GithubHelp home page GithubHelp logo

p5-io-socket-ssl's Introduction

IO::Socket::SSL is a class implementing an object oriented
interface to SSL sockets. The class is a descendent of

In order to use IO::Socket::SSL you need to have Net::SSLeay
v1.46 or newer installed.

To use ECDH curves (needed for perfect forward secrecy) you need
to use Net::SSLeay >= 1.56.

To use OCSP to check for certificate revocations you need
OpenSSL 1.0.0 or better and Net::SSLeay>=1.59.

For those who do not have a built-in random number generator
(including most users of Solaris), you should install one
before attempting to install IO::Socket::SSL.  If you don't
already have a favorite, try "egd" ( or
one of the other "Related Projects" listed on its home page.
If you want to bypass the test for existence of the RNG, then
set the "SKIP_RNG_TEST" environment variable to a true value.

In addition to providing a general OO interface to SSL sockets,
this package can be used with libwww-perl.

	perl Makefile.PL
	make test
	make install

Steffen Ullrich, Steffen_Ullrich at
Peter Behroozi, behrooz at
(Originally by Marko Asplund, marko.asplund at

p5-io-socket-ssl's People


akhuettel avatar andygrundman avatar bluhm avatar chorny avatar choroba avatar crisman avatar dgl avatar eserte avatar genuaboro avatar hubandr avatar intrigeri avatar jddurand avatar jelu avatar jonasbn avatar jwilk avatar kovdavid avatar manwar avatar notroj avatar noxxi avatar odenbach avatar ppisar avatar scop avatar steve-m-hay avatar stoecker avatar tmalkowski avatar upasana-me avatar yaribz avatar yoshikazusawa avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

p5-io-socket-ssl's Issues

t/auto_verify_hostname.t hangs if URI is not present.

Our RPM suite is hanging building IO::Socket::SSL if URI is not installed.

Based on the requirements from Makefile.PL, only these rpms need to be present to run the test suite for IO::Socket::SSL.


However Until I hadd URI as a dep, the test suite hangs while running t/auto_verify_hostname.t.

Is this a known issue?

Reliable read, better handling of SSL *_WANT_* situations

I noticed, that getline() often returns undefined, although data is available.

The reason is, that readline() andles EINTR and EWOULDBLOCK, but must also handle ERROR_WANT_READ and ERROR_WANT_WRITE. A good example as a starting point is Net::SSLeay::ssl_read_all():

sub ssl_read_all {
    my ($ssl,$how_much) = @_;
    $how_much = 2000000000 unless $how_much;
    my ($got, $rv, $errs);
    my $reply = '';

    while ($how_much > 0) {
        ($got, $rv) = Net::SSLeay::read($ssl,
                ($how_much > 32768) ? 32768 : $how_much
        if (! defined $got) {
            my $err = Net::SSLeay::get_error($ssl, $rv);
            if ($err != Net::SSLeay::ERROR_WANT_READ() and
                $err != Net::SSLeay::ERROR_WANT_WRITE()) {
                $errs = print_errs('SSL_read');
        $how_much -= blength($got);
        debug_read(\$reply, \$got) if $trace>1;
        last if $got eq '';  # EOF
        $reply .= $got;

    return wantarray ? ($reply, $errs) : $reply;

Maybe Net::SSLeay::ssl_read_until() can be used which internally calls ssl_read_all. And for getline() something like Net::SSLeay::ssl_read_CRLF()?

I only looked at Net::SSLeay current dev version, not sure what of that is available in latest stable.

Trouble with Mojo::IOLoop::TLS

I have error when trying to do two concurrent requests which upgrades to tls.

use Mojo::Base -strict;

use Mojo::IOLoop;
use Mojo::IOLoop::TLS;
use Mojo::IOLoop::Client;
use Mojo::IOLoop::Server;

#$IO::Socket::SSL::DEBUG = 3;

my $server = Mojo::IOLoop::Server->new;
my $client = Mojo::IOLoop::Client->new;

my ($server_handle, $client_handle);
my ($client_stream, $server_stream);

sub upgrade_handle {
  my ($handle, $is_server, $cb) = @_;
  my $tls = Mojo::IOLoop::TLS->new($handle);
  $tls->on(upgrade => sub { $cb->(pop) });
  $tls->on(error => sub { warn pop });
  $tls->negotiate(server => $is_server);

sub upgrade_handles {
    sub {
      my $d = shift;
      upgrade_handle($server_handle, 1, $d->begin(0));
      upgrade_handle($client_handle, 0, $d->begin(0));
    }, sub {
      my ($d, $server_handle, $client_handle) = @_;

      say 'YEAH';

      Mojo::IOLoop->singleton->reactor->io($server_handle => sub {})->watch($server_handle, 1, 0);
      Mojo::IOLoop->singleton->reactor->io($client_handle => sub {})->watch($client_handle, 1, 0);

$client->on(connect => sub {
  $client_handle = pop;
  Mojo::IOLoop->timer(0.1 => sub { upgrade_handles() });

$client->on(error => sub { warn pop });

$server->on(accept => sub {
  $server_handle = pop;
  $client->connect(address => '', port => 443);

$server->listen(port => 8443);

I have this errors when run this script

$ perl 
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Client send message with that request

$ curl -k ""

I try to discuss this problem in mojo irc channel, but nobody understand me.

When i enable debug mode for IO::Socket::SSL, i see output like that:

connect -> -1
accept -> -1
accept -> -1
accept -> 1
handshake done, socket ready
connect -> -1
local error: SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
accpet -> -1
local error: SSL accept attempt failed error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
accept -> -1
connect -> -1
connect -> 1
ssl handshake done

So, after accept ssl handshake IO::Socket::SSL begin accept it again.

If comment client upgrade or server upgrade then all will work perfectly.
So, problem occure when exists two concurrent requests.

I don't konw what to do...

windows bugs

Just testing out some of the crypto and ssl commands on windows. Some incompatibility between basic syntax and my compiler, and some password-protected private keys included in Certs for some reason. Also some invalid cert files.

readline() returns read data incorrectly in wantarray


I ran into an issue with IO::Socket::SSL, and it seemed to be an issue in readline() when called in wantarray, e.g. @lines = <$ssl_socket>

If there are only no greater than 2**16 bytes to be read, this will try to sysread again. However, this second call of sysread will either block in blocking mode or return undef , instead of the data already read, if there is no more to read.

Below is the code snippet for quick ref.

while (1) {
    my $rv = $self->sysread($buf,2**16,length($buf));
    if ( ! defined $rv ) {
    next if $!{EINTR};
    } elsif ( ! $rv ) {

Many thanks and regards,


[Win32] io-socket-ip test failure

Not certain why I see this failure as I have IO::Socket::IP ->VERSION(0.20) && IO::Socket::IP ->VERSION != 0.30 installed in Perl Core.

IO::Socket::IP is installed in PERL and the version is 0.34 (> 0.20 and != 0.30) ? So

Output from test is:
perl.exe "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib\lib', 'blib\arch')" t/io-socket-ip.t

[20:23:15] t/io-socket-ip.t ..
not ok # automatic use of IO::Socket::IP
Failed 1/1 subtests

Test Summary Report

t/io-socket-ip.t (Wstat: 0 Tests: 1 Failed: 1)
Failed test: 1
Files=1, Tests=1, 1 wallclock secs ( 0.13 usr + 0.06 sys = 0.19 CPU)
Result: FAIL
Failed 1/1 test programs. 1/1 subtests failed

My Perl:

Summary of my perl5 (revision 5 version 20 subversion 1) configuration:

osname=MSWin32, osvers=5.1, archname=MSWin32-x86-multi-thread-64int
uname='Perl 5.20.1 Sun Oct 19 2014 12:36:06.63'
hint=recommended, useposix=true, d_sigaction=undef
useithreads=define, usemultiplicity=define
use64bitint=define, use64bitall=undef, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
cc='gcc', ccflags ='-march=i686 -mtune=generic -pipe -s -O2 -DWIN32 -DPERL_TEXTMODE_SCRIPTS -DUS
g -mms-bitfields',
optimize='-s -O2',
ccversion='', gccversion='4.8.2', gccosandvers=''
intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='long long', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='g++', ldflags ='-s -L"e:\usr\lib\CORE" -L"e:\usr\mingw32\lib"'
libpth=e:\usr\mingw32\lib e:\usr\mingw32\i686-w64-mingw32\lib
libs=-lmoldname -lkernel32 -luser32 -lgdi32 -lwinspool -lcomdlg32 -ladvapi32 -lshell32 -lole32 -
loleaut32 -lnetapi32 -luuid -lws2_32 -lmpr -lwinmm -lversion -lodbc32 -lodbccp32 -lcomctl32
perllibs=-lmoldname -lkernel32 -luser32 -lgdi32 -lwinspool -lcomdlg32 -ladvapi32 -lshell32 -lole
32 -loleaut32 -lnetapi32 -luuid -lws2_32 -lmpr -lwinmm -lversion -lodbc32 -lodbccp32 -lcomctl32
libc=, so=dll, useshrplib=true, libperl=libperl520.a
Dynamic Linking:
dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
cccdlflags=' ', lddlflags='-mdll -s -L"e:\usr\lib\CORE" -L"e:\usr\mingw32\lib"'

