control: tags -1 pending
control: tags -1 patch

As described in the original bug report, LWPx::ParanoidAgent 1.10 forces
use of Net::SSL instead of IO::Socket::SSL. This seems to be a workaround
for a bug that occurred only with IO::Socket::SSL[1] and I think that
because of Net::SSL's shortcomings[2], this is generally a bad idea.

[1] https://github.com/csirtgadgets/LWPx-ParanoidAgent/issues/4
[2] https://metacpan.org/pod/Crypt::SSLeay#DO-YOU-NEED-Crypt::SSLeay

I'm inclined to remove the line that forces use of Net::SSL from
liblwpx-paranoidagent-perl. Since "500 Can't connect to
www.google.com:443 ()" is not a particularly helpful message, I have
tried to figure out what goes wrong when using IO::Socket::SSL:

Comparing IO::Socket::SSL's debug output ($IO::Socket::SSL::DEBUG=3)
from LWPx::ParanoidAgent against LWP::UserAgent shows an interesting
difference:

[ LWP::UserAgent->new->get("https://www.google.com")->status_line ]

    DEBUG: .../IO/Socket/SSL.pm:1461: identity=www.google.com
                                      cn=www.google.com alt=2 www.google.com
    [...]
    DEBUG: .../IO/Socket/SSL.pm:1461: identity=www.google.de
                                      cn=www.google.de alt=2 www.google.de


[ LWPx::ParanoidAgent->new->get("https://www.google.com")->status_line ]

    DEBUG: .../IO/Socket/SSL.pm:1461: identity=173.194.112.144
                                      cn=www.google.com alt=2 www.google.com
    DEBUG: .../IO/Socket/SSL.pm:1660: SSL connect attempt failed with unknown error
    DEBUG: .../IO/Socket/SSL.pm:624: fatal SSL error: SSL connect
                                     attempt failed with unknown error
                                     error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
                                     verify failed


Apparently, the paranoid HTTP(S) wrapper never passes the hostname to IO::SSL,
so it can't be verified.

The following diff fixes this for me.

diff --git a/lib/LWPx/Protocol/http_paranoid.pm 
b/lib/LWPx/Protocol/http_paranoid.pm
index bb98526..76a058d 100644
--- a/lib/LWPx/Protocol/http_paranoid.pm
+++ b/lib/LWPx/Protocol/http_paranoid.pm
@@ -65,6 +65,7 @@ sub _new_socket
             (time() - $request->{_timebegin}) :
             $timeout;
         $sock = $self->socket_class->new(PeerAddr => $addr,
+                                         PeerHost => $host,
                                          PeerPort => $port,
                                          Proto    => 'tcp',
                                          Timeout  => $conn_timeout,
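Review bot: the added `PeerHost => $host` next to `PeerAddr => $addr` makes the fix depend on two precedence rules that are not visible in this hunk: the socket class must still connect to $addr (the IP the agent has already resolved and vetted) and must take $host, not $addr, as the name to verify the certificate against. If the socket class ever resolved PeerHost itself, the connection would go to whatever $host resolves to at that moment and the agent's address checks would be bypassed; if it preferred PeerAddr as the verification name, the "identity=173.194.112.144" mismatch from the debug output would come back. Passing the verification name explicitly, e.g. `SSL_verifycn_name => $host` (and `SSL_hostname => $host` for SNI) alongside `PeerAddr => $addr`, states the intent without relying on that ordering, and a one-line comment on why the address and the name differ here would help the next reader. Also confirm that $host is in scope in _new_socket and holds the request's original host name, since the hunk shows only its use.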

I am not sure if this is the right place to fix this, though.

Cheers,
-Hilko
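
The failure mode above, connecting to a pre-resolved IP and then letting the TLS layer verify the certificate against that IP instead of the requested host name, as an added, stand-alone example. This is not code from the bug report or from LWPx::ParanoidAgent; it is written in Go rather than Perl so that it can stand up a throwaway TLS server in-process and run offline. The host name www.example.test, the self-signed certificate and the function names (selfSignedCert, startServer, paranoidDial, Demo) are all assumptions made for the example. paranoidDial does what the patch intends: dial the vetted address, verify against the host name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a constructed host name standing in for www.google.com;
// the throwaway certificate below is issued for it.
const serverName = "www.example.test"

// selfSignedCert builds an in-memory self-signed certificate for dnsName and a
// root pool that trusts it (constructed test material, not a real CA chain).
// Like the real certificate in the report it carries a DNS SAN but no IP SAN.
func selfSignedCert(dnsName string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, roots, nil
}

// startServer serves cert on a loopback port and completes each handshake so
// the client sees the verification result. It returns "ip:port" and a stop func.
func startServer(cert tls.Certificate) (string, func(), error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) {
				defer c.Close()
				if tc, ok := c.(*tls.Conn); ok {
					_ = tc.Handshake() // fails in the IP case; that is the point
				}
			}(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// paranoidDial connects to an address the caller has already resolved and
// vetted (what a paranoid agent must do) but verifies the certificate against
// verifyName. Passing the IP as verifyName reproduces the reported failure.
func paranoidDial(addr, verifyName string, roots *x509.CertPool) error {
	raw, err := net.DialTimeout("tcp", addr, 2*time.Second)
	if err != nil {
		return err
	}
	defer raw.Close()
	// ServerName is the name the chain is verified for (and the SNI value
	// unless it is an IP literal); RootCAs is our constructed trust store.
	conn := tls.Client(raw, &tls.Config{ServerName: verifyName, RootCAs: roots})
	return conn.Handshake()
}

// isHostnameMismatch distinguishes a name-mismatch failure from connection or
// chain problems, which is what the "certificate verify failed" line hides.
func isHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// Demo runs both variants against the local server: verifying against the IP
// (the unpatched behaviour) and against the host name (the patched behaviour).
func Demo() (ipErr, hostErr, setupErr error) {
	cert, roots, err := selfSignedCert(serverName)
	if err != nil {
		return nil, nil, err
	}
	addr, stop, err := startServer(cert)
	if err != nil {
		return nil, nil, err
	}
	defer stop()
	ip, _, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, nil, err
	}
	return paranoidDial(addr, ip, roots), paranoidDial(addr, serverName, roots), nil
}

func main() {
	ipErr, hostErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("verify against IP:   %v (hostname mismatch: %t)\n", ipErr, isHostnameMismatch(ipErr))
	fmt.Printf("verify against host: %v\n", hostErr)
}
```

Run with `go run .`: the first dial fails with a hostname mismatch even though the chain is trusted, exactly the situation behind the opaque "500 Can't connect" message; the second dial, to the same IP but verified for the host name, succeeds. The same split between connect address and verification name is what `PeerAddr => $addr` plus an explicit verification name has to achieve in the Perl code.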

