Hi,

On Tue, Nov 12, 2013 at 10:55:12PM +0100, Klara Mall wrote:
> So is this a bug in IO::Socket::SSL?
Yes, I think so. In this module SSL variables which are not set are overridden with global variables. But it seems for this one (the identity is set to $host) it is too early. So I moved this code block somewhat down, which fixes it. (Although I'm wondering if the identity should be overridden with a global variable at all.)

Fix for version 1.74 (Debian wheezy):

----------------------------------------------------------- --- SSL.pm.orig 2013-11-13 02:11:46.752935483 +0100 +++ SSL.pm 2013-11-13 02:12:44.413920483 +0100 @@ -291,9 +291,6 @@ } } - #Replace nonexistent entries with defaults - %$arg_hash = ( %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash ); - #Avoid passing undef arguments to Net::SSLeay defined($arg_hash->{$_}) or delete($arg_hash->{$_}) foreach (keys %$arg_hash); @@ -327,6 +324,9 @@ return $rv; }; } + + #Replace nonexistent entries with defaults + %$arg_hash = ( %default_args, %$GLOBAL_CONTEXT_ARGS, %$arg_hash ); ${*$self}{'_SSL_arguments'} = $arg_hash; ${*$self}{'_SSL_ctx'} = IO::Socket::SSL::SSL_Context->new($arg_hash) || return; -----------------------------------------------------------

Fix for recent version 1.959:

----------------------------------------------------------- --- SSL.pm.orig 2013-11-13 02:05:17.658251025 +0100 +++ SSL.pm 2013-11-13 02:04:55.129862855 +0100 @@ -300,13 +300,6 @@ $is_server = $arg_hash->{SSL_server} = $arg_hash->{Listen} || 0; } - # add user defined defaults - %$arg_hash = ( - %$GLOBAL_SSL_ARGS, - $is_server ? %$GLOBAL_SSL_SERVER_ARGS : %$GLOBAL_SSL_CLIENT_ARGS, - %$arg_hash - ); - my $ctx = $arg_hash->{'SSL_reuse_ctx'}; if ($ctx) { if ($ctx->isa('IO::Socket::SSL::SSL_Context') and 
@@ -320,6 +313,13 @@ # create context # this will fill in defaults in $arg_hash $ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash); + + # add user defined defaults + %$arg_hash = ( + %$GLOBAL_SSL_ARGS, + $is_server ? %$GLOBAL_SSL_SERVER_ARGS : %$GLOBAL_SSL_CLIENT_ARGS, + %$arg_hash + ); ${*$self}{'_SSL_arguments'} = $arg_hash; ${*$self}{'_SSL_ctx'} = $ctx; -----------------------------------------------------------

Don't know if these fixes are ok, but they show where the problem resides. I want to report this to the module maintainers. Please tell if I'm wrong somewhere.

As for my radiator configuration, I will reconsider it. I think I will find a way to only use SSL so that I have no mix of SSL and TLS.

BTW: I just verified: with libnet-ldap-perl from Debian squeeze it works. As it seems, the reason is that the part of the IO::Socket::SSL code with the identity is not used (no DEBUG output for this).

Regards,
Klara

--
Karlsruher Institut für Technologie (KIT)
Steinbuch Centre for Computing (SCC)

Klara Mall
Netze und Telekommunikation (NET)

Hermann-von-Helmholtz-Platz 1
76344 Eggenstein-Leopoldshafen
Telefon: +49 721 608-28630
Telefon: +49 721 608-48946
E-Mail: klara.m...@kit.edu
Web: http://www.scc.kit.edu

KIT - Universität des Landes Baden-Württemberg und nationales Forschungszentrum in der Helmholtz-Gemeinschaft
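Review bot: in hunk @@ -291,9 +291,6 @@ of the 1.74 patch, taking the merge out from above the `defined($arg_hash->{$_}) or delete($arg_hash->{$_})` loop means that loop no longer sees the entries coming from %default_args and %$GLOBAL_CONTEXT_ARGS; any undef value in those two hashes now survives the relocated merge and reaches Net::SSLeay, which is exactly what the comment '#Avoid passing undef arguments to Net::SSLeay' is there to prevent. Either confirm neither hash ever carries an undef value, or repeat the delete loop right after the moved merge.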
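Review bot: the relocated block in hunk @@ -327,6 +324,9 @@ of the 1.74 patch keeps the old comment '#Replace nonexistent entries with defaults', which says nothing about why the merge must now sit this late; add a line stating that it is deliberately placed after the code that derives the identity from $host, so that `%$arg_hash` being last in the list keeps that value over the global default. Without that note the next cleanup is likely to move it back up.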
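Review bot: in hunk @@ -300,13 +300,6 @@ of the 1.959 patch the removed merge used to run before `my $ctx = $arg_hash->{'SSL_reuse_ctx'};`, so an SSL_reuse_ctx supplied only through %$GLOBAL_SSL_ARGS or the client/server global hashes is no longer found at that point. That is a behaviour change unrelated to the identity problem and should be mentioned in the report to the maintainers, or the lookup should consult the global hashes as well.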
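Review bot: in hunk @@ -320,6 +313,13 @@ of the 1.959 patch the merge now runs after `$ctx ||= IO::Socket::SSL::SSL_Context->new($arg_hash);`, and the context line's own comment says that call fills in defaults from $arg_hash; the context is therefore built without anything that only the global hashes provide, and the late merge only changes what ends up in `_SSL_arguments`. Unless SSL_Context->new applies the globals itself, merge everything except the identity-related keys before creating the context, defer only those, and say in the comment which keys are deferred and why.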
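The ordering problem the mail describes, as an added illustration that is neither IO::Socket::SSL code nor Klara's patch: it assumes, as the description implies, that the module fills the identity from $host only when the key is not already present, and the global default value and host names are constructed.

```perl
#!/usr/bin/perl
# Added illustration, not IO::Socket::SSL code. Shows why the position of the
# "fill in defaults" merge relative to the identity assignment decides which
# name the certificate is checked against.
use strict;
use warnings;

my %default_args        = ( SSL_verify_mode => 1 );
# constructed: a global default a caller left behind via set_ctx_defaults-style code
my %GLOBAL_CONTEXT_ARGS = ( SSL_verifycn_name => 'ldap.example.org' );

sub set_identity_from_host {
    my ($arg_hash, $host) = @_;
    # assumed module behaviour: only fill in the identity if none is present yet
    $arg_hash->{SSL_verifycn_name} = $host
        unless exists $arg_hash->{SSL_verifycn_name};
}

sub merge_defaults {
    my ($arg_hash) = @_;
    # later keys win: per-call args beat globals, globals beat built-in defaults
    %$arg_hash = ( %default_args, %GLOBAL_CONTEXT_ARGS, %$arg_hash );
}

sub build_args_merge_first {     # 1.74 order: merge, then identity from $host
    my ($host, %user) = @_;
    my $arg_hash = { %user };
    merge_defaults($arg_hash);
    set_identity_from_host($arg_hash, $host);
    return $arg_hash;
}

sub build_args_identity_first {  # patched order: identity from $host, then merge
    my ($host, %user) = @_;
    my $arg_hash = { %user };
    set_identity_from_host($arg_hash, $host);
    merge_defaults($arg_hash);
    return $arg_hash;
}

my %orders = (
    'merge first (1.74)       ' => \&build_args_merge_first,
    'identity first (patched) ' => \&build_args_identity_first,
);
for my $name (sort keys %orders) {
    # constructed host: the server this connection is actually going to
    my $args = $orders{$name}->('radius.example.net');
    printf "%s SSL_verifycn_name=%s\n", $name, $args->{SSL_verifycn_name};
}
```

With the merge first, the global 'ldap.example.org' is already in $arg_hash when the identity code runs, so the certificate of radius.example.net would be checked against the wrong name; with the merge last, $arg_hash comes last in the list and the per-connection host wins.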