Characteristics of this binary (from libperl):
Built under MSWin32
Compiled at Jan 7 2015 19:01:51

new_from_fd() erases {io_socket_timeout}

Don't really know is it a bug. Feel free to reject.
Test example below:

use strict;
use IO::Socket;
use IO::Socket::SSL;

my $sock = IO::Socket::INET->new(PeerAddr => '', PeerPort => 443, Timeout => 5)
    or die $@;

warn ${*$sock}{io_socket_timeout}; # 5

my $ssl = IO::Socket::SSL->new_from_fd($sock, Timeout => 5)
    or die $@;

warn ${*$ssl}{io_socket_timeout}; # undef

I found this problem while used LWP::Protocol::connect.
Here we got plain socket where {io_socket_timeout} has some value from LWP constructor:
And after this action {io_socket_timeout} for socket is undefined:
And here how LWP uses this value:
So we may get select() with undefined timeout (and block forever):

Maybe this needs to be documented (if this behaviour is correct).

t/session_ticket.t fails with IO::Socket::SSL 2.040 and Net::SSLeay 1.79

Just a little head up,

sskelton:~/dev/test_foo [5.16.3]$ cpanm -Llocal IO::Socket::SSL -v

this fails at:

t/session_ticket.t ................ 1/6 # connect to 0: success reuse=1
# connect to 1: success reuse=1
# connect to 1: success reuse=0
# connect to 0: success reuse=1

#   Failed test 'reports non-reuse on server0 since got ticket with secret[1] in last step'
#   at t/session_ticket.t line 57.
#          got: '1'
#     expected: '0'
# connect to 0: success reuse=1
# Looks like you failed 1 test of 6.
t/session_ticket.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/6 subtests

I am on MacOS, with clean perl brew 5.16.3, however this brought to my attention because it failed on our build server which is linux, same perl version,

perl-IO-Socket-SSL-1.94 test fail and certs out of date

1.the file of pem in certs are out of date in IO-Socket-SSL-1.94.tar.gz

2.make test failure as showed below

-bash-4.2$ cd IO-Socket-SSL-1.94/
-bash-4.2$ ls
BUGS MANIFEST META.yml Makefile.PL README.Win32 certs debuglinks.list docs example pm_to_blib util
Changes META.json Makefile README blib debugfiles.list debugsources.list elfbins.list lib t
-bash-4.2$ make test
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/01loadmodule.t ........... ok
t/02settings.t ............. ok
t/acceptSSL-timeout.t ...... Dubious, test returned 1 (wstat 256, 0x100)
Failed 10/15 subtests
t/auto_verify_hostname.t ... Failed 16/30 subtests
t/cert_no_file.t ........... ok
t/compatibility.t .......... 1/9 Can't locate object method "issuer_name" via package "IO::Socket::INET" at t/compatibility.t line 53.
t/compatibility.t .......... Failed 6/9 subtests
t/connectSSL-timeout.t ..... Dubious, test returned 1 (wstat 256, 0x100)
Failed 10/16 subtests
t/core.t ................... Failed 47/52 subtests
t/dhe.t .................... ok
t/ecdhe.t .................. ok
t/io-socket-inet6.t ........ skipped: no IO::Socket::INET6 available
t/io-socket-ip.t ........... ok
t/memleak_bad_handshake.t .. skipped: no usable ps
t/mitm.t ................... Failed 6/8 subtests
t/nonblock.t ............... 1/27 sysread failed: No such file or directory at t/nonblock.t line 317.
Use of uninitialized value in subroutine entry at /home/abuild/rpmbuild/BUILD/IO-Socket-SSL-1.94/blib/lib/IO/Socket/ line 629.
Use of uninitialized value in subroutine entry at /home/abuild/rpmbuild/BUILD/IO-Socket-SSL-1.94/blib/lib/IO/Socket/ line 629.
t/nonblock.t ............... Dubious, test returned 2 (wstat 512, 0x200)
Failed 21/27 subtests
t/npn.t .................... ok
t/readline.t ............... ok
t/sessions.t ............... Failed 27/35 subtests
t/signal-readline.t ........ Failed 1/9 subtests
t/sni.t .................... 1/17 Can't call method "get_servername" on an undefined value at t/sni.t line 83.
Can't call method "verify_hostname" without a package or object reference at t/sni.t line 74.
t/sni.t .................... Dubious, test returned 2 (wstat 512, 0x200)
Failed 16/17 subtests
t/start-stopssl.t .......... ok
t/startssl-failed.t ........ ok
t/startssl.t ............... ok
t/sysread_write.t .......... ok
t/verify_hostname.t ........ ok

Test Summary Report

t/acceptSSL-timeout.t (Wstat: 256 Tests: 7 Failed: 2)
Failed tests: 6-7
Non-zero exit status: 1
Parse errors: Bad plan. You planned 15 tests but ran 7.
t/auto_verify_hostname.t (Wstat: 0 Tests: 22 Failed: 8)
Failed tests: 3, 5-6, 8, 12, 16, 18, 22
Parse errors: Bad plan. You planned 30 tests but ran 22.
t/compatibility.t (Wstat: 0 Tests: 6 Failed: 3)
Failed tests: 2, 5-6
Parse errors: Bad plan. You planned 9 tests but ran 6.
t/connectSSL-timeout.t (Wstat: 256 Tests: 8 Failed: 2)
Failed tests: 7-8
Non-zero exit status: 1
Parse errors: Bad plan. You planned 16 tests but ran 8.
t/core.t (Wstat: 0 Tests: 7 Failed: 2)
Failed tests: 6-7
Parse errors: Bad plan. You planned 52 tests but ran 7.
t/mitm.t (Wstat: 0 Tests: 3 Failed: 1)
Failed test: 3
Parse errors: Bad plan. You planned 8 tests but ran 3.
t/nonblock.t (Wstat: 512 Tests: 17 Failed: 11)
Failed tests: 6-12, 14-17
Non-zero exit status: 2
Parse errors: Bad plan. You planned 27 tests but ran 17.
t/sessions.t (Wstat: 0 Tests: 10 Failed: 2)
Failed tests: 9-10
Parse errors: Bad plan. You planned 35 tests but ran 10.
t/signal-readline.t (Wstat: 0 Tests: 9 Failed: 1)
Failed test: 4
t/sni.t (Wstat: 512 Tests: 3 Failed: 2)
Failed tests: 2-3
Non-zero exit status: 2
Parse errors: Bad plan. You planned 17 tests but ran 3.
Files=25, Tests=226, 0 wallclock secs ( 0.10 usr 0.04 sys + 1.28 cusr 0.33 csys = 1.75 CPU)
Result: FAIL
Failed 10/25 test programs. 34/226 subtests failed.
make: *** [test_dynamic] Error 2

how can i fix this problem with out update the software? Can i skip these ten test?

Weird diagnostics for short RSA keys

Openssl 1.1.1 does not treat 1024-bit RSA certificates as safe for clients authentification in SSL by default (@SECLEVEL=2) with diagnostics like

140510343623808:error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small:../ssl/ssl_rsa.c:310:

As IO::Socket::SSL tries to load a certificate as PEM, than DER, than PKCS12, when the original certificate is in PEM format, the diagnostics is smth about bad ASN.1 format instead of valid one.

package IO::Socket::SSL;

our $VERSION = '2.060';

out of filehandles


I am not sure if this is even a bug or a documentation issue.

I was creating a couple of ssl connections with IO::Socket::SSL->new(...). unfortunatelly I was running out of open file descriptors. Of course the related files need to be read out but the code examples in the documentation lead to the assumption that you "just" need to check the return value of IO::Socket::SSL->new().

