I'm trying to send email with Perl. My code works fine with Yahoo's SMTP server but when I try to use another SMTP server (with a self-signed SSL certificate), I get this error:
Couldn't start TLS: SSL connect attempt failed because of handshake problems error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
at mail2.pl line 2.
My code is:
use Net::SMTP::TLS;
my $mailer = new Net::SMTP::TLS(
'mail.SomeHost.com',
Hello => 'mail.SomeHost.com',
Port => 587,
User => 'info#SomeHost.com',
Password=> '123456789'
);
$mailer->mail('info#SomeHost.com');
$mailer->to('info#SomeHost.com');
$mailer->data();
$mailer->datasend("From: info#SomeHost.com\n");
$mailer->datasend("To: info#SomeHost.com\n");
$mailer->datasend("Subject: test\n");
$mailer->datasend("Content-type: text/html\n\n");
$mailer->datasend("\n");
$mailer->datasend("<html><body><p>hi text</p><br></body></html>\n");
$mailer->dataend();
$mailer->quit;
How can I fix this?
Result with -MIO::Socket::SSL=debug4:
DEBUG: .../IO/Socket/SSL.pm:2537: new ctx 17003088
DEBUG: .../IO/Socket/SSL.pm:1343: start handshake
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:589: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=5
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> 0
DEBUG: .../IO/Socket/SSL.pm:701: connection failed - connect returned 0
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed because of handshake problems
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed because of handshake problems
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:2570: free ctx 17003088 open=17003088
DEBUG: .../IO/Socket/SSL.pm:2575: free ctx 17003088 callback
DEBUG: .../IO/Socket/SSL.pm:2582: OK free ctx 17003088 Couldn't start TLS:
SSL connect attempt failed because of handshake problems
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure at mail2.pl line 2.
Related
Software:
Homegrown Perl-5.34.1 (not perlbrew)
Net-SSLeay 1.92
IO-Socket-SSL 2.074
[Apologies for lack of pastebin, no access from this location]
The "proxy tunnel" is HTTP, but the local firewall rules require
that the connection be initiated with 'https'.
Making the connection via IO::Socket::INET and promoting it or
sans handshake and performing it late don't seem to work around
the proxy/tunnel issues, so I'm guessing this must require a
separate socket.
Q: What is a working approach for handling the "http proxy tunnel"
using IO::Socket::SSL, possibly with some other modules?
I'd prefer to avoid LWP::UserAgent if its possible, I just cannot
find anything on CPAN that seems to deal with the issues.
Examples:
(1) curl --verbose
Attempting a connection from a RHEL6 platform through an intranet
firewall to an HTTPS service. The service is a 'hello world' server
intended to validate the SSL connection. It works from Firefox on an
intranet host (not the same one as I'm using for IO::Socket:SSL).
Using curl fails to connect, but shows the "proxy tunnel" (hosts and
IP's munged).
curl --verbose 'https://foo.bar.net/bim/bam'
* Trying 10.10.10.10...
* Connected to 10.10.10.10 (10.10.10.10) port 80 (#0)
* Establish HTTP proxy tunnel to foo.bar.net:443
> CONNECT foo.bar.net:443 HTTP/1.1
> Host: foo.bar.net:443
> User-Agent: curl/7.44.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 503 Service Unavailable
< Cache-Control: no-cache
< X-XSS-Protection: 1
< Connection: close
< Content-Type: text/html; charset=utf-8
< Content-Length: 750
< Pragma: no-cache
< Set-Cookie: frobnicate; path=/; Httponly
<
* Received HTTP code 503 from proxy after CONNECT
* Closing connection 0
curl: (56) Received HTTP code 503 from proxy after CONNECT
(2) IO:Socket::SSL alone
The tunnel doesn't appear to be transparent:
41: $IO::Socket::SSL::DEBUG = 3;
42: IO::Socket::SSL->new
43: (
44: PeerAddr => $auth
45: , PeerPort => 'https'
46: )
DB<1>
DEBUG: .../IO/Socket/SSL.pm:2961: new ctx 54179840
DEBUG: .../IO/Socket/SSL.pm:704: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:706: socket connected
DEBUG: .../IO/Socket/SSL.pm:729: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:771: using SNI with hostname foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:806: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:836: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2852: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2805: ok=0 [0] /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1/C=US/ST=New York/L=Someplace/O=Foo Bar, Inc./CN=foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:839: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:842: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:845: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...inux/IO/Socket.pm:50: ignoring less severe local error 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:3010: free ctx 54179840 open=
DEBUG: .../IO/Socket/SSL.pm:3014: free ctx 54179840 callback
DEBUG: .../IO/Socket/SSL.pm:3021: OK free ctx 54179840
not ok 1 - Direct: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.
