Hostname verification failed #30

Open
Lerato6221 opened this issue May 2, 2023 · 6 comments

@Lerato6221

Hi, I am struggling with this. I get the following error:

Use of uninitialized value $2 in concatenation (.) or string at /usr/share/perl5/IO/Socket/SSL.pm line 792.
May 02 11:51:03 kali sendemail[50331]: ERROR => TLS setup failed: hostname verification failed

Please assist.

@derryb-ke

Any solution to this, please?

@Danie10

Danie10 commented May 20, 2023

I've started seeing the identical error on my Manjaro Linux with sendEmail.

@StomproLARL2023

StomproLARL2023 commented Jul 5, 2023

It seems like sendemail needs a method of disabling TLS certificate validation, so it can be used to send to hosts without valid TLS certs, as in self-generated certificates.

For example, out of the box Debian 12 Bookworm with sendemail and exim4 cannot be used without using the -o tls=no option.

Exim > 4.93~RC1-4 defaults to having TLS on with a self-signed cert. So the STARTTLS will be advertised, but the cert is self-signed.

exim4 (4.93~RC1-4) unstable; urgency=low

  * Add libnet-ssleay-perl dependency to "basic" autopkg test. We do not need
    it yet but will forget for sure to add it when we do.
  * Following upstream defaults do not disable incoming TLS by default - i.e.
    if MAIN_TLS_ENABLE is not set - but use a self-signed certificate.
    (Relevant upstream changes: tls_advertise_hosts defaults to * for TLS
    builds since 4.87_JH/18, on-demand generation of self-signed certificate
    for inbound SMTP since 4.88_JH/05, 4.93_JH/23 TLS enabled build by
    default.)

Line 792 of /usr/share/perl5/IO/Socket/SSL.pm (libio-socket-ssl-perl 2.081-2) seems to be a regex looking for a hostname or IP.


    786         if ( $ctx->{verify_name_ref} ) {
    787             # need target name for update
    788             my $host = $arg_hash->{SSL_verifycn_name}
    789                 || $arg_hash->{SSL_hostname};
    790             if ( ! defined $host ) {
    791                 if ( $host = $arg_hash->{PeerAddr} || $arg_hash->{PeerHost} ) {
    792                     $host =~s{^
    793                         (?:
    794                             ([^:\[]+) |    # ipv4|host
    795                             (\[(.*)\])     # [ipv6|host]
    796                         )
    797                         (:[\w\-]+)?        # optional :port
    798                     $}{$1$2}x;             # ipv4|host|ipv6
    799                 }
    800             }
    801             ${$ctx->{verify_name_ref}} = $host;


One way that seems to work to get around this is to tell IO::Socket::SSL to not try to verify the certificate by setting SSL_verify_mode => 0:

        ## Start TLS if possible
        if ($conf{'tls_server'} == 1 and $conf{'tls_client'} == 1 and $opt{'tls'} =~ /^(yes|auto)$/) {
            printmsg("DEBUG => Starting TLS", 2);
            if (SMTPchat('STARTTLS')) { quit($conf{'error'}, 1); }
            if (! IO::Socket::SSL->start_SSL($SERVER, SSL_version => 'SSLv23:!SSLv2', SSL_verify_mode => 0 )) {
                            #SSL_cert_file => '/etc/ssl/certs/ca-certificates.crt' )) {
                quit("ERROR => TLS setup failed: " . IO::Socket::SSL::errstr(), 1);
            }

The docs say to use SSL_VERIFY_NONE instead of 0, but the use of use strict; seems to prevent that from working.
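
Added example, not part of the comment above and not sendEmail's own code: an alternative to `SSL_verify_mode => 0` for a server with a self-signed certificate is to keep verification on, trust that one certificate explicitly, and pass the expected name as `SSL_verifycn_name`, the first value the quoted IO::Socket::SSL code looks for. It assumes the server certificate has been exported to a PEM file and names the host being contacted; the command-line arguments and `client.example` are constructed for the example.

```perl
#!/usr/bin/perl
# STARTTLS with certificate and hostname verification kept on,
# trusting one self-signed server certificate explicitly.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;   # loaded at compile time, so SSL_VERIFY_PEER is a known constant

# Assumed arguments: server name, port, PEM file holding the server's certificate.
my ($host, $port, $ca_file) = @ARGV;
die "usage: $0 host port server-cert.pem\n" unless defined $ca_file;

my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => 'tcp')
    or die "connect failed: $!\n";

# Read one SMTP reply, including multi-line "250-..." continuation lines.
sub smtp_reply {
    my ($s) = @_;
    my $reply = '';
    while (defined(my $line = <$s>)) {
        $reply .= $line;
        last if $line =~ /^\d{3} /;   # "NNN " marks the final line of a reply
    }
    return $reply;
}

smtp_reply($sock) =~ /^220/ or die "unexpected greeting\n";
print $sock "EHLO client.example\r\n";
smtp_reply($sock) =~ /^250[ -]STARTTLS\s*$/mi
    or die "server does not advertise STARTTLS\n";
print $sock "STARTTLS\r\n";
smtp_reply($sock) =~ /^220/ or die "STARTTLS refused\n";

# Upgrade the existing socket. The name to check is given explicitly, so the
# library does not have to derive it from PeerAddr/PeerHost.
IO::Socket::SSL->start_SSL($sock,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,     # the only trust anchor accepted
    SSL_verifycn_name   => $host,
    SSL_verifycn_scheme => 'smtp',
) or die "TLS setup failed: " . IO::Socket::SSL::errstr() . "\n";

print "TLS verified, cipher: ", $sock->get_cipher(), "\n";
```

If the certificate changes or does not match the name, `start_SSL` fails and no mail or credentials are sent over the connection.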

@hubertmeier

Hi,

Since the update on Raspbian bookworm I have the same problem; the identical configuration is working under Raspbian bullseye ...

Thank you

@abhi-io

abhi-io commented Jun 12, 2024

This worked for me

  1. uninstall sendemail
  2. apt install apt-transport-https libio-socket-inet6-perl -y
  3. curl 'http://ftp.cn.debian.org/debian/pool/main/s/sendemail/sendemail_1.56-5.2~bpo12+1_all.deb' -O
  4. dpkg -i sendemail_1.56-5.2~bpo12+1_all.deb

@wrappingup

Thank you for leading me down the right path, @abhi-io. Note for anyone who wants to keep their repos aligned: 1.56-5.2 is now available from bookworm-backports. I installed this and it also fixed it. 😊