SSL_cert_file ../var/certs/server.crt can't be used: Too many open files at /opt/perl/lib/site_perl/5.26.0/IO/Socket/ line 2258.
	IO::Socket::SSL::SSL_Context::new("IO::Socket::SSL::SSL_Context", HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/ line 641
	IO::Socket::SSL::configure_SSL(IO::Socket::SSL=GLOB(0x95dcb38), HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/ line 607
	IO::Socket::SSL::configure(IO::Socket::SSL=GLOB(0x95dcb38), HASH(0x95c3c00)) called at /opt/perl/lib/site_perl/5.26.0/x86_64-linux-multi/IO/ line 48
	IO::Socket::new(...) called at /opt/perl/lib/site_perl/5.26.0/IO/Socket/ line 369

Would it make sense to catch this error inside the API and just return undef for IO::Socket::SSL->new() and set the error variable?

Enablement of SNI is erroneously sensitive to the the case of the inferred hostname

This was discovered after assisting a person in #perl at Freenode, who was using the following URL for testing:


Attempts to connect to this URL were resulting in a Can't connect to WWW.SPS-SERVICE.EU:443 (certificate verify failed) error. It was then discovered that the lower case form of this URL worked and, after further testing, that specifying anything other than www. as the first component of the hostname was enough to trigger the error. All of which should not happen, of course.

Eventually, I realised that the host in question requires SNI to be active, otherwise it reports an entirely different CN, against which verification is, indeed, impossible. For instance:

# openssl s_client -connect -servername WWW.SPS-SERVICE.EU </dev/null 2>&1 | grep '^subject'
subject=/OU=Domain Control Validated/CN=*

#  openssl s_client -connect </dev/null 2>&1 | grep '^subject'
subject=/C=DE/ST=Bayern/L=Muenchen/O=ispgateway/[email protected]

Sure enough, after setting the $DEBUG level to 2, I was able to confirm that IO::Socket::SSL was not attempting to use SNI in the failing case (the first name component being anything other than lower-case www):

DEBUG: .../IO/Socket/ not using SNI because hostname is unknown

This is where the issue lies:

# grep -n 'host = undef' /usr/lib64/perl5/vendor_perl/5.24.3/IO/Socket/
712:            $host = undef if $host !~m{[a-z_]} or $host =~m{:};

Specifically, the above regular expression does not tolerate any names that contain upper-case characters, in which case SNI becomes impossible. Adjusting the regular expression to tolerate upper-case alphabetical characters, or adding the /i flag is enough for SNI to be correctly employed for all case-oriented permutations of this particular URL.

syswrite does not properly report SSL_ERROR_SYSCALL

Documentation states (

syswrite will write all the data within a single SSL frame, which means, that no more than 16.384 bytes, which is the maximum size of an SSL frame, can be written at once.

There are two issues here. First, it is unclear whether a call with a length of more than 16384 should result in an error or a partial write.
Second, it is actually an error, but it is not reported very well.

syswrite calls _generic_write which (in case of non-blocking socket) calls Net::SSLeay::write_partial.
When write_partial returns error, _skip_rw_error checks for ERROR_WANT_READ and ERROR_WANT_READ, but silently discards all other errors.

As a result, syswrite returns undef but does not set $!, which confuses callers.
In particular, see libwww-perl/libwww-perl#264.

Without digging deeper into code, my first proposal would be to report all SSL error codes,
not only whose corresponding to $!{EWOULDBLOCK}.

Can't Build IO::Socket::SSL In Darwin

A failure to build IO::Socket::SSL on Darwin causes Alien::Base::ModuleBuild to fail to download the Artistic Style source tarball, which causes Alien::astyle to fail to build, which causes RPerl to fail to build.

Below is the (not exactly intuitive) error message from Alien::Base::ModuleBuild which tells us it has experienced a network failure, in this case the lack of IO::Socket::SSL...

Internal Exception at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ line 382.
Could not find any matching files at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ line 382.
Can't call method "version" on an undefined value at /Users/hornenj/.cpan/build/Alien-Base-0.030-5/blib/lib/Alien/Base/ line 391.

IO::Socket::SSL::Utils splits subject/issue into a hash, losing the ordering of the parts

Feature request. Though I'm tempted to also characterise this as a design fault. ๐Ÿ˜…

I notice CERT_asHash() returns subject and issuer split into a hash. I think it would be more useful to report the whole DN. Or if you must split it, then instead split it into an array.

This will be especially problematic for DNs that contain more than one of the same type of RDN (eg. multiple OU's or DC's), as it then becomes impossible to determine which order in which to reassemble the bits back together.

I was hoping to replace my usage of Net::SSLeay::X509_NAME_oneline() with IO::Socket::SSL::Utils functions, but today is not that day. :P

Version 2.057 fails tests t/session_ticket.t

I believe commit 111eccd, "add use of client certificates to t/session_ticket.t", is preventing the most recent version of IO::Socket::SSL from passing tests on my machine. If I revert this one commit, all tests pass.

Let me know what additional debugging information will be useful for you, if any. I'm also glad to test any fixes.

Test output:

$ make test
Skip blib/lib/IO/Socket/SSL/ (unchanged)
Skip blib/lib/IO/Socket/SSL/ (unchanged)
Skip blib/lib/IO/Socket/SSL/ (unchanged)
Skip blib/lib/IO/Socket/ (unchanged)
Skip blib/lib/IO/Socket/SSL.pod (unchanged)
PERL_DL_NONLAZY=1 "/data/home/jmaslak/perl5/perlbrew/perls/perl-5.28.0/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
t/01loadmodule.t .................. 1/3 # openssl version compiled=0x1010007f linked=0x1010007f -- OpenSSL 1.1.0g  2 Nov 2017
# Net::SSLeay version=1.85
# parent IO::Socket::IP version=0.39
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
t/external/ocsp.t ................. # tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# got stapled response as expected
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
t/external/ocsp.t ................. 1/3 # tcp connect to ok
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
t/external/ocsp.t ................. ok
t/external/usable_ca.t ............ # found 149 CA certs
# have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ 1/21 # have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ 4/21 # have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ 7/21 # have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ 10/21 # have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ 13/21 # have root CA for in store
# 5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
# 5 connections to ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
t/plain_upgrade_downgrade.t ....... # -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
t/plain_upgrade_downgrade.t ....... 1/15 # server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. 1/? # looks like OpenSSL was compiled without SSLv3 support
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/session_ticket.t ................ # listen at
# listen at
# connect to 0: error: ,SSL connect attempt failed error:14094413:SSL routines:ssl3_read_bytes:sslv3 alert unsupported certificate
t/session_ticket.t ................ 1/6
#   Failed test 'no initial session -> no reuse'
#   at t/session_ticket.t line 67.
#          got: undef
#     expected: '0'

#   Failed test 'Can't use an undefined value as a symbol reference at t/session_ticket.t line 68.
# '
#   at ./t/ line 39.
# Looks like your test exited with 1 just after 2.
t/session_ticket.t ................ Dubious, test returned 1 (wstat 256, 0x100)
Failed 6/6 subtests
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok

Test Summary Report
t/session_ticket.t              (Wstat: 256 Tests: 2 Failed: 2)
  Failed tests:  1-2
  Non-zero exit status: 1
  Parse errors: Bad plan.  You planned 6 tests but ran 2.
Files=38, Tests=796, 74 wallclock secs ( 0.21 usr  0.10 sys +  6.00 cusr  1.04 csys =  7.35 CPU)
Result: FAIL
Failed 1/38 test programs. 2/796 subtests failed.
Makefile:879: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255

PublicSuffix module is unable to distinguish real and phony TLDs

root@felipe 13:18:30 cpstore_client *
> perl -MIO::Socket::SSL::PublicSuffix -E'say for scalar IO::Socket::SSL::PublicSuffix->default()->public_suffix("")'

root@felipe 13:19:07 cpstore_client *
> perl -MIO::Socket::SSL::PublicSuffix -E'say for scalar IO::Socket::SSL::PublicSuffix->default()->public_suffix("")'

^^^ The above seems to indicate that the โ€œTLDโ€ for the 2nd domain is โ€œnzzzzโ€. There is nothing that a caller can do to distinguish this from the case where โ€œnzzzzโ€ is a real TLD.

This seems like a problem โ€ฆ ? Potentially one causing breakage in IO::Socket::SSL?

