On Mon, 28 Apr 2025 12:26:52 +0000, Peter Palfrader wrote:
> after upgrading to Debian 12, some of our tooling fell over with
>
>   | Couldn't start TLS: hostname verification failed
>
> Turns out, Net::SMTP::TLS does not provide the hostname to the code
> that in the end tries to verify the CN, so that code in turn ends up
> using the socket endpoint IP address.
Thanks! Forwarded upstream as https://rt.cpan.org/Ticket/Display.html?id=164994

2 remarks:

1) AFAIK Net::SMTP has supported TLS for quite some time, so Net::SMTP::TLS might be unneeded by now.
2) Regarding the patch:
- if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
+ if(not IO::Socket::SSL::socket_to_SSL($me->{sock},
SSL_verifycn_name=>$me->{Host})){
croak "Couldn't start TLS:
".IO::Socket::SSL::errstr."\n";
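Review bot: passing SSL_verifycn_name=>$me->{Host} makes the certificate check compare against the configured hostname rather than the socket peer's IP address, which matches the reported failure, but it silently depends on $me->{Host} being set; if a caller constructed the object without a Host value, verification would fall back to the old behaviour, so consider croaking when $me->{Host} is empty and mentioning the new requirement in the changelog. Since the IO::Socket::SSL documentation quoted below marks socket_to_SSL() as superseded by IO::Socket::SSL->start_SSL(), the same change could switch to start_SSL($me->{sock}, SSL_verifycn_name => $me->{Host}) so the fix does not build on a deprecated entry point.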
Looking at IO::Socket::SSL's documentation (admittedly on my unstable machine):

    socketToSSL() and socket_to_SSL()
        use IO::Socket::SSL->start_SSL() instead
I see the point of keeping upstream's use of socket_to_SSL(); just
another hint that Net::SMTP::TLS smells a bit unfresh …
But yeah, adding this change looks like an improvement over the status quo.
Cheers,
gregor

-- 
https://info.comodo.priv.at -- Debian Developer https://www.debian.org
OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe