Bug#1104296: Net::SMTP::TLS fails with hostname verification failed

    From Peter Palfrader@21:1/5 to All on Mon Apr 28 14:40:02 2025
    Package: libnet-smtp-tls-perl
    Version: 0.12-4
    Severity: important
    Tags: patch

    Hi,

    after upgrading to Debian 12, some of our tooling fell over with
    | Couldn't start TLS: hostname verification failed

    Turns out, Net::SMTP::TLS does not provide the hostname to
    the code that in the end tries to verify the CN, so that
    code in turn ends up using the socket endpoint IP address.

    To reproduce:


    weasel@gander:~$ perl -MNet::SMTP::TLS -e '$smtp = Net::SMTP::TLS->new("mailly.debian.org")'
    Couldn't start TLS: hostname verification failed
    at -e line 1.

    This seems like it might be a sane fix:
    --- TLS.pm 2025-04-28 14:22:13.523427780 +0200
    +++ /usr/share/perl5/Net/SMTP/TLS.pm 2025-04-28 14:22:24.631519263 +0200
    @@ -178,7 +178,7 @@
    if(not $num == 220){
    croak "Invalid response for STARTTLS: $num $txt\n";
    }
    - if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
    + if(not IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host})){
    croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";
    }
    $me->hello();
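Review bot: the `+` line sets which name is checked (SSL_verifycn_name) but not how it is matched; consider also passing SSL_verifycn_scheme => 'smtp' so IO::Socket::SSL applies SMTP name-matching rules rather than whatever its default scheme is for an unnamed caller, e.g. `IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host}, SSL_verifycn_scheme=>'smtp')`. It is also worth confirming that $me->{Host} holds the hostname as supplied by the caller and not a resolved address, otherwise the check still ends up comparing against an IP. Minor: the header looks reversed (`--- TLS.pm` is the modified copy, `+++ /usr/share/perl5/Net/SMTP/TLS.pm` the installed original), which will confuse anyone applying it with patch -p0.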

    in sub starttls.

    With that patch applied, things work:

    weasel@gander:~$ perl -MNet::SMTP::TLS -e '$smtp = Net::SMTP::TLS->new("mailly.debian.org")'
    weasel@gander:~$


    Cheers,
    --
                            |  .''`.  ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/

From gregor herrmann@21:1/5 to Peter Palfrader on Wed May 7 22:00:02 2025
    On Mon, 28 Apr 2025 12:26:52 +0000, Peter Palfrader wrote:

    after upgrading to Debian 12, some of our tooling fell over with
    | Couldn't start TLS: hostname verification failed
    Turns out, Net::SMTP::TLS does not provide the hostname to
    the code that in the end tries to verify the CN, so that
    code in turn ends up using the socket endpoint IP address.

    Thanks!

    Forwarded upstream as https://rt.cpan.org/Ticket/Display.html?id=164994

    2 remarks:

1) AFAIK Net::SMTP has supported TLS for quite some time, so
Net::SMTP::TLS might be unneeded by now.

    2) Regarding the patch:

    - if(not IO::Socket::SSL::socket_to_SSL($me->{sock})){
    + if(not IO::Socket::SSL::socket_to_SSL($me->{sock}, SSL_verifycn_name=>$me->{Host})){
    croak "Couldn't start TLS: ".IO::Socket::SSL::errstr."\n";

    Looking at IO::Socket::SSL's documentation (admittedly on my unstable machine):

    socketToSSL() and socket_to_SSL()
    use IO::Socket::SSL->start_SSL() instead

    I see the point of keeping upstream's use of socket_to_SSL(); just
    another hint that Net::SMTP::TLS smells a bit unfresh …

    But yeah, adding this change looks like an improvement over the
    status quo.


    Cheers,
    gregor

    --
    .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
    : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
    `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
    `-

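For reference, here is what the fix from the bug report looks like when done with the start_SSL() API that the IO::Socket::SSL documentation recommends in place of socket_to_SSL(). This is an added example, not code from Net::SMTP::TLS or from either message; the host name and port are assumptions, and the EHLO/STARTTLS exchange is a minimal hand-rolled client rather than anything the module ships.

```perl
# Added example (not Net::SMTP::TLS or bug-report code): STARTTLS upgrade via
# IO::Socket::SSL->start_SSL, passing the hostname the client dialled so the
# certificate name check runs against it, not the socket's peer IP address.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER

# Read one (possibly multi-line) SMTP reply; returns (code, joined text).
sub read_reply {
    my ($sock) = @_;
    my ($code, $text) = ('', '');
    while (defined(my $line = <$sock>)) {
        $line =~ s/\r?\n\z//;
        my ($c, $sep, $rest) = $line =~ /^(\d{3})([ -])(.*)$/
            or die "malformed SMTP reply: $line\n";
        ($code, $text) = ($c, $text . "$rest\n");
        last if $sep eq ' ';   # "250 ..." ends the reply, "250-..." continues
    }
    return ($code, $text);
}

# Connect to $host:$port, negotiate STARTTLS, return the TLS-wrapped socket.
sub starttls_verified {
    my ($host, $port) = @_;
    my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port,
                                     Proto => 'tcp') or die "connect: $@\n";
    my ($code, $text) = read_reply($sock);
    die "unexpected greeting: $code $text" unless $code == 220;
    print $sock "EHLO client.example\r\n";
    ($code, $text) = read_reply($sock);
    die "EHLO rejected: $code $text" unless $code == 250;
    die "server does not advertise STARTTLS\n" unless $text =~ /^STARTTLS$/mi;
    print $sock "STARTTLS\r\n";
    ($code, $text) = read_reply($sock);
    die "STARTTLS rejected: $code $text" unless $code == 220;
    # The bug report's fix in start_SSL form: verify the chain against the
    # default CA store and match the certificate name against $host with
    # the SMTP name-matching rules.
    IO::Socket::SSL->start_SSL($sock,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_name   => $host,
        SSL_verifycn_scheme => 'smtp',
    ) or die "Couldn't start TLS: " . IO::Socket::SSL::errstr() . "\n";
    return $sock;   # caller must send EHLO again before MAIL FROM
}

# Assumed host; replace with a relay you are allowed to test against.
my $tls = starttls_verified('mail.example.invalid', 25);
print $tls "QUIT\r\n";
```

Leaving out SSL_verifycn_name reproduces the symptom in the report: IO::Socket::SSL falls back to the socket's peer address for the name check, and a certificate issued for the mail host's DNS name fails with "hostname verification failed".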