Session re-use not working on Fedora 26 with current Net-SSLeay and IO-Socket-SSL

I build RPM packages of perl modules including perl-Net-SSLeay and perl-IO-Socket-SSL for a range of Fedora and CentOS distributions. With current Net-SSLeay (1.88), the IO-Socket-SSL test suite fails tests t/session_ticket.t and t/sessions.t on Fedora 26:

$ make test TEST_VERBOSE=1
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(1, 'blib/lib', 'blib/arch')" t/*.t
# openssl version compiled=0x1010008f linked=0x1010008f -- OpenSSL 1.1.0h-fips  27 Mar 2018
# Net::SSLeay version=1.88
# parent IO::Socket::IP version=0.39
# listen at
# listen at
# connect to 0: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2

#   Failed test 'reuse with the next session and secret[0]'
#   at t/session_ticket.t line 79.
#          got: '0'
#     expected: '1'
# connect to 1: success reuse=0 version=TLSv1_2

#   Failed test 'reuse even though server changed, since they share ticket secret'
#   at t/session_ticket.t line 79.
#          got: '0'
#     expected: '1'
# connect to 1: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2
# connect to 0: success reuse=0 version=TLSv1_2

#   Failed test 'reuse again since got ticket with secret[0] in last step'
#   at t/session_ticket.t line 79.
#          got: '0'
#     expected: '1'
# Looks like you failed 3 tests of 6.
t/session_ticket.t ................ 
access to server[0]
creating new ticket key1
server[0] reused=0
ok 1 - no initial session -> no reuse
access to server[0]
creating new ticket key1
server[0] reused=0
not ok 2 - reuse with the next session and secret[0]
access to server[1]
creating new ticket key1
server[1] reused=0
rotate secrets
not ok 3 - reuse even though server changed, since they share ticket secret
access to server[1]
creating new ticket key2
server[1] reused=0
rotate secrets
ok 4 - reports non-reuse since server1 changed secret to secret[1]
access to server[0]
creating new ticket key1
server[0] reused=0
ok 5 - reports non-reuse on server0 since got ticket with secret[1] in last step
access to server[0]
creating new ticket key1
server[0] reused=0
not ok 6 - reuse again since got ticket with secret[0] in last step
Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/6 subtests 
Use of uninitialized value in string eq at t/sessions.t line 87.
t/sessions.t ...................... 
ok # [server]:31 Server initialization
ok # [client]:59 Context init
ok # [server]:138 Client init
ok # [client]:73 Client init, version=TLSv1_2
not ok # [client]:82 >=3 entries in cache: 0
not ok # [client]:85 in cache
not ok # [client]:85 in cache
not ok # [client]:85 in cache
ok # [server]:143 Server send pong, received ping
not ok # [client]:88 latest ( on top of cache
not ok # [client]:95 session in client 0
not ok # [client]:95 session in client 1
not ok # [client]:95 session in client 2
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x88d1078) reused
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x8906d30) reused
not ok # [client]:104 client IO::Socket::SSL=GLOB(0x89070c0) reused
ok # [server]:151 Client again init + write + read
Failed 11/17 subtests 
Test Summary Report
t/session_ticket.t              (Wstat: 768 Tests: 6 Failed: 3)
  Failed tests:  2-3, 6
  Non-zero exit status: 3
t/sessions.t                    (Wstat: 0 Tests: 17 Failed: 11)
  Failed tests:  5-8, 10-16
Files=41, Tests=791, 44 wallclock secs ( 0.12 usr  0.03 sys +  6.68 cusr  0.40 csys =  7.23 CPU)
Result: FAIL
Failed 2/41 test programs. 14/791 subtests failed.

The tests pass on all other Fedora/CentOS versions I build for (Fedora 13, CentOS 6 onwards).
Points of interest:

  • Fedora 26 has OpenSSL 1.1.0h; Fedora 25 has OpenSSL 1.0.2m and Fedora 27 has 1.1.0i.
  • If I downgrade Net-SSLeay to 1.85_09, the tests pass
  • With Net-SSLeay 1.88, IO-Socket-SSL 2.060 passes but later versions all fail the same way.
  • If I patch Net-SSLeay 1.8.8 so that SSL_SESSION_up_ref is not defined (by changing the OpenSSL version check from 1.1.0 to 1.1.1), the tests pass

I can't really see any change between OpenSSL 1.1.0h and 1.1.0i that would account for this. It's possible it could be related to downstream patching but I don't know.

Any ideas?

Passing objects in for filenames fails in a bad way

Sometimes I use IO::All or Path::Class file objects. I accidentally passed one in to IO::Socket::SSL as an SSL_ca_file (indirectly, via Net::Async::HTTP) and end up getting really strange errors.

Here's some code:

  use Net::Async::HTTP;
  use IO::Async::Loop;
  use IO::All;
  $loop = IO::Async::Loop->new;
     my $ua = Net::Async::HTTP->new(
        SSL_ca_file => io->file('/home/frew/code/root.crt')
  my $res = $ua->GET('')->get;
  warn $res->status_line . ' ' . $res->decoded_content;

Here's output: - Operation "eq": no method found,
          left argument in overloaded package IO::All::File,
          right argument has no overloaded magic at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/ line 1992.
   failed [Operation "eq": no method found,
          left argument in overloaded package IO::All::File,
          right argument has no overloaded magic at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/ line 1992.
  ] at line 10.


  use Net::Async::HTTP;
  use IO::Async::Loop;
  use Path::Class 'file';
  $loop = IO::Async::Loop->new;
     my $ua = Net::Async::HTTP->new(
        SSL_ca_file => file('/home/frew/code/root.crt')
  my $res = $ua->GET('')->get;
  warn $res->status_line . ' ' . $res->decoded_content;

results in - Not a SCALAR reference at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/ line 2006.
   failed [Not a SCALAR reference at /home/frew/.plenv/versions/5.20.1/lib/perl5/site_perl/5.20.1/IO/Socket/ line 2006.
  ] at line 10.

I'm not saying that I think that I think you should support these objects at
all, I just think it would be nice to get a more sensible error message.

For what it's worth, this applies to all of the _file type args, not just the
ca one.

So if you can comment on how you'd like it to work, I'd gladly make a patch, but
I don't want to work on a patch that does too much etc.

Pessimistic version number for SNI support in OpenSSL

Reading the code (, it looks like you're requesting OpenSSL 1.0.0 to enable client SNI. After some research it seems that SNI was enabled (by default, prior to that it was a configure flag one had to enable by hand) in OpenSSL 0.9.8j.
According to this would be : 0x0009080af
After changing 0x010000000 to this value, I was able to correctly install the latest version of IO::Socket::SSL without errors.

Would you like me to make a proper PR for this?

Thank you for your work on this distribution, it actually saved my bacon a couple of weeks ago when some other language was getting on my nerves. You can't beat the Internet Swiss army chainsaw that comes with Perl.

Bug to get client certificate

  • Perl version: v5.22.1 built for x86_64-linux-gnu-thread-multi
  • Operating system: Ubuntu 16.04 LTS
  • IO::Socket::SSL: 2.027
  • OpenSSL: 1.0.2g-fips 1 Mar 2016

Steps to reproduce the behavior

Generate keys

openssl req  -nodes -new -x509  -keyout server.key -out server.cert
openssl req  -nodes -new -x509  -keyout client.key -out client.cert

Run server

Get server from examples

perl -d -C server.cert -K server.key

Run client

openssl s_client -connect -cert client.cert -key client.key

Server output

perl -d -C server.cert -K server.key
waiting for next connection.
new SSL connection without client certificate
waiting for next connection.

No client certificate

Expected behavior

Client certificate must be.

To verify that the certificate is loaded, you can replace the server with openssl

openssl s_server -cert server.cert -key server.key -accept 3000 -Verify 1

Feature request: SSL_cert_file/key_file hash ref for client connections

We're indirectly using your module as part of an application doing large-scale push notifications. Sometimes an endpoint requires a client certificate which we accommodate through SSL_ca_file/cert_file/key_file, but during client connections - unlike the server scenario - the forementioned parameters will only accept string scalars holding a single file, forcing us to create multiple objects in the overlying module making use of IO::Socket::SSL, instead of being able to hand out a common hash ref mapping all of the certs/keys.

It would be useful if IO::Socket::SSL could trawl hash refs with host=>file mappings for SSL_ca_file/cert_file/key_file also in the case of client connections, just as it does for a server scenario.

