Net::LDAPS 在 SSL 连接期间抛出未知错误
Net::LDAPS throws unknown error during SSL connect
我正在尝试使用 Net::LDAPS 模块连接到 LDAP 服务器。我将正确的用户名、密码和 capath 传递给它。具有相同版本中所有模块的相同代码在我的另一台机器上工作。但是在这台特定的机器上我看到了这个错误。
我正在使用的示例代码:
my $ad_host = 'XYZ';
my $ad_port = 636;
my $ad_user = 'ABC';
my $ad_pass = '****';
my $ca_path = '<path to ca cert>';
my $ldap = Net::LDAPS->new(
$ad_host,
port => $ad_port,
verify => 'require',
capath => $ca_path
);
这是 LDAPS 模块中的已知错误吗?还是我错过了一些明显的东西。
调试日志:
DEBUG: .../IO/Socket/SSL.pm:179: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1427: new ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:309: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:311: socket connected
DEBUG: .../IO/Socket/SSL.pm:324: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:354: set socket to non-blocking to enforce timeout=120
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1175: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:373: fatal SSL error: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1462: free ctx 21295632 open=21295632
DEBUG: .../IO/Socket/SSL.pm:1465: OK free ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:1175: IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)
我正在使用的模块版本:
...:~/test_perl$ perlmodver Net::LDAPS
0.05
...:~/test_perl$ perlmodver Net::LDAP
0.39
...:~/test_perl$ perlmodver IO::Socket::SSL
1.18
如果您查看错误,您会发现证书验证失败。
SSL connect attempt failed with unknown error..error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
您可以通过
更正证书或忽略证书验证
verify => 'none'
在旁注中,如果将 ldaps:// 作为前缀传递给 $ad_host,也可以使用 Net::LDAP。
$ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
verify => 'require',
capath => $ca_path);
哎呀才注意到你说的
The same code with all the modules in the same version works on one of
my other machines. But on this particular machine I see this error.
那么这看起来像是配置问题。您可以使用 ldapsearch 连接到您的服务器吗?
此问题已解决。
有两种方法可以解决这个问题:
绕过验证(不推荐)
如果您像我的代码中那样使用 "verify" 属性,则只需将其注释掉即可。它将绕过证书验证。
向证书添加软link
也许这是 trusty 特有的行为,因为在 lucid 上它运行良好。因此,您需要为所有 pem 文件创建一个软 link 并将其放置在 CA 路径中。您可以通过 运行
ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0
我正在尝试使用 Net::LDAPS 模块连接到 LDAP 服务器。我将正确的用户名、密码和 capath 传递给它。具有相同版本中所有模块的相同代码在我的另一台机器上工作。但是在这台特定的机器上我看到了这个错误。
我正在使用的示例代码:
my $ad_host = 'XYZ';
my $ad_port = 636;
my $ad_user = 'ABC';
my $ad_pass = '****';
my $ca_path = '<path to ca cert>';
my $ldap = Net::LDAPS->new(
$ad_host,
port => $ad_port,
verify => 'require',
capath => $ca_path
);
这是 LDAPS 模块中的已知错误吗?还是我错过了一些明显的东西。
调试日志:
DEBUG: .../IO/Socket/SSL.pm:179: set domain to 2
DEBUG: .../IO/Socket/SSL.pm:1427: new ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:309: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:311: socket connected
DEBUG: .../IO/Socket/SSL.pm:324: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:354: set socket to non-blocking to enforce timeout=120
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:377: ssl handshake in progress
DEBUG: .../IO/Socket/SSL.pm:387: waiting for fd to become ready: SSL wants a read first
DEBUG: .../IO/Socket/SSL.pm:407: socket ready, retrying connect
DEBUG: .../IO/Socket/SSL.pm:367: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1175: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:373: fatal SSL error: SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1462: free ctx 21295632 open=21295632
DEBUG: .../IO/Socket/SSL.pm:1465: OK free ctx 21295632
DEBUG: .../IO/Socket/SSL.pm:1175: IO::Socket::INET6 configuration failederror:00000000:lib(0):func(0):reason(0)
我正在使用的模块版本:
...:~/test_perl$ perlmodver Net::LDAPS 0.05
...:~/test_perl$ perlmodver Net::LDAP 0.39
...:~/test_perl$ perlmodver IO::Socket::SSL 1.18
如果您查看错误,您会发现证书验证失败。
SSL connect attempt failed with unknown error..error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
您可以通过
更正证书或忽略证书验证verify => 'none'
在旁注中,如果将 ldaps:// 作为前缀传递给 $ad_host,也可以使用 Net::LDAP。
$ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
verify => 'require',
capath => $ca_path);
哎呀才注意到你说的
The same code with all the modules in the same version works on one of my other machines. But on this particular machine I see this error.
那么这看起来像是配置问题。您可以使用 ldapsearch 连接到您的服务器吗?
此问题已解决。
有两种方法可以解决这个问题:
绕过验证(不推荐)
如果您像我的代码中那样使用 "verify" 属性,则只需将其注释掉即可。它将绕过证书验证。
向证书添加软link
也许这是 trusty 特有的行为,因为在 lucid 上它运行良好。因此,您需要为所有 pem 文件创建一个软 link 并将其放置在 CA 路径中。您可以通过 运行
ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0