Foswiki > Tasks Web > Item12279 (01 Feb 2013, GeorgeClark)

Item12279: Net::SMTP::SSL Email fails with SSL_verify_mode error on recent versions of IO::Socket::SSL

Priority: Normal
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: FoswikiNet
Branches: Release01x01
Reported By: GeorgeClark
Waiting For: GeorgeClark, TimotheLitt
Last Change By: GeorgeClark
With the latest versions of IO::Socket::SSL, Net::SMTP::SSL fails with the following:

>>>> FAILURE Sending e-mail to  some@address  - 
*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 together with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************

The authors of IO::Socket::SSL made a rather unfortunate change in version 1.79, to carp if the option of SSL_verify_mode is left to default as SSL_VERIFY_NONE. And since Net::SMTP (as used by Net::SMTP::SSL) does not permit any options to be passed other than the options documented by Net::SMTP, we don't have any local solution to resolve this.

It's true that not verifying server certificates leaves one open to Man-in-the-Middle attacks. But to make the change like this without any coordination with something as fundamental as libnet is rather ugly.

Looking at CPAN, libnet (Net::SMTP) has not been maintained in several years. I opened a bug against Net::SMTP::SSL (https://rt.cpan.org/Public/Bug/Display.html?id=81594), but the fix really is needed in Net::SMTP. To fix this right, Net::SMTP would need to pass through any of the SSL_* options, so that things like the ca file or path can also be specified. Since the option is verified when Net::SMTP::SSL->new() creates the socket, there really seems to be no other way around this other than a code change.

I've posted the workarounds we've found at http://foswiki.org/Support/Faq69#Error:_61Default_SSL_verify_mode_deprecated_61

Once Net::SMTP and/or Net::SMTP::SSL are fixed, we need to enhance Foswiki::Net to pass the verify option, and the necessary SSL_ca information to permit certificate validation.

-- GeorgeClark - 01 Dec 2012
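An added example, not Foswiki's Net.pm and not text from the FAQ topic, of the process-wide route around the problem described above: because Net::SMTP::SSL hands IO::Socket::SSL only the arguments Net::SMTP knows, the SSL_* options are installed through IO::Socket::SSL::set_defaults before the connection is opened, so the socket is built with explicit peer verification instead of the implicit SSL_VERIFY_NONE that 1.79 warns about. The host, port and CA path are placeholders, and the hostname check assumes the installed IO::Socket::SSL accepts SSL_verifycn_scheme => 'smtp'.

```perl
#!/usr/bin/perl
# Added example: verify the SMTP server certificate even though
# Net::SMTP::SSL cannot forward SSL_* options to IO::Socket::SSL.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use Net::SMTP::SSL;

# Placeholder site values - replace with the real server and trust store.
my $host    = 'smtp.example.com';
my $port    = 465;                 # SMTPS; STARTTLS on 587 is not covered here
my $ca_path = '/etc/ssl/certs';    # or SSL_ca_file => '/path/to/ca-bundle.crt'

# Net::SMTP::SSL builds the socket with Net::SMTP's arguments only, so the
# verification settings have to be the process-wide defaults. Setting
# SSL_verify_mode explicitly also silences the 1.79 "depreciated" carp.
IO::Socket::SSL::set_defaults(
    SSL_verify_mode     => SSL_VERIFY_PEER,   # reject unverifiable chains
    SSL_ca_path         => $ca_path,          # trust anchors for the chain
    SSL_verifycn_scheme => 'smtp',            # also match the host name
);

# A verification failure surfaces here as a failed connect, not later.
my $smtp = Net::SMTP::SSL->new( $host, Port => $port, Timeout => 30 )
    or die "Connection to $host:$port failed (certificate not verified?): "
         . ( IO::Socket::SSL::errstr() || $@ || 'unknown error' ) . "\n";

# Net::SMTP::SSL inherits from IO::Socket::SSL, so the negotiated session
# can be inspected; a wrong CA path shows up as a missing peer certificate.
printf "Connected to %s, cipher %s\n", $host, $smtp->get_cipher;
printf "Peer certificate subject: %s\n",
    $smtp->peer_certificate('subject') // '(none)';

$smtp->quit;
```

Run it against the site's own mail relay before changing the Foswiki configuration; if the connect dies with a verify error, the CA path is wrong or the relay presents an untrusted chain, which is exactly the condition the SSL_VERIFY_NONE default would have hidden.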

This can be fixed in Net.pm without external help - if esthetics aren't a concern. Then again, the internals of Net::SMTP::SSL are not at all pretty.

Investigation shows that the current code has other issues:
  • TLS support depends on a broken module
  • SSLv2 is accepted (and should not be)
  • Ports are not defaulted sensibly
  • STARTTLS is not supported at all.
  • Manual configuration is ugly and error prone - George says #1 setup issue for new users.

Fix for all these is in the testing queue. Updated this item to reflect WIP.

The work-arounds topic should probably be updated to reflect the fact that the suggestions there are temporary.

As for additional options for verify type, ca, client cert, etc - agree, but that probably should be a separate feature proposal...

-- TimotheLitt - 02 Dec 2012

The fix I checked in for 1.1x is a minimal subset of a larger set of improvements on trunk. It makes verify none work, but does not address other verify types as it's intended as a hotfix. The other verify types should be implemented under another task, so I marked this one "waiting for release".

-- TimotheLitt - 14 Dec 2012

The other verify types (Host and Client) and Trust authority sources have been implemented in Trunk, but won't be backported to earlier releases - the implementation is complex due to the work-arounds necessary to sneak past Net::SMTP(::SSL), and all the checkers I added to make it simple for the user. (They rely on the feedback framework.)

-- TimotheLitt - 15 Dec 2012

Summary: Net::SMTP::SSL Email fails with SSL_verify_mode error on recent versions of IO::Socket::SSL
ReportedBy: GeorgeClark
Codebase: 1.1.6 dev, 1.1.5, 1.1.4, trunk
SVN Range:
AppliesTo: Engine
Component: FoswikiNet
Priority: Normal
CurrentState: Closed
WaitingFor: GeorgeClark, TimotheLitt
Checkins: distro:d351840680f8
TargetRelease: patch
ReleasedIn: 1.1.7
CheckinsOnBranches: Release01x01
trunkCheckins:
Release01x01Checkins: distro:d351840680f8
Topic revision: r8 - 01 Feb 2013, GeorgeClark