Hey Guys,

I think there is a problem with Net::LDAP using start_tls with later versions of IO::Socket::SSL.

I've just tried to get perl-ldap-0.43 working with IO-Socket-SSL-1.49, but I kept getting "LDAP_OPERATIONS_ERROR" errors, which didn't have any detail.

By tracing through the code, at about line 1043:

    if ($sock_class ne ref($sock)) {
        $err = $sock->errstr;
        bless $sock, $sock_class;
    }
    print "ERR: $err\n";
    _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $err);

The actual value of $err was "Cannot determine peer hostname for verificationerror:00000000:lib(0):func(0):reason(0)", which didn't seem to be reported back when I did a:

    $result = $ldap->start_tls(%ssl);
    if ($result->is_error()) {
        print $result->error_name().": ".$result->error_desc()."\n".$result->error_text()."\n";
    }

(It just said operations error, which made it hard to determine the cause.)

So it seems that IO::Socket::SSL 1.49 does some extra checking of peers at IO-Socket-SSL-1.49 IO/Socket/SSL.pm line 284. I think it is expecting 'PeerHost' or 'PeerAddr' to be passed (or scheme to be 'none' or a coderef), which Net::LDAP isn't doing in _SSL_context_init_args?

Anyway, long story short, by downgrading IO::Socket::SSL to v1.06, the issue seems to go away, as these sorts of checks are not performed at all in older versions of the module.

Cheers,
-Matt