The POD for IO::Socket::SSL has two suggestions for possibly working
around this situation:
(3) INET socket + Promotion:
my $sock = IO::Socket::INET->new(...) or die $!;
IO::Socket::SSL->start_SSL($sock,%sslargs) or die $SSL_ERROR;
$sock->stop_SSL or die $SSL_ERROR;
41: my $sock
42: = IO::Socket::INET->new
43: (
44: PeerAddr => $auth
45: , PeerPort => 'https'
46: )
47: or die "INET: $IO::Socket::errstr\n";
49: IO::Socket::SSL->start_SSL
50: (
51: $sock
52: , 'PeerPort' => 'https'
53: )
54: or die "SSL: $SSL_ERROR\n";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:2961: new ctx 58865232
DEBUG: .../IO/Socket/SSL.pm:1561: start handshake
DEBUG: .../IO/Socket/SSL.pm:729: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:774: not using SNI because hostname is unknown
DEBUG: .../IO/Socket/SSL.pm:806: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:836: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2852: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2805: ok=0 [0] /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1/C=US/ST=New York/L=Edgewood/O=Foo Bar, Inc./CN=foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:839: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:842: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:845: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1984: downgrading SSL only, not closing socket
DEBUG: .../IO/Socket/SSL.pm:3010: free ctx 58865232 open=
DEBUG: .../IO/Socket/SSL.pm:3014: free ctx 58865232 callback
DEBUG: .../IO/Socket/SSL.pm:3021: OK free ctx 58865232
BRCC::FM::Test::(bin/socket-check:55):
(4) SSL socket with delayed handshake:
41: my $sock
42: = IO::Socket::SSL->new
43: (
44: PeerAddr => $auth
45: , PeerPort => 'https'
46: , SSL_startHandshake => 0
47: )
48: or die "SSL: $SSL_ERROR";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:2961: new ctx 43293280
DEBUG: .../IO/Socket/SSL.pm:704: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:706: socket connected
BRCC::FM::Test::(bin/socket-check:50):
50: $sock->connect_SSL
51: or die "Connect: $SSL_ERROR";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:729: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:771: using SNI with hostname foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:806: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:836: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2852: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2805: ok=0 [0] /C=US/O=DigiCert Inc/CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1/C=US/ST=New York/L=Edgewood/O=Foo Bar, Inc./CN=foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:839: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:842: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:842: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:845: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:3010: free ctx 43293280 open=
DEBUG: .../IO/Socket/SSL.pm:3014: free ctx 43293280 callback
DEBUG: .../IO/Socket/SSL.pm:3021: OK free ctx 43293280
(5) Disabling SSL_verify_mode didn't get much further with ssl_handshake turned on:
41: my $sock
42: = IO::Socket::SSL->new
43: (
44: PeerAddr => $auth
45: , PeerPort => 'https'
46: , SSL_startHandshake => 1
47: , SSL_verify_mode => 0
48: )
49: or die "SSL: $SSL_ERROR";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:2537: new ctx 50291120
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname foo.bar.com
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:1758: IO::Socket::INET configuration failed
DEBUG: .../IO/Socket/SSL.pm:2570: free ctx 50291120 open=50291120
DEBUG: .../IO/Socket/SSL.pm:2582: OK free ctx 50291120
(6) Delaying the handshake gets the same result:
41: my $sock
42: = IO::Socket::SSL->new
43: (
44: PeerAddr => $auth
45: , PeerPort => 'https'
