Re: Net::LDAP fails with later versions of IO::Socket::SSL [SEC=UNCLASSIFIED]

Fri, 04 Nov 2011 05:33:17 -0700 

Hi Matt,

please have a look at the patches in
* https://github.com/gbarr/perl-ldap/pull/3
* https://github.com/gbarr/perl-ldap/pull/4
on Graham's perl-ldap git repository.

In addition to fixing the issue they should add a few other minor glitches as 
well as adding some new Controls.

The former one is already included in the next branch of the perl-ldap repo.
For ther latter I'm still hoping that Graham will do the same, and after that
realease a new version.

It would be cool you reported feedback on the mailing list

Peter


On Wednesday, 2. November 2011, Hart, Matthew MR 2 wrote:
> UNCLASSIFIED
> 
> Hey Guys,
> 
> I think there is a problem with Net::LDAP using start_tls with later
> versions of IO::Socket::SSL. I've just tryed to get perl-ldap-0.43
> working with IO-Socket-SSL-1.49, but I kept getting
> "LDAP_OPERATIONS_ERROR" errors, which didn't have any detail. By tracing
> through the code, at about line 1043:
> 
>   if ($sock_class ne ref($sock)) {
>     $err = $sock->errstr;
>     bless $sock, $sock_class;
>   }
> 
>   print "ERR: $err\n";
> 
>   _error($ldap, $mesg, LDAP_OPERATIONS_ERROR, $err);
> 
> The actual value of $err was "Cannot determine peer hostname for
> verificationerror:00000000:lib(0):func(0):reason(0)", which didn't seem
> to be reported back when I did a:
> 
> $result = $ldap->start_tls(%ssl);
> if ($result->is_error()){
>     print $result->error_name().":
> ".$result->error_desc()."\n".$result->error_text()."\n";
> }
> 
> 
> (It just said operations error, which was hard to determine the cause).
> 
> So it seems that IO::Socket::SSL 1.49 does some extra checking of peers
> at IO-Socket-SSL-1.49 IO/Socket/SSL.pm line 284. I think it is expecting
> 'PeerHost' or 'PeerAddr' to be passed (or scheme to be 'none' or a
> coderef), which Net::LDAP isn't doing in _SSL_context_init_args?
> 
> Anyway, long story short, by backgrading IO::Socket::SSL to v1.06, the
> issue seems to go away, as these sort of checks are not performed at all
> in older versions of the module.
> 
> Cheers,
> 
> -Matt
> 
> 
> 
> IMPORTANT: This email remains the property of the Department of Defence
> and is subject to the jurisdiction of section 70 of the Crimes Act 1914.
> If you have received this email in error, you are requested to contact
> the sender and delete the email.


-- 
Peter Marschall
pe...@adpm.de

Reply via email to