no stapled response
 * OCSP status          : good (soft error: http://ocsp.usertrust.com: OCSP response failed: internalerror; subject: /C=US/ST=VA/L=Herndon/O=Network Solutions L.L.C./CN=Network Solutions OV Server CA 2; /C=US/ST=New Jersey/L=Jersey City/O=The USERTRUST Network/CN=USERTrust RSA Certification Au
thority)
Comment 2 Need Real Name 2018-01-08 16:37:27 UTC 
Thank you, Paul. I will fix the script with the 
 SSL_cipher_list => 'DES-CBC3-SHA'
that you recommended, I have no control over the site www.halstead.com

My bug report was mostly about perl-Net-SSLeay cryptic error message:
 
DEBUG: .../IO/Socket/SSL.pm:749: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:752: fatal SSL error: SSL connect attempt failed

I think that perl-Net-SSLeay can be much improved by making better SSL error messages.
Comment 3 Paul Howarth 2018-01-08 16:44:03 UTC 
Requests for enhancements to Net::SSLeay's error messages would be best off directed to the upstream maintainer. The documentation suggests https://alioth.debian.org/projects/net-ssleay but https://rt.cpan.org/Public/Dist/Display.html?Name=net-ssleay would probably work too.
Comment 4 Petr Pisar 2018-01-09 08:39:52 UTC 
(In reply to Paul Howarth from comment #1)
> The problem here is that the target server doesn't support newer SSL
> protocols/ciphers, and the ones it does support are below the standard
> required by the system-wide crypto policy (see
> https://fedoraproject.org/wiki/Changes/CryptoPolicy), which is implemented
> in Fedora's perl-IO-Socket-SSL package (this is why your use of raw
> Net::SSLeay works, and IO::Socket::SSL doesn't).
> 
> I can make it work by changing the IO::Socket::SSL->new() invocation to this:
> 
> my $cl = IO::Socket::SSL->new(
>     PeerHost => $ARGV[0],
>     PeerPort => 'https',
>     SSL_cipher_list => 'DES-CBC3-SHA'
> );
> 
I'm not sure. "openssl s_client -connect www.halstead.com:443" works. And DES-CBC3-SHA has not yet been disabled in the global cryptopolicy <https://bugzilla.redhat.com/show_bug.cgi?id=1487607#c6>.
Comment 5 Paul Howarth 2018-01-09 09:04:41 UTC 
I'm not sure it's the best solution but it seems to be the smallest change that makes it work. It looks like the server doesn't support anything beyond TLS v1.0; is that cipher supported in TLS v1.1 or TLS v1.2?
Comment 6 Ben Cotton 2018-11-27 17:32:07 UTC 
This message is a reminder that Fedora 27 is nearing its end of life.
On 2018-Nov-30  Fedora will stop maintaining and issuing updates for
Fedora 27. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora  'version' of '27'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 27 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 7 Ben Cotton 2018-11-30 19:09:26 UTC 
Fedora 27 changed to end-of-life (EOL) status on 2018-11-30. Fedora 27 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Note You need to log in before you can comment on or make changes to this bug.