46: , SSL_startHandshake => 0
47: , SSL_verify_mode => 0
48: )
49: or die "SSL: $SSL_ERROR";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:2537: new ctx 42963376
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
BRCC::FM::Test::(bin/socket-check:51):
51: $sock->connect_SSL
52: or die "Connect: $SSL_ERROR";
DB<1>
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname foo.bar.net
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
DEBUG: .../IO/Socket/SSL.pm:2570: free ctx 42963376 open=42963376
DEBUG: .../IO/Socket/SSL.pm:2582: OK free ctx 42963376
I have a simple perl script that uses LWP::UserAgent to connect to a secure site. It works fine. When I use Mojo::UserAgent, it fails to validate the certificate. This is reliable and repeatable. The basic Perl code is:
use strict;
use warnings;
use IO::Socket::SSL 1.980;
use LWP::UserAgent;
use Mojo::UserAgent;
$IO::Socket::SSL::DEBUG=3;
my $dst = "<DOMAIN>";
my $url = "<URL-AT-DOMAIN>";
my $A_OR_B = 1;
my $ua;
if ($A_OR_B) {
$ua = Mojo::UserAgent->new();
$ua->connect_timeout(20);
} else {
$ua = LWP::UserAgent->new();
}
my $resp = $ua->get($url);
if ($A_OR_B) {
print $resp->result->message;
print $resp;
} else {
print $resp->status_line."\n";
}
The output from the IO::Socket debugging is:
For the Mojo (failure):
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 48892560
DEBUG: .../IO/Socket/SSL.pm:1638: don't start handshake: IO::Socket::SSL=GLOB(0x2e957d8)
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:829: using SNI with hostname <DOMAIN>
DEBUG: .../IO/Socket/SSL.pm:864: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2911: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2864: ok=0 [3] /O=Digital Signature Trust Co./CN=DST Root CA X3/O=Digital Signature Trust Co./CN=DST Root CA X3
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:900: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 48892560 open=
DEBUG: .../IO/Socket/SSL.pm:3063: free ctx 48892560 callback
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 48892560
SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
at /home/briefly/bad.pl line 26.
and the output for the LWP version (success), is:
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 41136976
DEBUG: .../IO/Socket/SSL.pm:762: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:764: socket connected
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:829: using SNI with hostname <DOMAIN>
DEBUG: .../IO/Socket/SSL.pm:864: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:880: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:917: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:937: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2911: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:917: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:937: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [2] /C=US/O=Internet Security Research Group/CN=ISRG Root X1/C=US/O=Internet Security Research Group/CN=ISRG Root X1
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [1] /C=US/O=Internet Security Research Group/CN=ISRG Root X1/C=US/O=Let's Encrypt/CN=R3
DEBUG: .../IO/Socket/SSL.pm:2864: ok=1 [0] /C=US/O=Let's Encrypt/CN=R3/CN=tls.automattic.com
DEBUG: .../IO/Socket/SSL.pm:1840: scheme=www cert=41975232
DEBUG: .../IO/Socket/SSL.pm:1850: identity=< **VERY LONG LIST OF DOMAINS** >
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:917: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:937: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:952: ssl handshake done
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 41136976 open=
DEBUG: .../IO/Socket/SSL.pm:3063: free ctx 41136976 callback
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 41136976
200 OK
Does anyone have any insights?