No git tags

This git repo has no tags, which makes code archaeology a bit hard.
Could you add tags corresponding to CPAN releases?

t/nonblock.t test fails on armv6l

Both the multiple write attempts tests fail for me on a single processor RaspberryPi under the following conditions. System perl (same versions) on a multi processor Pi results in successful test with and without patch.

software system perl perlbrew
perl v5.24.1 v5.26.2
Net::SSLeay 1.80 1.85
URI 1.71 1.74
$ prove -lv t/nonblock.t
t/nonblock.t .. 
ok # [server] Server Initialization
ok # [server] 1e-09
ok # [server] tcp accept
# connect in progress
ok # [client] client tcp connect
ok # [server] received plain text
# wrote 9 bytes
ok # [client] write plain text
ok # [server] upgrade to_client to IO::Socket::SSL
ok # [client] upgrade client to IO::Socket::SSL
# SSL wants a read first
# SSL wants a read first
ok # [client] connected
ok # [client] nonblocking connect with 2 attempts
ok # [server] ssl accept handshake done
# sndbuf=16384
ok # [server] received client message
# read 30000 (1 r/w attempts)
# $!=Connection reset by peer $SSL_ERROR=SSL write error (5) send=205660
# connection closed
ok # [client] syswrite
not ok # [client] multiple write attempts
ok # [client] 30000 bytes send
ok # [server] tcp accept

My current workaround is doubling the sleep time on line 336

diff --git a/t/nonblock.t b/t/nonblock.t
index ad62799..85b5cf5 100644
--- a/t/nonblock.t
+++ b/t/nonblock.t
@@ -333,7 +333,7 @@ if ( $pid == 0 ) {
        ok( "received client message" );
-       sleep(5);
+       sleep(10);
        my $bytes_received = 10;
        # read up to 30000 bytes from client, then close the socket

Default cipher suite includes RC4 ciphers

Leaving SSL_cipher_list out of the options results in the TLS_ECDHE_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_SHA ciphers being used, which leads to a B rating on SSL labs due to the RC4 vulnerability. Passing the following cipher suite fixes this problem:


More information:

t/external/ocsp.t failing in 2.035

$ make test
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t
# openssl version=0x1000208f
# Net::SSLeay version=1.77
# parent IO::Socket::IP version=0.38
t/01loadmodule.t .................. ok
t/acceptSSL-timeout.t ............. ok
t/alpn.t .......................... ok
t/auto_verify_hostname.t .......... ok
t/cert_formats.t .................. ok
t/cert_no_file.t .................. ok
t/compatibility.t ................. ok
t/connectSSL-timeout.t ............ ok
t/core.t .......................... ok
t/dhe.t ........................... ok
t/ecdhe.t ......................... ok
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok

#   Failed test 'did not get expected OCSP response with stapling'
#   at t/external/ocsp.t line 93.
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok

#   Failed test 'expected revoked but connection ok'
#   at t/external/ocsp.t line 128.
# Looks like you failed 2 tests of 3.
t/external/ocsp.t ................. 
Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/3 subtests 
# found 167 CA certs
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
#5 connections to ok
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
# have root CA for in store
#5 connections to ok
# fingerprint matches
# check against builtin CA store ok
t/external/usable_ca.t ............ ok
t/io-socket-inet6.t ............... ok
t/io-socket-ip.t .................. ok
t/memleak_bad_handshake.t ......... ok
t/mitm.t .......................... ok
t/nonblock.t ...................... ok
t/npn.t ........................... ok
# -- test: newINET start_SSL stop_SSL start_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x160301 from client
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL
# server accepted new client
# wait for initial data from client
# got 0x666f6f from client
# server: got plain data at start of connection
# server: TLS upgrade
# server: TLS downgrade
# server: TLS upgrade#2
# server accepted new client
# wait for initial data from client
# got 0x656e64 from client
# client requested end of tests
t/plain_upgrade_downgrade.t ....... ok
t/protocol_version.t .............. ok
t/public_suffix_lib_encode_idn.t .. ok
t/public_suffix_lib_libidn.t ...... ok
t/public_suffix_lib_uri.t ......... ok
t/public_suffix_ssl.t ............. ok
t/readline.t ...................... ok
t/sessions.t ...................... ok
t/signal-readline.t ............... ok
t/sni.t ........................... ok
t/sni_verify.t .................... ok
t/start-stopssl.t ................. ok
t/startssl-failed.t ............... ok
t/startssl.t ...................... ok
t/sysread_write.t ................. ok
t/verify_fingerprint.t ............ ok
t/verify_hostname.t ............... ok
t/verify_hostname_standalone.t .... ok

Test Summary Report
t/external/ocsp.t               (Wstat: 512 Tests: 3 Failed: 2)
  Failed tests:  1, 3
  Non-zero exit status: 2
Files=37, Tests=794, 48 wallclock secs ( 0.09 usr  0.02 sys +  3.28 cusr  0.33 csys =  3.72 CPU)
Result: FAIL
Failed 1/37 test programs. 2/794 subtests failed.
Makefile:791: recipe for target 'test_dynamic' failed
make: *** [test_dynamic] Error 255

That's on Fedora Rawhide and I get the same result on the much-older CentOS 6.

SSL_verify_callback sometimes gets the same cert multiple times.

Not sure what causes it...

Versions of stuff:

  • IO::Socket::SSL 2.012
  • Net::SSLeay 1.68
  • Perl 5.20.1
  • OpenSSL 1.0.2a
    All latest as of right now as far as I can tell except for perl being 1 minor behind.

Consider the following:

#!/usr/bin/env perl
use strict;
use warnings;
use File::Basename;
use IO::Socket::SSL;

die "Usage: ".basename($0)." host:port\n" unless @ARGV eq 1;
    PeerHost => $ARGV[0],
    SSL_verify_callback => sub {
        my $cert = $_[4];
        my $subject = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert));
        my $issuer  = Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_issuer_name($cert));
        print "# $subject (issuer=$issuer)\n";
        print Net::SSLeay::PEM_get_string_X509($cert);
        return 1;
) or die $SSL_ERROR||$!;
# /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=* (issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2)
# /OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=* (issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2)

Note that it's the same cert twice. (Sometimes I get it 3 times.)

And for reference:

$ openssl s_client -showcerts -connect < /dev/null
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL, CN = *
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
 0 s:/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*
   i:/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2
 1 s:/C=FR/O=GANDI SAS/CN=Gandi Standard SSL CA
   i:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=
 2 s:/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Server certificate
subject=/OU=Domain Control Validated/OU=Gandi Standard Wildcard SSL/CN=*
issuer=/C=FR/ST=Paris/L=Paris/O=Gandi/CN=Gandi Standard SSL CA 2

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 4825 bytes and written 474 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: E67A63468B999C6CA41186D080ABA061A460160C222576E7FAE5B56679C53BB3
    Master-Key: 22DAF517196E6A24224A690554D569D60F1168DB27C62C23436C089DE9807F007A394E711B8476BF44167DC35633232F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - dd ed 8f 5f 20 86 ba fe-f0 ab 3f 30 45 d5 63 59   ..._ .....?0E.cY
    0010 - b7 9a 45 b2 99 3b 8a 3a-d6 3c 16 48 9b a5 84 44   ..E..;.:.<.H...D
    0020 - c4 26 a8 e9 39 83 bc 54-08 55 fe 38 35 43 ab 42   .&..9..T.U.85C.B
    0030 - 48 42 f1 62 77 5f b6 5d-fe d3 2b 84 5e de ca ed   HB.bw_.]..+.^...
    0040 - c9 4e 0a 49 ed 1b 6c 72-d8 21 1e 86 7a 30 45 d3!..z0E.
    0050 - c7 b9 2a 8f 4e 03 cb 42-0a c5 f4 d2 15 c4 a3 b0   ..*.N..B........
    0060 - 04 1c ed ac 20 7d 9f 4d-27 48 b3 6d 60 90 c5 1a   .... }.M'H.m`...
    0070 - 09 5c 21 02 20 c8 4d 87-c9 85 de 5c 90 32 bc 20   .\!. .M....\.2.
    0080 - b3 65 7d 3c ec dc 5b 9b-1a 17 c7 cb 4d 41 b3 d3   .e}<..[.....MA..
    0090 - 79 c6 10 6d 4f 0e 57 cc-f3 29 0d b4 bd 0d b2 d8   y..mO.W..)......
    00a0 - 59 2c 6e ca dc f1 70 ec-10 f9 dd 16 55 2a ae 35   Y,n...p.....U*.5
    00b0 - 3a c8 25 4b 31 de 4d cc-c7 0c 47 33 a2 bc 66 b1   :.%K1.M...G3..f.

