
Bug 1557574

Summary: Add SSL support to Net::SMTP Perl module
Product: Red Hat Enterprise Linux 7
Reporter: Rajesh Dulhani <rdulhani>
Component: perl
Assignee: perl-maint-list
Status: CLOSED ERRATA
QA Contact: Martin Kyral <mkyral>
Severity: medium
Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified
Version: 7.4
CC: bgollahe, bnater, djez, jorton, mkyral, ppisar
Target Milestone: rc
Keywords: FutureFeature, Patch
Target Release: ---
Hardware: x86_64
OS: Linux
Fixed In Version: perl-5.16.3-293.el7
Doc Type: Release Note
Doc Text: The *Net::SMTP* Perl module now supports SSL. This update adds support for implicit and explicit TLS and SSL encryption to the *Net::SMTP* Perl module. As a result, it is now possible to communicate with SMTP servers through a secured channel.
Last Closed: 2018-10-30 10:54:53 UTC
Type: Bug
Bug Depends On: 1571850, 1572546
Bug Blocks: 1549616, 1551025
Attachments (flags: none):
1/4 Upstream patch ported to perl-5.16.3
2/4 Upstream patch ported to perl-5.16.3
3/4 Upstream patch ported to perl-5.16.3
4/4 Upstream patch ported to perl-5.16.3

Description Rajesh Dulhani 2018-03-16 22:45:13 UTC
Description of problem:

Rebase of the package Perl-5.16.3 to include the core module Net::SMTP version 2.35 (minimum). This is the version that includes native SSL support.

Comment 2 Petr Pisar 2018-03-19 10:16:34 UTC
Perl 5.16.3 delivers Net::SMTP 2.31.
The next stable Perl that delivers Net::SMTP ≥ 2.35 is Perl 5.22.0. I cannot rebase Perl because it has a different ABI.

I will investigate whether I can port SSL support back to the existing Net::SMTP module in the perl package.

The SSL support was added in libnet-1.28 CPAN distribution <http://cpansearch.perl.org/src/SHAY/libnet-3.11/Changes> with commit <https://github.com/steve-m-hay/perl-libnet/commit/b4a7a274a7fe5344c154abc4b3fdd7c446d36370> (merge commit <https://github.com/steve-m-hay/perl-libnet/commit/c274b798e6881a941d941808c6d89966975cb8c8>).

In the meantime, please consider using Perl 5.24 from Red Hat Software Collections <https://access.redhat.com/documentation/en-us/red_hat_software_collections/2/html/2.3_release_notes/chap-rhscl#sect-RHSCL-Changes-perl>.

Comment 3 Petr Pisar 2018-03-21 14:46:49 UTC
Created attachment 1411231
1/4 Upstream patch ported to perl-5.16.3

Comment 4 Petr Pisar 2018-03-21 14:47:16 UTC
Created attachment 1411232
2/4 Upstream patch ported to perl-5.16.3

Comment 5 Petr Pisar 2018-03-21 14:47:46 UTC
Created attachment 1411233
3/4 Upstream patch ported to perl-5.16.3

Comment 6 Petr Pisar 2018-03-21 14:48:24 UTC
Created attachment 1411234
4/4 Upstream patch ported to perl-5.16.3

Comment 7 Petr Pisar 2018-03-21 14:52:16 UTC
The attached patchset adds SSL support to the Net::SMTP Perl module as delivered in the perl package. We recommend using it with the updated perl-IO-Socket-SSL (bug #1402588) that used the system CA certificate store by default.

Comment 9 Petr Pisar 2018-03-21 15:32:09 UTC
How to test:

(1) Start an SMTP server with implicit and explicit SSL support. Or you can use the openssl tool to some extent:

$ openssl s_server -accept 465 -CAfile ca -cert ca -key key

(2) Use Net::SMTP with implicit SSL:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception: SSL connect attempt failed with unknown error error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Can't call method "domain" on an undefined value at -e line 1.

This must fail because the client does not know the "ca" authority.

(3) Pass a file name with the "ca" authority:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'

and send this text from the SSL server:

200 foo

And then after the server sends EHLO message:

200 bar

The client should succeed and report "foo" as a server identifier:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{localhost}, SSL =>1, SSL_ca_file => q{/tmp/ca}); print qq{Exception: $@\n}; print $s->domain, qq{\n}'
Exception:
foo

(4) Perform tests with explicit SSL (STARTTLS). You would need a real SMTP server or something better than the openssl tool:

$ perl -MNet::SMTP -e '$s=Net::SMTP->new(q{smtp.corp.redhat.com}, Debug => 1); $s->starttls() or die qq{Exception: $@\n}; print $s->verify(q{ppisar}), qq{\n}'
Net::SMTP>>> Net::SMTP(2.31)
Net::SMTP>>>   Net::Cmd(2.29)
Net::SMTP>>>     Exporter(5.68)
Net::SMTP>>>   IO::Socket::INET(1.33)
Net::SMTP>>>     IO::Socket(1.34)
Net::SMTP>>>       IO::Handle(1.33)
Net::SMTP=GLOB(0x1e2c468)<<< 220 smtp.corp.redhat.com ESMTP Postfix
Net::SMTP=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP=GLOB(0x1e2c468)<<< 250-STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP=GLOB(0x1e2c468)>>> STARTTLS
Net::SMTP=GLOB(0x1e2c468)<<< 220 2.0.0 Ready to start TLS
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> EHLO localhost.localdomain
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-smtp.corp.redhat.com
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-PIPELINING
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-SIZE 30000000
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-VRFY
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ETRN
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-ENHANCEDSTATUSCODES
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250-8BITMIME
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 250 DSN
Net::SMTP::_SSL=GLOB(0x1e2c468)>>> VRFY ppisar
Net::SMTP::_SSL=GLOB(0x1e2c468)<<< 252 2.0.0 ppisar
1

Here you can see the VRFY command is used after a successful TLS upgrade. That also means that Net::SMTP verified the server's certificate. Otherwise it would die before. Do not use the domain() method because it will reuse the answer from the first answer before STARTTLS.

Comment 11 Petr Pisar 2018-04-18 14:59:20 UTC
A notice for testing. The SSL support is optional, thus perl(IO::Socket::SSL) must be installed. Otherwise an error like "To use SSL please install IO::Socket::SSL at /usr/share/perl5/Net/SMTP.pm line 218." is emitted.
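
Added example, not part of the bug report or the attached patches: a fail-closed client covering both modes exercised in comment 9, with the IO::Socket::SSL dependency from comment 11 loaded explicitly. The function name connect_tls, its argument names and the command-line usage are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: refuse to talk SMTP unless the channel is verified TLS.
use strict;
use warnings;
use Net::SMTP;
use IO::Socket::SSL;    # optional for Net::SMTP, required here; exports SSL_VERIFY_PEER

# connect_tls() is a hypothetical helper: returns a TLS-protected Net::SMTP
# object or dies. Arguments: mode, host, optional port and ca_file.
sub connect_tls {
    my (%arg) = @_;
    die "mode must be 'implicit' or 'explicit'\n"
        unless defined $arg{mode} && $arg{mode} =~ /\A(?:implicit|explicit)\z/;

    # Set the verify mode explicitly so the result does not depend on the
    # default of whichever IO::Socket::SSL version is installed.
    my %ssl = (SSL_verify_mode => SSL_VERIFY_PEER());
    $ssl{SSL_ca_file} = $arg{ca_file} if defined $arg{ca_file};

    if ($arg{mode} eq 'implicit') {
        # TLS handshake happens before any SMTP traffic.
        my $smtp = Net::SMTP->new($arg{host}, Port => $arg{port} // 465,
                                  SSL => 1, %ssl)
            or die "implicit TLS to $arg{host} failed: $@\n";
        return $smtp;
    }

    # Explicit TLS: connect in clear text, then upgrade with STARTTLS.
    my $smtp = Net::SMTP->new($arg{host}, Port => $arg{port} // 25)
        or die "connect to $arg{host} failed: $@\n";
    # Fail closed when the server does not offer the upgrade.
    defined $smtp->supports('STARTTLS')
        or die "$arg{host} does not advertise STARTTLS, refusing plaintext\n";
    $smtp->starttls(%ssl)
        or die "STARTTLS upgrade failed: $@\n";
    # After a successful upgrade the object is an IO::Socket::SSL handle.
    $smtp->isa('IO::Socket::SSL')
        or die "connection to $arg{host} is not TLS-protected\n";
    return $smtp;
}

unless (caller) {
    my ($mode, $host, $ca) = @ARGV;
    die "usage: $0 implicit|explicit HOST [CA_FILE]\n" unless $mode && $host;
    my $smtp = connect_tls(mode => $mode, host => $host, ca_file => $ca);
    printf "TLS established with %s, cipher %s\n", $host, $smtp->get_cipher;
    $smtp->quit;
}
```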

Comment 22 errata-xmlrpc 2018-10-30 10:54:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:3183