user1726707

Reputation: 95

Net::LDAPS throws unknown error during SSL connect

I am trying to connect to an LDAP server using the Net::LDAPS module. I am passing the right username, password and capath to it. The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.

The sample code I am working with:

use strict;
use warnings;
use Net::LDAPS;

my $ad_host = 'XYZ';
my $ad_port = 636;
my $ad_user = 'ABC';
my $ad_pass = '****';
my $ca_path = '<path to ca cert>';

# Connect over LDAPS and insist on verifying the server certificate
# against the CA certificates found in $ca_path.
my $ldap = Net::LDAPS->new(
                $ad_host,
                port   => $ad_port,
                verify => 'require',
                capath => $ca_path
) or die "LDAPS connect to $ad_host:$ad_port failed: $@\n";

Is it a known bug in the LDAPS module? Or am I missing out on something apparent?

The debug logs:

DEBUG: .../IO/Socket/SSL.pm:179: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1427: new ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:309: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:311: socket connected
DEBUG: .../IO/Socket/SSL.pm:324: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:354: set socket to non-blocking to enforce  timeout=120
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1175: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

DEBUG: .../IO/Socket/SSL.pm:373: fatal SSL error: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1462: free ctx 21295632 open=21295632
DEBUG: .../IO/Socket/SSL.pm:1465: OK free ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:1175: IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)

Versions of the modules I am using:

...:~/test_perl$ perlmodver Net::LDAPS 0.05

...:~/test_perl$ perlmodver Net::LDAP 0.39

...:~/test_perl$ perlmodver IO::Socket::SSL 1.18

Upvotes: 2

Views: 2046

Answers (2)

user1726707

Reputation: 95

This issue is resolved.

There are 2 ways to solve this:

Bypass the verification (Not recommended)

If you are using the "verify" attribute like the one in my code, you just have to comment it out. It will bypass the cert verification.

Add a soft link to the certificates

Maybe it is a behavior specific to trusty, because on lucid it was working fine. So, you need to create a soft link to all your pem files and place it in the CA Path. You can do this by running

ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

Upvotes: 1
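An added diagnostic script, not part of the question or either answer, that checks the two things the thread turns on: whether the capath directory actually contains the hash-named links OpenSSL looks for, and what the underlying SSL error is when the verified connect fails. The host, port and CA directory are assumed placeholder values; it uses the openssl command line, as the accepted answer does, and a POSIX shell for the redirection.

```perl
#!/usr/bin/env perl
# Added diagnostic (not from the question or answers): verify that the
# directory handed to Net::LDAPS as capath is laid out the way OpenSSL
# expects, then attempt a verified connection and surface the real SSL
# error instead of a bare undef.
use strict;
use warnings;
use Net::LDAPS;
use IO::Socket::SSL;

# Assumed values: replace with your own host and CA directory.
my $ad_host = 'ldap.example.com';
my $ad_port = 636;
my $ca_path = '/etc/ssl/ldap-ca';

# OpenSSL locates CAs in a capath by "<subject-hash>.<n>" file names, so a
# directory holding only plain *.pem files is silently treated as empty.
# Report every .pem that has no hash-named link (hash taken from the
# openssl CLI, exactly as the ln -s command in the answer does).
sub missing_capath_links {
    my ($dir) = @_;
    my @missing;
    for my $pem (glob("$dir/*.pem")) {
        my $hash = qx(openssl x509 -hash -noout -in "$pem" 2>/dev/null);
        chomp $hash;
        next unless $hash =~ /^[0-9a-f]{8}$/;   # not an X.509 cert, skip it
        my @links = glob("$dir/$hash.[0-9]*");  # list context: fresh glob each time
        push @missing, $pem unless @links;
    }
    return @missing;
}

if (my @bad = missing_capath_links($ca_path)) {
    warn "no hash-named link in $ca_path for: $_\n" for @bad;
    warn "fix with: cd $ca_path && c_rehash . (or the ln -s ... `openssl x509 -hash` command)\n";
}

# Keep verification on. On failure, $@ carries Net::LDAP's message and
# $IO::Socket::SSL::SSL_ERROR the OpenSSL reason, which is far more useful
# than "IO::Socket::INET6 configuration failed".
my $ldap = Net::LDAPS->new($ad_host, port => $ad_port,
                           verify => 'require', capath => $ca_path);
unless ($ldap) {
    die "LDAPS connect to $ad_host:$ad_port failed: $@ (SSL: "
        . ($IO::Socket::SSL::SSL_ERROR // 'n/a') . ")\n";
}
print "verified TLS connection to $ad_host established\n";
$ldap->unbind;
```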

Chankey Pathak

Reputation: 21676

If you look at the error you can see that certificate verification failed.

SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

You can either correct the certificate or ignore certificate verification by passing

verify => 'none'

On a side note, you can also use Net::LDAP if you pass ldaps:// as a prefix to $ad_host.

my $ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
                           verify => 'require',
                           capath => $ca_path);

Oops, just noticed that you said:

The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.

Then this looks like a configuration issue. Can you connect to your server using ldapsearch?

Upvotes: 1
