Net::LDAPS certificate verification fails in 6.8


Net::LDAPS certificate verification fails in 6.8

Helmut Kiessling
Hi,

Seems I have issues receiving emails into my private email so can you kindly resend it to my work email instead? Original email below:

I hope you can point me in the correct direction with this strange behaviour in OpenBSD 6.8. My script is using the Perl library Net::LDAPS like below:
Row 85:  my $ldap = Net::LDAPS->new('localhost', port => 636, version => 3, verify => 'require', capath => '/etc/openldap/certs');   # host and path must be quoted strings

When running the script it gives the following error:
# SSL connect attempt failed error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed at update.pl line 85, <DATA> line 960

And sure, if I change verify => 'none' then it works, but it would be nice to get the certs verified too.

Note, this same script works ok in OpenBSD 6.7.

Net::LDAPS version is 0.06 (I also have Net::SSLeay 1.88 and IO::Socket::SSL 2.068 installed, in case they are related).

Do you have any ideas?

Kind Regards,
Helmut Kiessling




Re: Net::LDAPS certificate verification fails in 6.8

Stuart Henderson
On 2021/02/01 08:44, Helmut Kiessling wrote:

> Hi,
>
> Seems I have issues receiving emails into my private email so can you kindly resend it to my work email instead? Original email below:
>
> I hope you can point me in the correct direction with this strange behaviour in OpenBSD 6.8. My script is using the Perl library Net::LDAPS like below:
> Row 85:  my $ldap = Net::LDAPS->new('localhost', port => 636, version => 3, verify => 'require', capath => '/etc/openldap/certs');
>
> When running the script it gives the following error:
> # SSL connect attempt failed error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed at update.pl line 85, <DATA> line 960
>
> And sure, if I change verify => 'none' then it works, but it would be nice to get the certs verified too.
>
> Note, this same script works ok in OpenBSD 6.7.
>
> Net::LDAPS version is 0.06 (I also have Net::SSLeay 1.88 and IO::Socket::SSL 2.068 installed, in case they are related).
>
> Do you have any ideas?

Cert validation is broken in some cases in 6.8 (false failures, not
false positives). Depending on exactly which bug you run into, changing
your program from using capath to cafile might do the trick. Otherwise
the simplest workaround in most cases is to run -current where this is
likely to work.
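
One way to apply the capath-to-cafile change suggested above while keeping verification mandatory, as an added example that is not code from the thread or from Net::LDAPS itself; the host, port and CA bundle path are assumptions:

```perl
#!/usr/bin/perl
# Added example: connect to ldaps:// with certificate verification required,
# using a CA bundle file (cafile) instead of a hashed CA directory (capath).
# The connection fails closed; it never falls back to verify => 'none'.
use strict;
use warnings;
use Net::LDAPS;

my $host   = 'localhost';                   # assumed LDAP server
my $cafile = '/etc/openldap/certs/ca.pem';  # assumed path to the CA bundle file

# verify => 'require' rejects any peer whose chain does not validate.
# cafile points IO::Socket::SSL at a single bundle, bypassing the
# capath directory lookup that the thread reports as failing on 6.8.
my $ldap = Net::LDAPS->new(
    $host,
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
) or die "LDAPS connect to $host:636 failed (verify=require, cafile=$cafile): $@\n";

# Report what was actually negotiated so a validation failure is not confused
# with a plain connectivity problem; socket() returns the IO::Socket::SSL handle.
my $sock = $ldap->socket;
if ($sock->can('peer_certificate')) {
    printf "Connected; peer certificate subject: %s\n",
        $sock->peer_certificate('subject');
}

# An anonymous bind is enough to prove the verified channel is usable.
my $mesg = $ldap->bind;
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;
$ldap->unbind;
```

If this still fails with the same "unknown ca" alert, the CA bundle itself is the next thing to check (for example, whether it contains the full issuing chain), since cafile sidesteps only the directory lookup.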


Re: Net::LDAPS certificate verification fails in 6.8

Theo Buehler-3
On Mon, Feb 01, 2021 at 09:44:07AM +0000, Stuart Henderson wrote:

> On 2021/02/01 08:44, Helmut Kiessling wrote:
> > Hi,
> >
> > Seems I have issues receiving emails into my private email so can you kindly resend it to my work email instead? Original email below:
> >
> > I hope you can point me in the correct direction with this strange behaviour in OpenBSD 6.8. My script is using the Perl library Net::LDAPS like below:
> > Row 85:  my $ldap = Net::LDAPS->new('localhost', port => 636, version => 3, verify => 'require', capath => '/etc/openldap/certs');
> >
> > When running the script it gives the following error:
> > # SSL connect attempt failed error:1404B418:SSL routines:ST_CONNECT:tlsv1 alert unknown ca error:14FFF086:SSL routines:(UNKNOWN)SSL_internal:certificate verify failed at update.pl line 85, <DATA> line 960
> >
> > And sure, if I change verify => 'none' then it works, but it would be nice to get the certs verified too.
> >
> > Note, this same script works ok in OpenBSD 6.7.
> >
> > Net::LDAPS version is 0.06 (I also have Net::SSLeay 1.88 and IO::Socket::SSL 2.068 installed, in case they are related).
> >
> > Do you have any ideas?
>
> Cert validation is broken in some cases in 6.8 (false failures, not
> false positives). Depending on exactly which bug you run into, changing
> your program from using capath to cafile might do the trick. Otherwise
> the simplest workaround in most cases is to run -current where this is
> likely to work.
>

We will release a syspatch for 6.8 that will likely fix this in the next few
days.