
Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

by rich101v2 (Initiate)
on Feb 11, 2014 at 11:57 UTC ( #1074400=perlquestion )
rich101v2 has asked for the wisdom of the Perl Monks concerning the following question:

I have the usual headache when trying to send an email from Perl which requires TLS. I'm running Strawberry Perl on a Windows 7 machine, and I'm running code that works on other Windows PCs (in the past), so it is basically a configuration issue rather than basic coding, but it is an issue I see happening to other guys quite a bit. I recall in the past I always had problems getting this to run on those PCs also. The code is basically:

$email = new Net::SMTP::TLS($account_smtp,Hello=>$account_smtp, Port=>25,User=>$account_user,Password=>$account_pass);

So the accounts and passwords are correct, as that works on another machine in the company. The initial error I got was: invalid SSL_version specified at C:/strawberry/perl/vendor/lib/IO/Socket/SSL.pm line 418

But I applied the following workaround to C:\strawberry\perl\vendor\lib\Crypt\SSLeay\SSL.pm line 1602:

# old code
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))$}i
# new code
m{^(!?)(?:(SSL(?:v2|v3|v23|v2/3))|(TLSv1[12]?))}i

That now seems to work, but I get the following error further down the line: Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I also tried updating Crypt::SSLeay in case it was old:

cpan> install Crypt::SSLeay
Fetching with LWP: http://cpan.strawberryperl.com/authors/01mailrc.txt.gz
Fetching with LWP: http://cpan.strawberryperl.com/modules/02packages.details.txt.gz
Fetching with LWP: http://cpan.strawberryperl.com/modules/03modlist.data.gz
Database was generated on Thu, 19 Dec 2013 14:05:27 GMT
Updating database file ...
Done!
Crypt::SSLeay is up to date (0.64).

But that made no difference. Has anyone got any ideas?

Re: Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed ( Net::SMTP::TLS )
by Anonymous Monk on Feb 11, 2014 at 13:16 UTC
Re: Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
by sundialsvc4 (Abbot) on Feb 11, 2014 at 13:23 UTC

    I did a search on "14090086" at my personal-favorite search engine, DuckDuckGo, and found a number of hits that I did not examine too closely. But one thread here at LinuxQuestions.org did seem to get fairly close to the point and to a course of action for diagnosing it.

    First of all, there is a more detailed error-message, which is like yours:
    Peer certificate cannot be authenticated with known CA certificates: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    Then, it was suggested to “Try to get verbose information from openssl s_client -host host -port port.” A number of other related suggestions followed, along with the expected small amount of snarking about this-or-that, but it is clear that this thread was on to the essential problem right away. In the final post of that thread (#15), their user says that he solved his problem, and gives a fair number of details as to how he did it. HTH.

Re: Couldn't start TLS: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
by noxxi (Acolyte) on Feb 12, 2014 at 21:56 UTC

    Patching Crypt::SSLeay should not help, because Net::SMTP::TLS uses IO::Socket::SSL, which uses Net::SSLeay and not Crypt::SSLeay. But contrary to your description, your change applies to IO::Socket::SSL and not Crypt::SSLeay, so it works a bit even if the general approach is wrong. The real problem is that Net::SMTP::TLS uses SSL_version in a wrong and never-documented way and thus broke once the version check was made stricter (and the intended version string never did what the author tried to do). The problem you ran into has been known for several years (rt#77400), but the package has not been changed since 2006, so it will probably never be fixed.

    I would recommend that you just use Net::SSLGlue::SMTP, which patches the core module Net::SMTP to provide TLS support. You'll probably need to specify an SSL_ca_file or SSL_ca_path to say where your CAs are, or, if you don't care at all about security, you could set SSL_verify_mode to 0 (but in this case you should ask yourself why you use TLS at all).
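
The recommendation in the reply above, written out as an added example (not code posted by anyone in this thread): Net::SMTP upgraded with STARTTLS through Net::SSLGlue::SMTP, with verification left on and an explicit CA bundle. The host name, HELO name, CA file path and the SMTP_* environment variables are placeholders chosen for illustration, and the script needs a reachable SMTP server to do anything.

```perl
use strict;
use warnings;
use Net::SSLGlue::SMTP;    # adds starttls() to the core Net::SMTP class
use IO::Socket::SSL qw(SSL_VERIFY_PEER $SSL_ERROR);

# Placeholders (assumptions): replace with your server, CA bundle and account.
my $host    = $ENV{SMTP_HOST}    // 'smtp.example.com';
my $port    = $ENV{SMTP_PORT}    // 25;
my $helo    = $ENV{SMTP_HELO}    // 'client.example.com';
my $ca_file = $ENV{SMTP_CA_FILE} // 'C:/certs/ca-bundle.pem';  # PEM file with trusted CAs
my ($user, $pass) = @ENV{qw(SMTP_USER SMTP_PASS)};

# A missing or unreadable CA store is a common reason for
# "certificate verify failed", so check it before connecting.
-r $ca_file or die "CA bundle not readable: $ca_file\n";

my $smtp = Net::SMTP->new($host, Port => $port, Hello => $helo, Timeout => 30)
    or die "connect to $host:$port failed: $@\n";

# Refuse to continue in clear text if the server does not offer STARTTLS.
defined $smtp->supports('STARTTLS')
    or die "$host does not advertise STARTTLS\n";

# Verification is on: the chain must end at a CA in $ca_file and the
# certificate must match $host. SSL_verify_mode => 0 at this point would
# hide the error by accepting any certificate.
$smtp->starttls(
    SSL_ca_file         => $ca_file,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_verifycn_scheme => 'smtp',
    SSL_verifycn_name   => $host,
) or die "STARTTLS failed: $SSL_ERROR\n";

# Repeat EHLO inside the TLS session before authenticating.
$smtp->hello($helo);
printf "TLS up, peer certificate subject: %s\n",
    $smtp->peer_certificate('subject');

# AUTH is only sent after the certificate has been verified.
if (defined $user) {
    $smtp->auth($user, $pass) or die "AUTH failed: ", $smtp->message;
}
$smtp->quit;
```

If the server's certificate is issued by an internal CA, point the CA file at a PEM bundle that contains that CA's certificate; SSL_ca_path can be used instead when the CAs are kept as a hashed directory.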
