Bug 1557574 - Add SSL support to Net::SMTP Perl module
Summary: Add SSL support to Net::SMTP Perl module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: perl
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: perl-maint-list
QA Contact: Martin Kyral
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On: 1571850 1572546
Blocks: 1549616 1551025
Reported: 2018-03-16 22:45 UTC by Rajesh Dulhani
Modified: 2022-03-13 14:47 UTC

Fixed In Version: perl-5.16.3-293.el7
Doc Type: Release Note
Doc Text:
The *Net::SMTP* Perl module now supports SSL

This update adds support for implicit and explicit TLS and SSL encryption to the *Net::SMTP* Perl module. As a result, it is now possible to communicate with SMTP servers through a secured channel.
Clone Of:
Environment:
Last Closed: 2018-10-30 10:54:53 UTC
Target Upstream Version:
Embargoed:


Attachments
1/4 Upstream patch ported to perl-5.16.3 (4.95 KB, patch)
2018-03-21 14:46 UTC, Petr Pisar
2/4 Upstream patch ported to perl-5.16.3 (5.45 KB, patch)
2018-03-21 14:47 UTC, Petr Pisar
3/4 Upstream patch ported to perl-5.16.3 (2.06 KB, patch)
2018-03-21 14:47 UTC, Petr Pisar
4/4 Upstream patch ported to perl-5.16.3 (2.29 KB, patch)
2018-03-21 14:48 UTC, Petr Pisar


Links
System | ID | Private | Priority | Status | Summary | Last Updated
CPAN | 93823 | 0 | None | None | None | 2018-03-19 10:16:34 UTC
Red Hat Product Errata | RHEA-2018:3183 | 0 | None | None | None | 2018-10-30 10:55:06 UTC

Description Rajesh Dulhani 2018-03-16 22:45:13 UTC
Description of problem:

Rebase of the package Perl-5.16.3 to include the core module Net::SMTP version 2.35 (minimum). This is the version that includes native SSL support.

Comment 2 Petr Pisar 2018-03-19 10:16:34 UTC
Perl 5.16.3 delivers Net::SMTP 2.31.
Next stable Perl that delivers Net::SMTP ≥ 2.35 is Perl 5.22.0. I cannot rebase Perl because it has different ABI.

I will investigate whether I can port SSL support back to existing Net::SMTP module in perl package.

The SSL support was added in libnet-1.28 CPAN distribution <http://cpansearch.perl.org/src/SHAY/libnet-3.11/Changes> with commit <https://github.com/steve-m-hay/perl-libnet/commit/b4a7a274a7fe5344c154abc4b3fdd7c446d36370> (merge commit <https://github.com/steve-m-hay/perl-libnet/commit/c274b798e6881a941d941808c6d89966975cb8c8>).

In the meantime, please consider using Perl 5.24 from Red Hat Software Collections <https://access.redhat.com/documentation/en-us/red_hat_software_collections/2/html/2.3_release_notes/chap-rhscl#sect-RHSCL-Changes-perl>.

Comment 3 Petr Pisar 2018-03-21 14:46:49 UTC
Created attachment 1411231 [details]
1/4 Upstream patch ported to perl-5.16.3

Comment 4 Petr Pisar 2018-03-21 14:47:16 UTC
Created attachment 1411232 [details]
2/4 Upstream patch ported to perl-5.16.3

Comment 5 Petr Pisar 2018-03-21 14:47:46 UTC
Created attachment 1411233 [details]
3/4 Upstream patch ported to perl-5.16.3

Comment 6 Petr Pisar 2018-03-21 14:48:24 UTC
Created attachment 1411234 [details]
4/4 Upstream patch ported to perl-5.16.3

Comment 7 Petr Pisar 2018-03-21 14:52:16 UTC
The attached patchset adds SSL support to the Net::SMTP Perl module as delivered in the perl package. We recommend using it with the updated perl-IO-Socket-SSL (bug #1402588) that used the system CA certificate store by default.

Comment 9 Petr Pisar 2018-03-21 15:32:09 UTC
How to test:

(1) Start an SMTP server with implicit and explicit SSL support. Or you can use the openssl tool to some extent:

$ openssl s_server -accept 465 -CAfile ca -cert ca -key key

(2) Use Net::SMTP with implicit SSL:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Can't call method "domain" on an undefined value at -e line 1.

This must fail because the client does not know the "ca" authority.

(3) Pass a file name with the "ca" authority:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

and send this text from the SSL server:

200 foo

And then after the server sends EHLO message:

200 bar

The client should succeed and report "foo" as a server identifier:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception:
foo

(4) Perform tests with explicit SSL (STARTTLS). You would need a real SMTP server or something better than the openssl tool:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{smtp.corp.redhat.com}, Debug => 1); $s->starttls() or die qq{Exception: $@\n}; print $s->verify(q{ppisar}), qq{\n}'
Net::SMTP>>> Net::SMTP(2.31)
Net::SMTP>>>   Net::Cmd(2.29)
Net::SMTP>>>     Exporter(5.68)
Net::SMTP>>>   IO::Socket::INET(1.33)
Net::SMTP>>>     IO::Socket(1.34)
Net::SMTP>>>       IO::Handle(1.33)
Net::SMTP=GLOB(0x1e2c468)<<< 220 smtp.corp.redhat.com ESMTP Postfix
Net::SMTP=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP=GLOB(0x1e2c468)<<< 250-STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP=GLOB(0x1e2c468)>>> STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 220 2.0.0 Ready to start TLS
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> VRFY ppisar
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 252 2.0.0 ppisar
1

Here you can see that the VRFY command is used after a successful TLS upgrade. That also means that Net::SMTP verified the server's certificate. Otherwise it would have died before. Do not use the domain() method because it will reuse the answer from the first answer before STARTTLS.
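
The checks from the test procedure above, combined into one fail-closed script. This is an added example, not part of the bug report or the attached patchset. The script name, its command-line arguments, the 15-second timeout and the use of ports 465 and 25 are assumptions; it refuses to continue if STARTTLS is not advertised, if the handshake or certificate verification fails, or if IO::Socket::SSL is missing.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): fail-closed SMTP over TLS.
use strict;
use warnings;
use Net::SMTP;

# Hypothetical CLI: smtp_tls_check.pl HOST MODE [CA_FILE]
#   MODE is "implicit" (TLS from the first byte, port 465 assumed)
#   or "starttls" (plain connect on port 25 assumed, then upgrade).
my ($host, $mode, $ca_file) = @ARGV;
die "usage: $0 HOST implicit|starttls [CA_FILE]\n"
    unless defined $host && defined $mode
        && $mode =~ /^(?:implicit|starttls)$/;

# TLS support in Net::SMTP is optional and needs IO::Socket::SSL.
eval { require IO::Socket::SSL; 1 }
    or die "IO::Socket::SSL is not installed; refusing to continue\n";

# Always verify the peer; trust only CA_FILE when one is given.
my %tls = (SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER());
$tls{SSL_ca_file} = $ca_file if defined $ca_file;

my $smtp;
if ($mode eq 'implicit') {
    $smtp = Net::SMTP->new($host, Port => 465, SSL => 1, %tls, Timeout => 15)
        or die "implicit TLS failed: $@\n";
} else {
    $smtp = Net::SMTP->new($host, Port => 25, Timeout => 15)
        or die "connect failed: $@\n";
    # A missing STARTTLS capability may mean it was stripped in transit:
    # stop here instead of continuing in cleartext. supports() returns an
    # empty string for a bare keyword, so test definedness, not truth.
    defined $smtp->supports('STARTTLS')
        or die "server did not advertise STARTTLS; not sending in cleartext\n";
    $smtp->starttls(%tls)
        or die "STARTTLS upgrade failed: $@\n";
}

# After a successful handshake the object is an IO::Socket::SSL handle
# (Net::SMTP::_SSL in the debug output above), so get_cipher() exists.
my $cipher = $smtp->can('get_cipher') ? $smtp->get_cipher : undef;
die "session is not encrypted\n" unless defined $cipher;

printf "TLS ok: class=%s cipher=%s peer CN=%s\n",
    ref $smtp, $cipher, $smtp->peer_certificate('cn') // '(none)';
$smtp->quit;
```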

Comment 11 Petr Pisar 2018-04-18 14:59:20 UTC
A notice for testing. The SSL support is optional, thus perl(IO::Socket::SSL) must be installed. Otherwise an error like "To use SSL please install IO::Socket::SSL at /usr/share/perl5/Net/SMTP.pm line 218." is emitted.

Comment 22 errata-xmlrpc 2018-10-30 10:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3183

