Item14205: Autoconfig Email failing with recent versions of IO::Socket::SSL.
Priority: Urgent
Current State: Closed
Released In: 2.1.3
Target Release: patch
If tested with the normal STARTTLS, TLS, SMTP sequence, the wizard decides on TLS. It should be selecting STARTTLS. Below debug log is reported only if modifying the wizard to ONLY attempt STARTTLS.
IO::Socket::SSL 2.019 Works IO::Socket::SSL 2.024 fails, and the latest - IO::Socket::SSL 2.038 also fails.
It seems to be performing hostname verification even when verification is disabled.
Testing STARTTLS with NO host verification on smtp port (25) Net::SMTP>>> SSL peer verification: off
Net::SMTP>>> Provide Client Certificate: off
Net::SMTP<<< Connected with 192.168.1.8:25 using no encryption
Net::SMTP<<< 220 myserver ESMTP Postfix
Net::SMTP>>> EHLO myhost
Net::SMTP<<< 250-myserver
Net::SMTP<<< 250-PIPELINING
Net::SMTP<<< 250-SIZE 24480000
Net::SMTP<<< 250-ETRN
Net::SMTP<<< 250-STARTTLS
Net::SMTP<<< 250-AUTH PLAIN xxxxxxxxxxxxxxxx
Net::SMTP<<< 250-AUTH=PLAIN LOGIN
Net::SMTP<<< 250-ENHANCEDSTATUSCODES
Net::SMTP<<< 250-8BITMIME
Net::SMTP<<< 250 DSN
Net::SMTP>>> STARTTLS
Net::SMTP<<< 220 2.0.0 Ready to start TLS
DEBUG: .../IO/Socket/SSL.pm:1460: start handshake
DEBUG: .../IO/Socket/SSL.pm:649: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:682: using SNI with hostname 192.168.1.8
DEBUG: .../IO/Socket/SSL.pm:717: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:738: set socket to non-blocking to enforce timeout=30
DEBUG: .../IO/Socket/SSL.pm:764: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:774: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:794: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:2615: local error: hostname verification failed
DEBUG: .../IO/Socket/SSL.pm:757: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:757: ignoring less severe local error 'SSL connect attempt failed error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed', keep 'hostname verification failed' DEBUG: .../IO/Socket/SSL.pm:760: fatal SSL error: hostname verification failed
Although all connections were successful, the service is not speaking SMTP.
The most likely causes are that the server uses a non-standard port for SMTP, or your configuration erroneously specifies a non-SMTP port. Check your configuration; then check with your server support.
--
GeorgeClark - 02 Nov 2016
VadimBelman found the issue. It appears that in addition to setting
SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE()
, you also have to set
verify_hostname => 0
in the socket options. This also applies to Net.pm.
Also discovered while testing, that it was not possible to run the wizard from the
tools/configure
and get any output. For some reason the capture of STDERR is not being released.
- Changed AutoconfigureEmail.pm to bypass capture for CLI and undefined engine. No real need to capture STDERR anyway, just let it go to the console.
- Changed tools/configure to use STDOUT instead of STDERR. The output from the configure tool is not error output.
--
GeorgeClark - 03 Nov 2016
And now that I've locally fixed it and done further testing, fix doesn't work. STARTTLS still fails on recent IO::Socket::SSL.
--
GeorgeClark - 03 Nov 2016
And it seems to be more than just the hostname verification. Even with that code in SSL.pm commented out, it fails with the other connection errors. This does seem to be specific to the autoconfig code though, as a manually configured STARTSSL connection seems to work.
--
GeorgeClark - 03 Nov 2016
There are several things going on here:
- The capture code for some reason doesn't release the capture. Resolved it by implementing the MuteExec code written by VadimBelman in his branch.
- In recent versions of IO::Socket::SSL, it seems to always attempt validation, even when configured to not validate. No solution to that yet, but there were two issues contributing to the validation failures:
- The Host IP was used instead of hostname in the test. IP addresses won't pass certificate hostname validation.
- There was no code to guess the SSL CA certificate bundle or path. (Resolved by invoking the SSLCertificates Wizard to guess the paths when necessary.)
- The code was resetting the captured debug log for each try, so it was impossible to see why earlier attempts failed.
In investigating the SSLCertificates wizard, it was broken as well. Didn't really look in the right places, and depended upon env variables that were not set. Got that resolved so that it can be used by the autoconfigEmail wizard.
--
GeorgeClark - 07 Nov 2016