    Start Time: 1427146263
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)


Memory leak when destroying with incomplete handshake

This was originally found in Mojolicious: mojolicious/mojo#1469
But then I tracked this down to IO::Socket::SSL. If we'll destroy object for which server didn't respond with initial handshake this will produce memory leak. I can reproduce this with such server:

use strict;
use IO::Socket;

$SIG{CHLD} = sub { 1 while waitpid(-1, WNOHANG) > 0;  };

my $srv = IO::Socket::INET->new(Listen => 1, LocalPort => 1081) or die $@;

while (1) {
    my $c = $srv->accept or next;
    my $child = fork;
    if ($child == 0) {
        $c->sysread(my $buf, 1024);
        sleep 3;

and such client:

use strict;
use IO::Socket::SSL;
use IO::Socket::INET;
use IO::Select;
use Time::HiRes 'time';

use constant TIMEOUT => 1;

warn $$;

my $sel_for_read = IO::Select->new;
my $sel_for_write = IO::Select->new;
my %sockets;

for (1..100) {

while (1) {
    my ($readable, $writable) = IO::Select->select($sel_for_read, $sel_for_write, undef, 0.5);
    $readable ||= [];
    $writable ||= [];
    my @want_read;
    my @want_write;
    for my $socket (@$readable, @$writable) {
        if ($socket->connect_SSL) {
            # SSL handshake done
            warn 'connected';
            delete $sockets{fileno $socket};
        if ($SSL_ERROR == SSL_WANT_READ) {
            push @want_read, $socket;
        elsif ($SSL_ERROR == SSL_WANT_WRITE) {
            push @want_write, $socket;
        else {
            # unexpected error
            warn 'unexpected: ', $SSL_ERROR;
            delete $sockets{fileno $socket};
    # timeout check
    my $time = time;
    for my $socket ($sel_for_read->handles, $sel_for_write->handles) {
        if ($time - $sockets{fileno $socket} > TIMEOUT) {
            warn 'timeout';
            delete $sockets{fileno $socket};
    # add again for next iteration

sub make_socket {
    my $socket = IO::Socket::INET->new(PeerAddr => '', PeerPort => 1081, Blocking => 0) or die $@;
    IO::Socket::SSL->start_SSL($socket, SSL_startHandshake => 0) or die $SSL_ERROR;
    $sockets{fileno $socket} = time;

sub remove_socket {
    my $socket = shift;

Memory usage of this client script grows without a stop, however I can see that IO::Socket::SSL::DESTROY called and size of script variables is constant.

Segmentation fault while using IO::Socket::SSL::Utils::PEM_cert2file with CERT_create


I discovered something wrong with (probably?) IO::Socket::SSL and the certificate creation utility in IO::Socket::SSL::Utils. First, while I was writing a script using the CERT_create function, along with the PEM_cert2file sub to write it to a file, my script crashed with a SIGSEGV.
So I thought that it was my fault, and inspected the arguments over and over. I also checked the source of IO::Socket::SSL::Utils. However, I discovered that the problem is there even with the default values!

Take a look at this example:

$ perl -MIO::Socket::SSL::Utils -e 'my $crt = CERT_create(); PEM_cert2file($crt, "test_file.pem")'
Segmentation fault (core dumped)

Using this this with IO::Socket::SSL version 2.010, Net::SSLeay version 1.68 and OpenSSL version 1.0.2a produces a segmentation fault on two systems of mine. The interesting thing is that if the result of CERT_create is not assigned to a variable, but instead given directly to PEM_cert2file, everything works (however, the cert is saved to a randomly numbered file instead of test_file.pem).

Can you help me? I have been struggling with this for a while, and it may still be my fault!
Let me know if you need any more details.

Net-SSLeay-1.68 : request informations / $arg_hash->{SSL_ca}


I found not anywhere of a detail documentation clear about SSL_key or SSL_ca from variables and without from flat files : eg : my-ca.pem or client-cert.pem.

So, Iโ€™d like just use by variables a key of CA public without file of "$certdir/my-ca.pem" and open a new socket :

Example of perl 5.14.2 (strawberry 32bits):
$ca_key = q{-----BEGIN CERTIFICATE-----
MIIE+DCCA โ€ฆ. blabla โ€ฆ. tZPMIxRNeUKRg==

$x509 = PEM_string2cert($ca_key); #=> it's work !

if(!($socket = IO::Socket::SSL->new(
Listen => 5,
LocalPort => $port,
Proto => 'tcp',
Reuse => 0,
SSL_ca_path => $certdir,
# SSL_ca_file => "$certdir/my-ca.pem", => it's work fine with all keys
SSL_ca => $x509,
SSL_cert_file => "$certdir/server-cert.pem",
SSL_key_file => "$certdir/server-key.pem",
SSL_use_cert => 1,
SSL_verify_mode => SSL_VERIFY_PEER,
SSL_reuse_ctx => 0,
SSL_server => 1,
SSL_version => 'SSLv3',
SSL_cipher_list => 'SHA:AES:3DES:!RC4:!MD5',
SSL_passwd_cb => sub {return "$secret"},
)) )

And I've some erro :
Can't use string ("61536080") as an ARRAY ref while "strict refs" in use at E:/strawberry- line 2273.
at E:/strawberry- line 2273
IO::Socket::SSL::SSL_Context::new('IO::Socket::SSL::SSL_Context', 'HASH(0x242df6c)') called at E:/strawberry- line 512

Is it possible and whichโ€™s a good practice ?

Many thanks for advance.

Best regards


RFC: complain loudly if supplied SSL files do not exist


This is a RFC : I'm happy to do more work to add tests or rework the implementation, however I wanted to first check if there was any interest (and that I'm even vaugely on the right path).

I recently tripped up over my own stupidity by passing paths to SSL files (key/cert/ca) that didn't exist. The behaviour I observed was that the server started, accepted connections then immediately closed them. No error was emitted.

In my particular case, I was using Mojolicious' morbo, however talking to sri on irc he suggested that IO::Socket:SSL would be the correct place to fix this.


morbo -v -l "" script/server

If either of those files does not exist, I see this behaviour:

ยง telnet 4430
Connected to
Escape character is '^]'.
Connection closed by foreign host.

If all relevant files DO exist, I see this:

ยง telnet 4430
Connected to
Escape character is '^]'.

(followed by the server waiting for input)

I'm not hugely familiar with the IO::Socket::SSL code, so the following patch really should be treated more as a hand-wavy attempt to explain my problem and a rough line in the sand for where it might be possible to fix.

If someone with better knowledge of the code could give me some pointers/direction, I'd be happy to invest some effort in trying to submit a proper pull-request with a more robust patch include, plus some tests.


missing certs in latest release.

I tried to update I:S:S this morning but the sni*.t tests failed, complaining about 1 test ran out of 17 planned. Running said tests verbosely, I get this error :

not ok # SSL_cert_file certs/server2-cert.pem can't be used: No such file or directory at /usr/home/xxx/.cpanm/work/1516570603.23798/IO-Socket-SSL-2.053/lib/IO/Socket/ line 2256

And indeed, the file is missing in the certs directory. Also, there is no mention of this file in MANIFEST. They seem to be fairly new (github claims they were created 7 days ago), could it be that you forgot to add them in your release procedure?

Best regards,

feature request: support user could fix sni support version


I already read RT #83289 and SNI support section of IO::Socket::SSL.

But sometimes if user could know exactly his ssl could support SNI or not, although its version is 0.9.8.x. Current code of IO::Socket::SSL looks like:

IO::Socket::SSL code, Line 40

if ( $can_client_sni ) {


sub can_client_sni { return $can_client_sni }

So, someone who are using ssl 0.9.8 which is backported SNI could not use SNI option. I hope to check using can_client_sni() rather than $can_client_sni lexical variable. Because If user risk the ssl 0.9.8 version then he can override can_client_sni() then he could use SNI features of his SSL.

How about change the code like:

if ( $self->can_client_sni() ) {

If this feature request is not
Please ignore and close this feature request if it is inappropriate. :-)


Different base class?

Hi - Would it be possible to have the base class as a parameter? One use case is to have SSL connections through SOCKS. To do that currently, I had to duplicate the whole in a new package just to have a different @isa (IO::Socket::Socks). It works, but such duplication does not feel like the right think to do.

There might be a a much more simple option, but I'm still a Perl noob


t\verify_hostname_standalone.t #78 fails on Windows 8.1

C:\> prove -vb t\verify_hostname_standalone.t
not ok 78 - 1 != 0 |[::]: cn= san=IP:0000:0000:0000:0000:0000:0000:0405:0609

#   Failed test '1 != 0 |[::]: cn= san=IP:0000:0000:0000:0000:0000:0000:0405:0609'
#   at t\verify_hostname_standalone.t line 55.
# Looks like you failed 1 test of 78.