I would suggest that LWP:UserAgent and Mojo::UserAgent use different trust stores. LWP::UserAgent will default to using Mozilla::CA while Mojo::UserAgent not. Try to enforce the use of Mozilla::CA with Mojo::UserAgent with
$ua->ca(Mozilla::CA::SSL_ca_file());
I do request to https://bank.gov.ua
my $ua = Mojo::UserAgent->new;
$ua->get("https://bank.gov.ua/NBUStatService/v1/statdirectory/exchange?valcode=EUR&date=$date_now&json");
And get error:
DEBUG: .../IO/Socket/SSL.pm:3010: new ctx 146452496
DEBUG: .../IO/Socket/SSL.pm:1638: don't start handshake: IO::Socket::SSL=GLOB(0xc955978)
DEBUG: .../IO/Socket/SSL.pm:787: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:829: using SNI with hostname bank.gov.ua
DEBUG: .../IO/Socket/SSL.pm:864: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:907: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:894: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:897: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:900: local error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:903: fatal SSL error: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:3059: free ctx 146452496 open=
DEBUG: .../IO/Socket/SSL.pm:3063: free ctx 146452496 callback
DEBUG: .../IO/Socket/SSL.pm:3070: OK free ctx 146452496
I can do request with curl from this host to give url with no problem.
Does any know what problem is when I do this via IO::Socket::SSL (Mojo::UserAgent)?
This server is pretty strange:
the first request with openssl s_client -connect bank.gov.ua:443 fails with the server simply closing the connection: "SSL handshake has read 0 bytes and written 303 bytes"
the Mojo::UserAgent code fails too
doing a request with an explicit TLS 1.2 succeeds: openssl s_client -connect bank.gov.ua:443 -tls1_2
trying the first request again suddenly succeeds too
an the Mojo::UserAgent code now succeeds too
My only explanation is some firewall or load balancer which temporarily white lists an IP address in case it has seen a valid TLS ClientHello - and which considers TLS 1.3 not a valid one.
I am very new to this type of thing and not sure what I am doing wrong.
Inside Mojolicious app, I am battling to connect to the Apple Push Notification SSL Socket. I would like to send a push notification to an app.
Debug Information:
DEBUG: .../IO/Socket/SSL.pm:2700: new ctx 138351632
DEBUG: .../IO/Socket/SSL.pm:612: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:614: socket connected
DEBUG: .../IO/Socket/SSL.pm:636: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:669: using SNI with hostname gateway.push.apple.com
DEBUG: .../IO/Socket/SSL.pm:704: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:736: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2601: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2554: ok=0 [1] /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
DEBUG: .../IO/Socket/SSL.pm:739: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:742: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:742: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:745: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...5.18/IO/Socket.pm:48: ignoring less severe local error 'IO::Socket::IP configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2733: free ctx 138351632 open=138351632
DEBUG: .../IO/Socket/SSL.pm:2738: free ctx 138351632 callback
DEBUG: .../IO/Socket/SSL.pm:2745: OK free ctx 138351632
Code snip bit:
use IO::Socket::SSL qw(debug3);
my $cl = IO::Socket::SSL->new(
PeerHost => 'gateway.push.apple.com',
# PeerHost => 'gateway.sandbox.push.apple.com',
PeerPort => '2195',
SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_file => '/var/www/foo/bar/cert/ck.pem',
);
I'm not sure where to go or what to do from here?
I figured it out: I was using the incorrect pass phrase! I was able to implement the much simpler perl module Net::APNS
use Net::APNS;
my %settings = (
cert => "$Cert_file",
key => "$Cert_key_file",
passwd => "$passphrase",
);
if(my $Notifier = Net::APNS->new->notify(\%settings)) {
$Notifier->write({
devicetoken => "$device_token",
message => "$message",
sound => 'default',
badge => 1
});
return 1 if defined($Notifier) and ref($Notifier) eq "Net::APNS::Notification";
}
Thank you for all your input!
I am running Debian Jessie. I have a script that was working perfectly a couple of weeks ago on a virtual machine but has now stopped working suddenly. I can't think of any perl module updates I made that would have broken this. And if I run the script from another Jessie server, it works fine.
