Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34.

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, Below is Perl code that uses Net::LDAPS for the LDAPS SSL connection which seems to be working for Perl 5.34 version and not with 5.24 and 5.26 Perl versions.

use warnings;
use strict;
use Net::LDAPS;
use IO::Socket::SSL qw(debug3);
use Data::Dumper;

my ($hostname, $port, $localaddr, $clientcert, $clientkey, $verify, $c
+afile);

$hostname = $ARGV[0];
$port = $ARGV[1];
$localaddr = $ARGV[2];
$clientcert = $ARGV[3];
$clientkey = $ARGV[4];
$verify = $ARGV[5],
$cafile = $ARGV[6];

&get_ldaps_connection_object;
                                                
##print "\nLDAPS ::: $ldaps\n";

##print Dumper($ldaps);

sub get_ldaps_connection_object
{
    my $ldaps = Net::LDAPS->new("$hostname",
                             port => "636",
                             timeout => 120,
                             scheme => 'ldaps',                       
+      
                 localaddr => '',
                 clientcert => '',
                             clientkey => '',
                 verify => "require",
                 cafile => "$cafile") or die "$@";
                                                
    return $ldaps;
    
}
[download]

Below is the output of the above Perl program from Perl version 5.26 (same for 5.24) and 5.34.

## perl ldaps_connection.pl with Perl version 5.26.

DEBUG: .../IO/Socket/SSL.pm:2807: new ctx 60600432
DEBUG: .../IO/Socket/SSL.pm:659: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:661: socket connected
DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:717: using SNI with hostname server name
DEBUG: .../IO/Socket/SSL.pm:752: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:773: set socket to non-blocking to enforce
+ timeout=120
DEBUG: .../IO/Socket/SSL.pm:786: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:789: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:799: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:809: waiting for fd to become ready: SSL w
+ants a read first
DEBUG: .../IO/Socket/SSL.pm:829: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:786: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2661: ok=0 [0] SERVER NAME
DEBUG: .../IO/Socket/SSL.pm:789: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:792: SSL connect attempt failed

DEBUG: .../IO/Socket/SSL.pm:792: local error: SSL connect attempt fail
+ed error:1416F086:SSL routines:tls_process_server_certificate:certifi
+cate verify failed
DEBUG: .../IO/Socket/SSL.pm:795: fatal SSL error: SSL connect attempt 
+failed error:1416F086:SSL routines:tls_process_server_certificate:cer
+tificate verify failed
DEBUG: .../lib/IO/Socket.pm:49: ignoring less severe local error 'IO::
+Socket::IP configuration failed', keep 'SSL connect attempt failed er
+ror:1416F086:SSL routines:tls_process_server_certificate:certificate 
+verify failed'
DEBUG: .../IO/Socket/SSL.pm:2829: free ctx 60600432 open=60600432
DEBUG: .../IO/Socket/SSL.pm:2833: free ctx 60600432 callback
DEBUG: .../IO/Socket/SSL.pm:2840: OK free ctx 60600432
Bad file descriptor at ldaps_connection.pl line 8, <DATA> line 960.
[download]

## Perl ldaps_connection.pl with Perl version 5.34

DEBUG: .../IO/Socket/SSL.pm:763: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:1178: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:1178: global error: Undefined SSL object
DEBUG: .../IO/Socket/SSL.pm:765: socket connected
DEBUG: .../IO/Socket/SSL.pm:788: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:830: using SNI with hostname SERVER NAME
DEBUG: .../IO/Socket/SSL.pm:865: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:881: set socket to non-blocking to enforce
+ timeout=120
DEBUG: .../IO/Socket/SSL.pm:895: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:898: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:908: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:918: waiting for fd to become ready: SSL w
+ants a read first
DEBUG: .../IO/Socket/SSL.pm:938: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:895: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2866: ok=1 [0] SERVER NAME
DEBUG: .../IO/Socket/SSL.pm:1841: scheme=ldap cert=51849968
DEBUG: .../IO/Socket/SSL.pm:1851: identity=SERVER NAME
DEBUG: .../IO/Socket/SSL.pm:2913: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:898: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:908: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:918: waiting for fd to become ready: SSL w
+ants a read first
DEBUG: .../IO/Socket/SSL.pm:938: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:895: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:898: done Net::SSLeay::connect -> 1
DEBUG: .../IO/Socket/SSL.pm:953: ssl handshake done
LDAP ::: Net::LDAPS=HASH(0x6c4740)


LDAPS ::: Net::LDAPS=HASH(0x34119a8)
DEBUG: .../IO/Socket/SSL.pm:3066: free ctx 45839744 open=45839744
DEBUG: .../IO/Socket/SSL.pm:3070: free ctx 45839744 callback
DEBUG: .../IO/Socket/SSL.pm:3077: OK free ctx 45839744
[download]

My question is how to find which modules or what has been changed in Perl version 5.34 works for LDAPS SSL connection.
can I make it work for Perl version 5.24 itself and what needs to be done for the same?
Can help regarding this would be appreciated.

Thank you.

Comment on Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. Select or Download Code

Replies are listed 'Best First'.
Re: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by hippo (Archbishop) on Oct 20, 2021 at 09:51 UTC
Assuming that they are all trying to connect to the same server, the first thing to look at is bringing the old versions of Mozilla::CA up to date. That might be all you need and is an easy fix if so. 🦛	[reply]
Re^2: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by Anonymous Monk on Oct 20, 2021 at 10:40 UTC
Hi, Thank you for the revert. I have installed a recent version of MOZILLA:CA (20211001), but still, it seems not working and gives the same error. Note that I also installed the latest version of Net::SSLeay which didn't help either. While installing the latest version of IO::Socket I am getting a below error even with the force option. `C:\Strawberry\c\bin\gmake.exe install UNINST=1 -- OK Stopping: 'install' failed for 'IO::Socket'. Failed during this command: TODDR/IO-1.48.tar.gz : make_test NO but failu +re ignored because 'force' in effect` [download] Thank you.	[reply] [d/l]
Re^3: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by syphilis (Archbishop) on Oct 20, 2021 at 11:24 UTC
C:\Strawberry\c\bin\gmake.exe ... That suggests that perl-5.24 and perl-5.26 are both Strawberry Perl. But what is perl-5.34 ? AFAIK it can't be Strawberry Perl because no Strawberry Perl 5.34 has yet been released. Could it be that the difference in behaviour arises because, unlike 5.24 and 5.26, 5.34 is running on a different operating system ? What is the output of `perl -V:archname` for each of the three perls ? Cheers, Rob	[reply] [d/l]
Re^4: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by Anonymous Monk on Oct 20, 2021 at 14:41 UTC
Re^5: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by Anonymous Monk on Oct 20, 2021 at 14:47 UTC
Some notes below your chosen depth have not been shown here
Re^3: Perl Net::LDAPS issue with Perl version 5.24 and 5.26, works with Perl version 5.34. by ikegami (Patriarch) on Oct 22, 2021 at 13:58 UTC
Wait, are you saying you used force for other modules? If you install modules that result in errors, you shouldn't be surprised when things don't work.	[reply]