
I have a system that sends data to customers using Perl LWP. They can choose their URL and whether to POST or GET.

A new customer recently complained that the service doesn't work and they suspect it's because their endpoint uses SNI SSL.

Looking in the logs, all I see is the error message "(certificate verify failed) (500 read timeout)".

Is there any way to tell if this issue is because of their SNI SSL, or something different? I think I can solve the problem by turning off verify_hostname, but this is a last resort; I would rather have it working properly.

What other steps should I take?

Ben Holness

  • *"I think I can solve the problem by turning off verify_hostname..."* - Don't do it. That's called killing the patient. The cure is worse than the disease. – jww Aug 27 '14 at 19:00
  • *"Looking in the logs, all I see is the error message "(certificate verify failed) (500 read timeout)"* - We need more information than this. Please provide a URL to the server, or the server's certificate. Better, paste the full output of `openssl s_client -connect :`. You should also supply your code. – jww Aug 27 '14 at 19:01
  • @jww - I agree about verify_hostname (hence it was last resort). The problem was resolved by upgrading IO::Socket::SSL in the end. Thanks! – Ben Holness Aug 27 '14 at 19:43

1 Answer


Whether SNI might be a problem depends on the modules you use and their versions:

  • LWP uses IO::Socket::SSL since version 6.0 as the backend SSL library. Before that it used Crypt::SSLeay, which does not support SNI, and you can still enforce use of Crypt::SSLeay. But, while this might cause the server to return the wrong data, it should in most cases not lead to verify problems, because Crypt::SSLeay does not verify if the name in the certificate matches the requested hostname (and thus does not detect man-in-the-middle attacks).
  • IO::Socket::SSL does SNI on the client side since version 1.56 (02/2012), but you need at least version 1.0 of OpenSSL. Support for older versions is disabled because of bugs in OpenSSL when interacting with some servers.

You can try to debug the issue by setting `$IO::Socket::SSL::DEBUG=4` when running the code.

Steffen Ullrich
  • *"IO::Socket::SSL does SNI since version 1.56"* - I think that's 1.83 for the server. See http://cpansearch.perl.org/src/SULLR/IO-Socket-SSL-1.83/Changes. – jww Aug 27 '14 at 19:06
  • Yes, but we are talking about LWP and this means client. I've made my answer more clear in this regard. – Steffen Ullrich Aug 27 '14 at 19:14
  • I was on version 1.53 of IO::Socket::SSL. Upgrading seems to have resolved it. Thanks! – Ben Holness Aug 27 '14 at 19:42
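The checks the answer describes (LWP 6.x with IO::Socket::SSL as backend, IO::Socket::SSL at least 1.56 on OpenSSL 1.0, and running with `$IO::Socket::SSL::DEBUG=4`) can be gathered in one diagnostic script. The following is an added example, not code from the question or the answer: it prints the versions that decide whether client SNI is available, asks IO::Socket::SSL directly via its documented `can_client_sni` class method, and then fetches the URL with certificate verification left on so the failure is seen exactly as the sending system sees it. The URL and the 30-second timeout are assumptions; replace them with the customer's endpoint.

```perl
#!/usr/bin/perl
# Added diagnostic script (not from the question or answer): report the
# module and OpenSSL versions that decide whether LWP can send SNI, then
# fetch the URL with verification left ON and IO::Socket::SSL debugging on.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;
use Net::SSLeay;

# Hypothetical endpoint; pass the customer's URL as the first argument.
my $url = shift @ARGV || 'https://example.com/';

printf "LWP::UserAgent       %s\n", $LWP::UserAgent::VERSION;
printf "IO::Socket::SSL      %s\n", $IO::Socket::SSL::VERSION;
printf "Net::SSLeay          %s\n", $Net::SSLeay::VERSION;
printf "OpenSSL (runtime)    %s\n", Net::SSLeay::SSLeay_version(0);

# LWP 6.x routes https through LWP::Protocol::https, a separate distribution.
if (eval { require LWP::Protocol::https; 1 }) {
    printf "LWP::Protocol::https %s\n", $LWP::Protocol::https::VERSION;
} else {
    print "LWP::Protocol::https is NOT installed; https requests will fail\n";
}

# Net::HTTPS honours this variable to force Crypt::SSLeay (no SNI, no
# hostname check) instead of IO::Socket::SSL; it should normally be unset.
print "PERL_NET_HTTPS_SSL_SOCKET_CLASS=",
      ($ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} // '(unset)'), "\n";

# can_client_sni combines the answer's two conditions (IO::Socket::SSL >= 1.56
# and OpenSSL >= 1.0) into a single yes/no from the library itself.
my $sni = IO::Socket::SSL->can_client_sni ? 'yes' : 'NO';
print "Client SNI available: $sni\n\n";

# Keep verification exactly as production does; only the debug level changes.
$IO::Socket::SSL::DEBUG = 4;
my $ua = LWP::UserAgent->new(
    timeout  => 30,                       # assumed value
    ssl_opts => { verify_hostname => 1 },
);
my $res = $ua->get($url);
print "\nResult: ", $res->status_line, "\n";

if (!$res->is_success && $res->status_line =~ /certificate verify failed/) {
    print "Verification failed with client SNI = $sni.\n";
    print "If SNI is NO, the server most likely presented its default certificate\n",
          "for a different name; upgrade the SSL stack rather than disabling\n",
          "verify_hostname.\n";
}
```

Run it as `perl sni_check.pl https://customer.example/endpoint` on the sending host. The `DEBUG=4` output shows the handshake and, on failure, the verify error and the subject of the certificate the server actually sent; comparing that subject with the requested hostname tells you whether the server answered without SNI (wrong certificate) or whether the certificate chain itself is the problem (missing CA, expired certificate), which an SNI fix would not cure.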