Item12279: Net::SMTP::SSL Email fails with SSL_verify_mode error on recent versions of IO::Socket::SSL
Priority: Normal
Current State: Closed
Released In: 1.1.7
Target Release: patch
Applies To: Engine
Component: FoswikiNet
Branches: Release01x01
With the latest versions of IO::Socket::SSL, Net::SMTP::SSL fails with the following:
>>>> FAILURE Sending e-mail to some@address -
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
The authors of IO::Socket::SSL made a rather unfortunate change in
version 1.79, to carp if the option of SSL_verify_mode is left to
default as SSL_VERIFY_NONE. And since Net::SMTP (as used by
Net::SMTP::SSL) does not permit any options to be passed other than the
options documented by Net::SMTP, we don't have any local solution to resolve this.
It's true that not verifying server
certificates leaves one open to Man-in-the-Middle attacks. But to make the change
like this without any coordination with something as fundamental as
libnet is rather ugly.
Looking at CPAN, libnet (Net::SMTP) has not been maintained in several years.
I opened a bug against Net::SMTP::SSL (https://rt.cpan.org/Public/Bug/Display.html?id=81594), but the fix
really is needed in Net::SMTP. To fix this right, Net::SMTP would
need to pass through any of the SSL_* options, so that things like the
ca file or path can also be specified. Since the option is verified
when Net::SMTP::SSL->new() creates the socket, there really seems to be no
other way around this other than a code change.
I've posted the workarounds we've found at
http://foswiki.org/Support/Faq69#Error:_61Default_SSL_verify_mode_deprecated_61
Once Net::SMTP and/or Net::SMTP::SSL are fixed, we need to enhance Foswiki::Net to pass the verify option, and the necessary SSL_ca information to permit certificate validation.
--
GeorgeClark - 01 Dec 2012
This can be fixed in Net.pm without external help - if esthetics aren't a concern.
Then again, the internals of Net::SMTP::SSL are not at all pretty.
Investigation shows that the current code has other issues:
- TLS support depends on a broken module
- SSLv2 is accepted (and should not be)
- Ports are not defaulted sensibly
- STARTTLS is not supported at all.
- Manual configuration is ugly and error prone - George says #1 setup issue for new users.
Fix for all these is in the testing queue. Updated this item to reflect WIP.
The work-arounds topic should probably be updated to reflect the fact that the suggestions there are temporary.
As for additional options for verify type, ca, client cert, etc - agree, but that probably should be a separate feature proposal...
--
TimotheLitt - 02 Dec 2012
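Added example, not code from this item or from Foswiki's Net.pm: because Net::SMTP only forwards its own documented options, the SSL_* settings have to be installed as process-wide IO::Socket::SSL defaults before Net::SMTP::SSL->new() builds the socket. This sets the verification George's report calls for (SSL_VERIFY_PEER plus a CA bundle and hostname check) and also refuses SSLv2, which the list above notes should not be accepted. The relay host name, port and CA bundle path are assumed placeholders; set_defaults, SSL_verifycn_scheme and SSL_version are documented IO::Socket::SSL options.

```perl
#!/usr/bin/perl
# Added example (not Foswiki code): make the SSL verification policy explicit
# before Net::SMTP::SSL creates its socket, since Net::SMTP does not pass
# SSL_* options through to IO::Socket::SSL.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use Net::SMTP::SSL;

# Assumed values: replace with your mail relay and your CA bundle.
my $host    = 'mail.example.com';                    # hypothetical relay
my $port    = 465;                                    # SMTPS default port
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';  # hypothetical CA bundle

# Process-wide defaults applied to every IO::Socket::SSL constructed afterwards,
# including the one Net::SMTP::SSL builds internally.
#  - SSL_verify_mode SSL_VERIFY_PEER: reject servers whose certificate does not
#    chain to a CA in $ca_file (the explicit SSL_VERIFY_NONE the warning mentions
#    would only silence the carp and keep the MITM exposure).
#  - SSL_verifycn_scheme 'smtp' + SSL_verifycn_name: check the certificate's
#    name against the host we dialed, not just the chain.
#  - SSL_version: negotiate TLS/SSLv3 but never SSLv2.
IO::Socket::SSL::set_defaults(
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'smtp',
    SSL_verifycn_name   => $host,
    SSL_version         => 'SSLv23:!SSLv2',
);

# Verification happens inside new(); a chain or hostname mismatch yields undef
# and the reason is left in $IO::Socket::SSL::SSL_ERROR.
my $smtp = Net::SMTP::SSL->new( $host, Port => $port, Timeout => 30 )
    or die "SSL connect to $host:$port failed: "
         . ( $IO::Socket::SSL::SSL_ERROR // 'unknown error' ) . "\n";

# Net::SMTP::SSL inherits from IO::Socket::SSL, so the verified peer
# certificate can be inspected for logging.
printf "Connected to %s; peer certificate subject: %s\n",
    $host, $smtp->peer_certificate('subject') // '(none)';

$smtp->quit;
```

Because the defaults are global to the process, set them once at startup rather than per call; anything else in the same interpreter that opens an IO::Socket::SSL will inherit the same CA bundle and verification mode.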
The fix I checked in for 1.1x is a minimal subset of a larger set of improvements on trunk. It makes verify none work, but does not address other verify types as it's intended as a hotfix. The other verify types should be implemented under another task, so I marked this one "waiting for release".
--
TimotheLitt - 14 Dec 2012
The other verify types (Host and Client) and Trust authority sources have been implemented in Trunk, but won't be backported to earlier releases - the implementation is complex due to the work-arounds necessary to sneak past Net::SMTP(::SSL), and all the checkers I added to make it simple for the user. (They rely on the feedback framework.)
--
TimotheLitt - 15 Dec 2012