Red Hat Bugzilla – Bug 1557574
Add SSL support to Net::SMTP Perl module
Last modified: 2018-10-30 06:55:07 EDT
Description of problem: rebase of the package Perl-5.16.3 to include the core module Net::SMTP version 2.35 (minimum). This is the version that includes native SSL support.
Perl 5.16.3 delivers Net::SMTP 2.31. Next stable Perl that delivers Net::SMTP ≥ 2.35 is Perl 5.22.0. I cannot rebase Perl because it has different ABI. I will investigate whether I can port SSL support back to existing Net::SMTP module in perl package. The SSL support was added in libnet-1.28 CPAN distribution <http://cpansearch.perl.org/src/SHAY/libnet-3.11/Changes> with commit <https://github.com/steve-m-hay/perl-libnet/commit/b4a7a274a7fe5344c154abc4b3fdd7c446d36370> (merge commit <https://github.com/steve-m-hay/perl-libnet/commit/c274b798e6881a941d941808c6d89966975cb8c8>). In the meantime, please consider using Perl 5.24 from Red Hat Software Collections <https://access.redhat.com/documentation/en-us/red_hat_software_collections/2/html/2.3_release_notes/chap-rhscl#sect-RHSCL-Changes-perl>.
Created attachment 1411231 1/4 Upstream patch ported to perl-5.16.3
Created attachment 1411232 2/4 Upstream patch ported to perl-5.16.3
Created attachment 1411233 3/4 Upstream patch ported to perl-5.16.3
Created attachment 1411234 4/4 Upstream patch ported to perl-5.16.3
The attached patchset adds SSL support to Net::SMTP Perl module as delivered in perl package. We recommend using it with updated perl-IO-Socket-SSL (bug #1402588) that used system CA certificate store by default.
How to test:

(1) Start an SMTP server with implicit and explicit SSL support. Or you can use openssl tool to some extent:

    $ openssl s_server -accept 465 -CAfile ca -cert ca -key key

(2) Use Net::SMTP with implicit SSL:

    $ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
    Exception: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Can't call method "domain" on an undefined value at -e line 1.

This must fail because the client does not know the "ca" authority.

(3) Pass a file name with the "ca" authority:

    $ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

and send this text from the SSL server:

    200 foo

And then after the server sends EHLO message:

    200 bar

The client should succeed and report the "foo" as a server identifier:

    $ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
    Exception:
    foo

(4) Perform tests with explicit SSL (STARTTLS). You would need a real SMTP server or something better than openssl tool:

    $ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{smtp.corp.redhat.com}, Debug => 1); $s->starttls() or die qq{Exception: $@\n}; print $s->verify(q{ppisar@redhat.com}), qq{\n}'
    Net::SMTP>>> Net::SMTP(2.31)
    Net::SMTP>>> Net::Cmd(2.29)
    Net::SMTP>>> Exporter(5.68)
    Net::SMTP>>> IO::Socket::INET(1.33)
    Net::SMTP>>> IO::Socket(1.34)
    Net::SMTP>>> IO::Handle(1.33)
    Net::SMTP=GLOB(0x1e2c468)<<< 220 smtp.corp.redhat.com ESMTP Postfix
    Net::SMTP=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
    Net::SMTP=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
    Net::SMTP=GLOB(0x1e2c468)<<< 250-PIPELINING
    Net::SMTP=GLOB(0x1e2c468)<<< 250-SIZE 30000000
    Net::SMTP=GLOB(0x1e2c468)<<< 250-VRFY
    Net::SMTP=GLOB(0x1e2c468)<<< 250-ETRN
    Net::SMTP=GLOB(0x1e2c468)<<< 250-STARTTLS
    Net::SMTP=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
    Net::SMTP=GLOB(0x1e2c468)<<< 250-8BITMIME
    Net::SMTP=GLOB(0x1e2c468)<<< 250 DSN
    Net::SMTP=GLOB(0x1e2c468)>>> STARTTLS
    Net::SMTP=GLOB(0x1e2c468)<<< 220 2.0.0 Ready to start TLS
    Net::SMTP::_SSL=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-PIPELINING
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-SIZE 30000000
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-VRFY
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ETRN
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-8BITMIME
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250 DSN
    Net::SMTP::_SSL=GLOB(0x1e2c468)>>> VRFY ppisar@redhat.com
    Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 252 2.0.0 ppisar@redhat.com
    1

Here you can see VRFY command is used after successful TLS upgrade. That also means the Net::SMTP verified server's certificate. Otherwise it would die before. Do not use domain() method because it will reuse answer from the first answer before STARTTLS.
A notice for testing. The SSL support is optional, thus perl(IO::Socket::SSL) must be installed. Otherwise an error like "To use SSL please install IO::Socket::SSL at /usr/share/perl5/Net/SMTP.pm line 218." is emitted.
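
The test steps above, combined into one fail-closed client script. This is an added example, not part of the bug report or the attached patches; the command-line arguments (host, mode, CA file) and the script layout are hypothetical, and it assumes a Net::SMTP that has the SSL support discussed here.

```perl
#!/usr/bin/perl
# Added example: refuse to talk SMTP unless a verified TLS session exists.
use strict;
use warnings;
use Net::SMTP;

# Hypothetical interface: host, mode ("ssl" or "starttls"), optional CA file.
my ($host, $mode, $ca_file) = @ARGV;
die "usage: $0 host ssl|starttls [ca_file]\n"
    unless defined $host && defined $mode && $mode =~ /^(?:ssl|starttls)$/;

# SSL support in Net::SMTP is optional, so check the dependency up front
# instead of discovering it when the connection is attempted.
eval { require IO::Socket::SSL; 1 }
    or die "IO::Socket::SSL is not installed, refusing to continue\n";

# Options handed through to IO::Socket::SSL. Peer verification is requested
# explicitly so the result does not depend on the installed default.
my %tls = (SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER());
$tls{SSL_ca_file} = $ca_file if defined $ca_file;

my $smtp;
if ($mode eq 'ssl') {
    # Implicit SSL: the handshake happens before the SMTP greeting.
    $smtp = Net::SMTP->new($host, Port => 465, SSL => 1, %tls)
        or die "implicit SSL connection to $host failed: $@\n";
}
else {
    $smtp = Net::SMTP->new($host, Port => 25)
        or die "plain connection to $host failed: $@\n";

    # supports() returns the extension's parameter string, which is empty
    # for STARTTLS, so test definedness rather than truth. A missing
    # STARTTLS line is treated as an error, never as "send in clear text".
    defined $smtp->supports('STARTTLS')
        or die "$host does not advertise STARTTLS, aborting\n";

    # starttls() performs the handshake and sends a fresh EHLO afterwards.
    $smtp->starttls(%tls)
        or die "STARTTLS upgrade with $host failed: $@\n";
}

# After the upgrade the object is a Net::SMTP::_SSL, which inherits from
# IO::Socket::SSL. Do not rely on domain() here: in STARTTLS mode it still
# holds the banner received before the upgrade.
$smtp->isa('IO::Socket::SSL')
    or die "connection to $host is not protected by TLS\n";
printf "TLS session with %s established, cipher %s\n", $host, $smtp->get_cipher;
$smtp->quit;
```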
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:3183