[RADIATOR] Net::LDAPS problem with Active Directory on port 636
Klara Mall
klara.mall at kit.edu
Tue Nov 12 20:02:31 CST 2013
Hi,
On Tue, Nov 12, 2013 at 10:55:12PM +0100, Klara Mall wrote:
> So is this a bug in IO::Socket::SSL?
Yes, I think so. In this module SSL variables which are not set are
overridden with global variables. But it seems for this one (the
identity is set to $host) it is too early. So I moved this code
block somewhat down which fixes it. (Although I'm wondering if the
identity should be overridden with a global variable at all.)
Fix for version 1.74 (Debian wheezy):
-----------------------------------------------------------
--- SSL.pm.orig 2013-11-13 02:11:46.752935483 +0100
+++ SSL.pm 2013-11-13 02:12:44.413920483 +0100
@@ -291,9 +291,6 @@
}
}
- #Replace nonexistent entries with defaults
- %$arg_hash = ( %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash );
-
#Avoid passing undef arguments to Net::SSLeay
defined($arg_hash->{$_}) or delete($arg_hash->{$_}) foreach (keys %$arg_hash);
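Review bot: removing the defaults merge from this position means the `defined($arg_hash->{$_}) or delete($arg_hash->{$_})` loop that follows now runs over the caller's arguments only; any undef value contributed later by `%default_args` or `%$GLOBAL_CONTEXT_ARGS` will reach Net::SSLeay unfiltered. Either repeat the undef-stripping after the relocated merge or confirm that neither default hash can carry undef values. Also worth checking whether any code between the old and the new position reads a key that only the defaults supply, since that lookup will now return undef.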
@@ -327,6 +324,9 @@
return $rv;
};
}
+
+ #Replace nonexistent entries with defaults
+ %$arg_hash = ( %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash );
${*$self}{'_SSL_arguments'} = $arg_hash;
${*$self}{'_SSL_ctx'} = IO::Socket::SSL::SSL_Context->new($arg_hash) || return;
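Review bot: the relocated merge now sits directly before `_SSL_arguments` is stored and `SSL_Context->new($arg_hash)` is called, so the context does see the defaults, but the fix works only because the identity has already been written into $arg_hash by this point (the merge order gives `%$arg_hash` precedence over the globals). A comment stating that ordering dependency, e.g. `# must run after the identity has been stored in $arg_hash`, would keep a later edit from moving the block back up.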
-----------------------------------------------------------
Fix for recent version 1.959:
-----------------------------------------------------------
--- SSL.pm.orig 2013-11-13 02:05:17.658251025 +0100
+++ SSL.pm 2013-11-13 02:04:55.129862855 +0100
@@ -300,13 +300,6 @@
$is_server = $arg_hash->{SSL_server} = $arg_hash->{Listen} || 0;
}
- # add user defined defaults
- %$arg_hash = (
- %$GLOBAL_SSL_ARGS,
- $is_server ? %$GLOBAL_SSL_SERVER_ARGS : %$GLOBAL_SSL_CLIENT_ARGS,
- %$arg_hash
- );
-
my $ctx = $arg_hash->{'SSL_reuse_ctx'};
if ($ctx) {
if ($ctx->isa('IO::Socket::SSL::SSL_Context') and
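Review bot: with the merge removed here, `my $ctx = $arg_hash->{'SSL_reuse_ctx'}` two lines below reads the caller's hash before `%$GLOBAL_SSL_ARGS` and the client or server globals are applied, so an SSL_reuse_ctx supplied only through the global defaults is no longer picked up and a fresh context is built instead. If that behaviour change is intended, state it in the commit message; otherwise consult the global hashes for SSL_reuse_ctx at this point as well.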
@@ -320,6 +313,13 @@
# create context
# this will fill in defaults in $arg_hash
$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash);
+
+ # add user defined defaults
+ %$arg_hash = (
+ %$GLOBAL_SSL_ARGS,
+ $is_server ? %$GLOBAL_SSL_SERVER_ARGS : %$GLOBAL_SSL_CLIENT_ARGS,
+ %$arg_hash
+ );
${*$self}{'_SSL_arguments'} = $arg_hash;
${*$self}{'_SSL_ctx'} = $ctx;
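Review bot: placing the merge after `$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash)` has two consequences, given that the comment above that line says the constructor fills defaults into $arg_hash: the context is created without the global defaults (verification settings such as SSL_verify_mode supplied via the global hashes never reach it), and because `%$arg_hash` is last in the merge, the defaults the constructor filled in now take precedence over the global values rather than the other way round. Only `_SSL_arguments` ends up reflecting the globals. Keeping the global merge before context creation and deferring only the hostname-dependent key would avoid this.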
-----------------------------------------------------------
Don't know if these fixes are ok, but they show where the problem
resides.
I want to report this to the module maintainers. Please tell me if I'm
wrong somewhere.
As for my radiator configuration I will reconsider it. I think I
will find a way to only use SSL so that I have no mix of SSL and
TLS.
BTW: I just verified: with libnet-ldap-perl from Debian squeeze it
works. It seems the reason is that the part of the
IO::Socket::SSL code with the identity is not used (no DEBUG
output for this).
Regards
Klara
--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)
Klara Mall
Netze und Telekommunikation (NET)
Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Phone: +49 721 608-28630
Phone: +49 721 608-48946
E-Mail: klara.mall at kit.edu
Web: http://www.scc.kit.edu
KIT - University of the State of Baden-Württemberg and
National Research Center of the Helmholtz Association