Windows 8.1 Pro 64-bit

OpenSSL 1.0.2a 19 Mar 2015

Visual Studio 2013 tools:

cl /?
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x64
nmake /?
Microsoft (R) Program Maintenance Utility Version 12.00.21005.1
Summary of my perl5 (revision 5 version 20 subversion 2) configuration:
    osname=MSWin32, osvers=6.3, archname=MSWin32-x64-multi-thread
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    optimize='-O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise',
    ccversion='18.00.31101', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='__int64', ivsize=8, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\opt\perl-5.20.2\lib\CORE"  -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
    libpth="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\lib\amd64"
    libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl520.lib
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\opt\perl-5.20.2\lib\CORE"  -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'

Characteristics of this binary (from libperl): 
                        PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT
  Built under MSWin32
  Compiled at Feb 16 2015 08:44:56
    PERLDOC_PAGER="c:\opt\cygwin64\bin\less.exe -+C -E -F -g -i"

IO::Socket::SSL + fork

Hello, I've asked a question on today ( ), and it seems this issue needs an implementation.
IO::Socket::SSL is a very versatile module, but the lack of fork support is a really sad fact.

Since IO::Socket::SSL is a descendent of IO::Socket::INET, I think it should support fork as the second one does.

Would it be possible to implement a such 'fix' for not using third-party event-driven frameworks?

implicit derivation of hostname for SNI should be less astonishing

The addition of SNI support here:
created one explicit way for the caller to supply the host name for which the certificate is wanted (supply it with the key SSL_hostname).

It also added a default behavior if SSL_hostname isn't specified, but that default behavior is almost surely not what the caller expects! If the caller passes both a PeerAddr and a PeerHost, the code looks at the PeerAddr first ... and then discards it if it looks like an address instead of a hostname ... and ignores the PeerHost!

It is probably better to look at PeerHost for a hostname first ... and maybe it is even best to look at both, and accept either one if it has the form of a hostname and not an address.

Default cipher list doesn't include ECDHE-RSA-AES128-GCM-SHA256

Not an expert on SSL, but I ran into a situation where I couldn't connect to a server using LWP that only had the TLS 1.2 protocol enabled:

In debugging this, I found that it was failing to connect because IO::Socket::SSL's default cipher list didn't include ECDHE-RSA-AES128-GCM-SHA256 (which all major browsers seem to include).

The comment for $DEFAULT_SSL_CLIENT_ARGS{SSL_cipher_list} says that the list is from IE11, but it's perhaps out of date, since IE11 seems to support more ciphers than in that list.

For reference, here's the list I get from IE11 (might be a bit out of date since it's from a VM):

  • RSA-AES256-GCM-SHA384
  • RSA-AES128-GCM-SHA256
  • RSA-AES256-SHA
  • RSA-AES128-SHA
  • DHE-DSS-AES256-SHA256
  • RSA-RC4128-SHA
  • RSA-RC4128-MD5

t/external/ocsp.t failing

I've tried various perls (5.27.4, 5.24.2, 5.24.1) and this test consistently fails. IO::Socket::SSL 2.050 is also failing. This is a recent thing, 2.050 on perl 5.24.2 was working when I installed it in June and on perl 5.27.3 in August.

$ perl -v | grep version

This is perl 5, version 24, subversion 2 (v5.24.2) built for x86_64-linux-thread-multi-ld
(with 1 registered patch, see perl -V for more detail)

$ prove -vl t/01loadmodule.t t/protocol_version.t t/external/ocsp.t 
t/01loadmodule.t ...... 
ok 1 - loaded
# openssl version=0x1000207f
# Net::SSLeay version=1.81
# parent IO::Socket::IP version=0.39
ok 2 - IO::Socket::SSL::DEBUG 1
ok 3 - Net::SSLeay::trace 1

t/protocol_version.t .. 
ok 1 - accept SSLv23 with any, got TLSv1_2
# looks like OpenSSL was compiled without SSLv3 support
ok 2 - accept TLSv1 with any, got TLSv1
ok 3 - accept TLSv1_1 with any, got TLSv1_1
ok 4 - accept TLSv1 with TLSv1
ok 5 - accept SSLv23:!TLSv1_2:!TLSv1_1 with TLSv1
ok 6 - accept TLSv1_1 with TLSv1_1
ok 7 - accept SSLv23:!TLSv1_2 with TLSv1_1
ok 8 - accept TLSv1_2 with TLSv1_2
ok 9 - accept SSLv23 with TLSv1_2

t/external/ocsp.t ..... 
# tcp connect to ok
ok 1 # skip fingerprints do not match
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
not ok 2 - SSL upgrade with OCSP stapling failed: SSL wants a read first
#   Failed test 'SSL upgrade with OCSP stapling failed: SSL wants a read first'
#   at t/external/ocsp.t line 93.
# tcp connect to ok
ok 3 # skip fingerprints do not match
# Looks like you failed 1 test of 3.
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/3 subtests 
	(less 2 skipped subtests: 0 okay)

Test Summary Report
t/external/ocsp.t   (Wstat: 256 Tests: 3 Failed: 1)
  Failed test:  2
  Non-zero exit status: 1
Files=3, Tests=15, 12 wallclock secs ( 0.04 usr  0.00 sys +  0.42 cusr  0.07 csys =  0.53 CPU)
Result: FAIL

Client cert chains should not be required to be built

Server certificate files can (and arguably should!) be a single file with the chain of certificates concatenated all the way down to the root certificate. This is efficient and simple.

Unfortunately, client certificates do not work this way, and will only read the first certificate in a file and will only build the cert to the root cert, requiring the user to have all of the certificates that the client cert is based on (ie all the certs in the chain) in the CA store of the client.

For simplicity's sake I'd rather only store my root CA in my CA store, and have the client and server both just have chainfiles instead of single pem files. I suspect that the reason this works this way is that it's how OpenSSL works by default, as s_client from openssl acts the same way. But curl, which uses openssl on my system, allows the user to set client cert file which is a chainfile, so I suspect it's doable, just a bit of work.

I can try my hand at figuring this out, but I am mostly a pure-perl dev and don't know much about the guts of OpenSSL, XS, and other weird stuff like that. If I were to do this I'd see how curl is doing it.

t\verify_fingerprint.t occasionally hangs when run via `nmake test`

I can't consistently reproduce this. I only notice it when my cpan-outdated | cpanm hangs. My efforts at diagnosing this have failed so far. Once I issue a prove -vb t\verify_fingerprint.t from the command line, it always gets done rather quickly, and subsequent nmake test runs don't hang either.

C:\...\IO-Socket-SSL-2.013> nmake test
t\verify_fingerprint.t ............ 1/12

That's where it hangs. After this, CTRL-C followed by:

C:\...\IO-Socket-SSL-2.013> prove -vb t\verify_fingerprint.t
t\verify_fingerprint.t ..                                                                       
ok 1 - accept fp1 for saddr1                                                                    
ok 2 - accept fp2 for saddr2                                                                    
ok 3 - reject ifp2 for saddr2                                                                   
ok 4 - reject fp2 for saddr1                                                                    
ok 5 - reject fp1 for saddr2                                                                    
ok 6 - accept fp1|fp2 for saddr1                                                                
ok 7 - accept fp1|fp2 for saddr2                                                                
ok 8 - accept fp2 for saddr2 even if ca1 given                                                  
ok 9 - accept ca2 for saddr2                                                                    
ok 10 - reject ca2 for saddr1                                                                   
ok 11 - accept ca[12] for saddr1                                                                
ok 12 - reject non-ca cert1 as ca for saddr1                                                    
All tests successful.                                                                           
Files=1, Tests=12,  4 wallclock secs ( 0.06 usr +  0.05 sys =  0.11 CPU)                        
Result: PASS

I know this is very little information to go on. I'll update if I can figure out anything else.


Windows 8.1 Pro 64-bit.