Here is the relevant code:
use LWP::UserAgent;
my $browser = LWP::UserAgent->new;
my $url = 'https://api.vimeo.com/oauth/authorize/client';
my $response = $browser->post($url, { grant_type => 'client_credentials' }, 'Authorization' => ' basic ' . encode_base64('CLIENT_ID:CLIENT_SECRET') );
if ($response->code ne '200') {
logf("There was a problem with the server response from Vimeo while requesting an access token.\nServer response: " . $response->decoded_content);
}
The error thrown is coming from /usr/share/perl5/LWP/Protocol/http.pm line 49 and reads: Can't connect to api.vimeo.com:443
When I run the script with use IO::Socket::SSL qw(debug3); here's what I get for output:
DEBUG: .../IO/Socket/SSL.pm:2537: new ctx 56137248
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname api.vimeo.com
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=58104432
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=59040416
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=58950080
DEBUG: .../IO/Socket/SSL.pm:1548: scheme=www cert=58950080
DEBUG: .../IO/Socket/SSL.pm:1558: identity=api.vimeo.com cn=*.vimeo.com alt=2 *.vimeo.com 2 vimeo.com
DEBUG: .../IO/Socket/SSL.pm:2443: got stapled OCSP response
run basic verify at /usr/share/perl5/IO/Socket/SSL.pm line 2450.
found issuer in chain at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
got issuer at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname api.vimeo.com
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=58104432
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=61018848
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1548: scheme=www cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1558: identity=api.vimeo.com cn=*.vimeo.com alt=2 *.vimeo.com 2 vimeo.com
DEBUG: .../IO/Socket/SSL.pm:2443: got stapled OCSP response
run basic verify at /usr/share/perl5/IO/Socket/SSL.pm line 2450.
found issuer in chain at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
got issuer at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname api.vimeo.com
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=58104432
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=59035200
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1548: scheme=www cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1558: identity=api.vimeo.com cn=*.vimeo.com alt=2 *.vimeo.com 2 vimeo.com
DEBUG: .../IO/Socket/SSL.pm:2443: got stapled OCSP response
run basic verify at /usr/share/perl5/IO/Socket/SSL.pm line 2450.
found issuer in chain at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
got issuer at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:529: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:531: socket connected
DEBUG: .../IO/Socket/SSL.pm:553: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:586: using SNI with hostname api.vimeo.com
DEBUG: .../IO/Socket/SSL.pm:621: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:640: set socket to non-blocking to enforce timeout=180
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=58104432
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=59044736
DEBUG: .../IO/Socket/SSL.pm:2393: ok=1 cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1548: scheme=www cert=61025968
DEBUG: .../IO/Socket/SSL.pm:1558: identity=api.vimeo.com cn=*.vimeo.com alt=2 *.vimeo.com 2 vimeo.com
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:663: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:673: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:693: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2443: got stapled OCSP response
run basic verify at /usr/share/perl5/IO/Socket/SSL.pm line 2450.
found issuer in chain at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
got issuer at /usr/share/perl5/IO/Socket/SSL.pm line 2457.
DEBUG: .../IO/Socket/SSL.pm:653: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1769: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:1774: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:659: fatal SSL error: SSL connect attempt failed error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid
DEBUG: .../IO/Socket/SSL.pm:1758: IO::Socket::IP configuration failed
DEBUG: .../IO/Socket/SSL.pm:2570: free ctx 56137248 open=56137248
DEBUG: .../IO/Socket/SSL.pm:2575: free ctx 56137248 callback
DEBUG: .../IO/Socket/SSL.pm:2582: OK free ctx 56137248
The the $browser user agent is able to successfully execute a get request https://facebook.com without issue. It just doesn't seem to work for Vimeo.
fatal SSL error: ... :OCSP_check_validity:status not yet valid
Vimeo uses OCSP stapling to ease revocation checks but attaches a OCSP response which your system considers as not yet valid. It might be that the time on your system is wrong so that it thinks that the timestamp in the response is in the future, whereas it is in the present.
And if I run the script from another Jessie server, it works fine.
If both servers run the same software then I guess that the problematic server has the wrong time.