Summary of my perl5 (revision 5 version 20 subversion 2) configuration:
    osname=MSWin32, osvers=6.3, archname=MSWin32-x64-multi-thread
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    use64bitint=define, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    optimize='-O1 -Os -favor:INTEL64 -MD -Zi -DNDEBUG -GL -fp:precise',
    ccversion='18.00.31101', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='__int64', ivsize=8, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\opt\perl-5.20.2\lib\CORE"  -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'
    libpth="C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\lib\amd64"
    libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib  comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib  netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib  version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl520.lib
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg  -libpath:"c:\opt\perl-5.20.2\lib\CORE"  -machine:AMD64 "/manifestdependency:type='Win32' name='Microsoft.Windows.Common-Controls' version='' processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*'"'

Characteristics of this binary (from libperl): 
                        PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT
  Built under MSWin32
  Compiled at Feb 16 2015 08:44:56
    PERLDOC_PAGER="c:\opt\cygwin64\bin\less.exe -+C -E -F -g -i"


C:\> c:\opt\openssl\bin\openssl.exe version
OpenSSL 1.0.2a 19 Mar 2015

Visual Studio 2013:

cl /?
Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x64
nmake /?
Microsoft (R) Program Maintenance Utility Version 12.00.21005.1

t/session_ticket.t failing in Fedora Rawhide

Test results:

$ make test                                                                                                                   
PERL_DL_NONLAZY=1 "/usr/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harne
ss(0, 'blib/lib', 'blib/arch')" t/*.t t/external/*.t                                                                          
# openssl version=0x1010003f                                                                                                  
# Net::SSLeay version=1.80                                                                                                    
# parent IO::Socket::IP version=0.38                                                                                          
t/01loadmodule.t .................. ok                                                                                        
t/acceptSSL-timeout.t ............. ok                                                                                        
t/alpn.t .......................... ok                                                                                        
t/auto_verify_hostname.t .......... ok                                                                                        
t/cert_formats.t .................. ok                                                                                        
t/cert_no_file.t .................. ok                                                                                        
t/compatibility.t ................. ok                                                                                        
t/connectSSL-timeout.t ............ ok                                                                                        
t/core.t .......................... ok                                                                                        
t/dhe.t ........................... ok                                                                                        
t/ecdhe.t ......................... ok                                                                                        
# tcp connect to ok                                                                                         
# tcp connect to ok                                                                                        
# fingerprint matches                                                                                                         
# validation with default CA w/o OCSP ok                                                                                      
# validation with default CA with OCSP defaults ok                                                                            
# validation with default CA with OCSP full chain ok                                                                          
# tcp connect to ok                                                                                       
# fingerprint matches                                                                                                         
# validation with default CA w/o OCSP ok                                                                                      
t/external/ocsp.t ................. ok                                                                                        
# found 154 CA certs                                                                                                          
# have root CA for in store                                                                                   
# 5 connections to ok                                                                                         
# have root CA for in store                                                                                  
# 5 connections to ok                                                                                        
# have root CA for in store                                                                                      
# 5 connections to ok                                                                                            
# fingerprint matches                                                                                            
# check against builtin CA store ok                                                                              
t/external/usable_ca.t ............ ok                                                                                        
t/io-socket-inet6.t ............... ok                                                                                        
t/io-socket-ip.t .................. ok                                                                                        
t/memleak_bad_handshake.t ......... ok                                                                                        
t/mitm.t .......................... ok                                                                                        
t/nonblock.t ...................... ok                                                                                        
t/npn.t ........................... ok                                                                                        
# -- test: newINET start_SSL stop_SSL start_SSL                                                                               
# server accepted new client                                                                                                  
# wait for initial data from client                                                                                           
# got 0x666f6f from client                                                                                                    
# server: got plain data at start of connection                                                                               
# server: TLS upgrade                                                                                                         
# server: TLS downgrade                                                                                                       
# server: TLS upgrade#2                                                                                                       
# -- test: newSSL stop_SSL connect_SSL                                                                                        
# server accepted new client                                                                                                  
# wait for initial data from client                                                                                           
# got 0x160301 from client                                                                                                    
# server: TLS upgrade                                                                                                         
# server: TLS downgrade                                                                                                       
# server: TLS upgrade#2                                                                                                       
# -- test: newSSL:0 connect_SSL stop_SSL connect_SSL                                                                          
# server accepted new client                                                                                                  
# wait for initial data from client                                                                                           
# got 0x666f6f from client                                                                                                    
# server: got plain data at start of connection                                                                               
# server: TLS upgrade                                                                                                         
# server: TLS downgrade                                                                                                       
# server: TLS upgrade#2                                                                                                       
# -- test: newSSL:0 start_SSL stop_SSL connect_SSL                                                                            
# server accepted new client                                                                                                  
# wait for initial data from client                                                                                           
# got 0x666f6f from client                                                                                                    
# server: got plain data at start of connection                                                                               
# server: TLS upgrade                                                                                                         
# server: TLS downgrade                                                                                                       
# server: TLS upgrade#2                                                                                                       
# server accepted new client                                                                                                  
# wait for initial data from client                                                                                           
# got 0x656e64 from client                                                                                                    
# client requested end of tests                                                                                               
t/plain_upgrade_downgrade.t ....... ok                                                                                        
# failed to accept SSLv3                                                                                                      
# looks like OpenSSL was compiled without SSLv3 support                                                                       
t/protocol_version.t .............. ok                                                                                        
t/public_suffix_lib_encode_idn.t .. ok                                                                                        
t/public_suffix_lib_libidn.t ...... ok                                                                                        
t/public_suffix_lib_uri.t ......... ok                                                                                        
t/public_suffix_ssl.t ............. ok                                                                                        
t/readline.t ...................... ok                                                                                        
# listen at                                                                                                   
# listen at                                                                                                   
# connect to 0: success reuse=0                                                                                               
# connect to 0: success reuse=0                                                                                               
#   Failed test 'reuse with the next session and secret[0]'                                                                   
#   at t/session_ticket.t line 57.                                                                                            
#          got: '0'                                                                                                           
#     expected: '1'                                                                                                           
# connect to 1: success reuse=0                                                                                               
#   Failed test 'reuse even though server changed, since they share ticket secret'                                            
#   at t/session_ticket.t line 57.                                                                                            
#          got: '0'                                                                                                           
#     expected: '1'                                                                                                           
# connect to 1: success reuse=0                                                                                               
# connect to 0: success reuse=0                                                                                               
# connect to 0: success reuse=0                                                                                               
#   Failed test 'reuse again since got ticket with secret[0] in last step'                                                    
#   at t/session_ticket.t line 57.                                                                                            
#          got: '0'                                                                                                           
#     expected: '1'                                                                                                           
# Looks like you failed 3 tests of 6.                                                                                         
t/session_ticket.t ................                                                                                           
Dubious, test returned 3 (wstat 768, 0x300)                                                                                   
Failed 3/6 subtests                                                                                                           
t/sessions.t ...................... ok                                                                                        
t/signal-readline.t ............... ok                                                                                        
t/sni.t ........................... ok                                                                                        
t/sni_verify.t .................... ok                                                                                        
t/start-stopssl.t ................. ok                                                                                        
t/startssl-failed.t ............... ok                                                                                        
t/startssl.t ...................... ok                                                                                        
t/sysread_write.t ................. ok                                                                                        
t/verify_fingerprint.t ............ ok                                                                                        
t/verify_hostname.t ............... ok                                                                                        
t/verify_hostname_standalone.t .... ok                                                                                        
Test Summary Report                                                                                                           
t/session_ticket.t              (Wstat: 768 Tests: 6 Failed: 3)                                                               
  Failed tests:  2-3, 6                                                                                                       
  Non-zero exit status: 3                                                                                                     
Files=38, Tests=798, 54 wallclock secs ( 0.10 usr  0.02 sys +  3.32 cusr  0.36 csys =  3.80 CPU)                              
Result: FAIL                                                                                                                  
Failed 1/38 test programs. 3/798 subtests failed.                                                                             
make: *** [Makefile:791: test_dynamic] Error 255                                                                              

The most significant difference between the failing Rawhide build and the Fedora 25 build (which works) is that Rawhide has OpenSSL 1.1.0c and Fedora 25 has OpenSSL 1.0.2j.

All my builds for older Fedora/RHEL versions work OK.

IO::Socket::SSL supports TLSv1.0

Per the POD:

IO::Socket::SSL tries to set these values to reasonable, secure values which are compatible with the rest of the world. But, there are some scripts or modules out there which tried to be smart and get more secure or compatible settings. Unfortunately, they did this years ago and never updated these values, so they are still forced to do only 'TLSv1' (instead of also using TLSv12 or TLSv11). Or they set 'HIGH' as the cipher list and thought they were secure, but did not notice that 'HIGH' includes anonymous ciphers, e.g. without identification of the peer.

So it is recommended to leave the settings at the secure defaults which IO::Socket::SSL sets and which get updated from time to time to better fit the real world.

Keeping the "secure" defaults would allow TLSv1.0. TLSv1.0 is insecure and broken. POODLE and BEAST exploits already exist for it. Using it will break PCI DSS in June 2018.

Let's just change default SSL_version to SSLv23:!SSLv2:!SSLv3:!TLSv1.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.