noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

CERT_asHash() returns certificate validity date out by local UTC offset #103

Closed miiichael closed 3 years ago

miiichael commented 3 years ago

test.pl:

use IO::Socket::SSL;
use IO::Socket::SSL::Utils;   # provides CERT_asHash()

my $sock;
# open a TLS connection and take the leaf certificate from the peer chain
die unless ($sock=IO::Socket::SSL->new(PeerAddr => 'github.com', PeerPort => 443,));
my $h = CERT_asHash(($sock->peer_certificates())[0]);
# not_after is epoch seconds; gmtime renders them in UTC for comparison with openssl
my $t=scalar gmtime $h->{not_after};
print ("$h->{subject}{commonName} expires $t UTC (\@$h->{not_after})\n");

Output of perl test.pl:

github.com expires Wed Mar 30 15:59:59 2022 UTC (@1648655999)

Output of openssl s_client -connect github.com:443 2>&1 </dev/null |openssl x509 -noout -text|grep After:

            Not After : Mar 30 23:59:59 2022 GMT
miiichael commented 3 years ago
michael@joyola:~/dl$ perl test.pl
github.com expires Wed Mar 30 15:59:59 2022 UTC (@1648655999)
michael@joyola:~/dl$ TZ=UTC perl test.pl
github.com expires Wed Mar 30 23:59:59 2022 UTC (@1648684799)
michael@joyola:~/dl$ TZ=AWST perl test.pl
github.com expires Wed Mar 30 23:59:59 2022 UTC (@1648684799)
michael@joyola:~/dl$ TZ=anything perl test.pl
github.com expires Wed Mar 30 23:59:59 2022 UTC (@1648684799)
michael@joyola:~/dl$ echo $TZ

michael@joyola:~/dl$

🤔

noxxi commented 3 years ago

I cannot reproduce your problem. What version of Perl and Net::SSLeay are you using?

miiichael commented 3 years ago

Even with $TZ unset (and not just set to an empty value)?

michael@joyola:~/dl$ perl test.pl
github.com expires Wed Mar 30 15:59:59 2022 UTC (@1648655999)
michael@joyola:~/dl$ TZ= perl test.pl
github.com expires Wed Mar 30 23:59:59 2022 UTC (@1648684799)
michael@joyola:~/dl$ dpkg -l perl libnet-ssleay-perl libio-socket-ssl-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version      Architecture Description
+++-=====================-============-============-=================================================================
ii  libio-socket-ssl-perl 2.069-1      all          Perl module implementing object oriented interface to SSL sockets
ii  libnet-ssleay-perl    1.88-3+b1    amd64        Perl module for Secure Sockets Layer (SSL)
ii  perl                  5.32.1-3     amd64        Larry Wall's Practical Extraction and Report Language

I originally saw this on another machine (but am reporting from a machine with newer versions of most things).

michael@cnspc18:~/dev$ perl test.pl
github.com expires Wed Mar 30 15:59:59 2022 UTC (@1648655999)
michael@cnspc18:~/dev$ TZ= perl test.pl
github.com expires Wed Mar 30 23:59:59 2022 UTC (@1648684799)
michael@cnspc18:~/dev$ dpkg -l perl libnet-ssleay-perl libio-socket-ssl-perl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                  Version          Architecture Description
+++-=====================-================-============-=================================================================
ii  libio-socket-ssl-perl 2.060-3          all          Perl module implementing object oriented interface to SSL sockets
ii  libnet-ssleay-perl    1.85-2+b1        amd64        Perl module for Secure Sockets Layer (SSL)
ii  perl                  5.28.1-6+deb10u1 amd64        Larry Wall's Practical Extraction and Report Language
miiichael commented 3 years ago

Okay, I now think this is a Net::SSLeay bug, specifically somewhere inside ASN1_TIME_timet().

*writes test case, prepares to write bug report*

Oh, someone already beat me to it...nearly two years ago: radiator-software/p5-net-ssleay#148.

miiichael commented 3 years ago

Oh, one of the comments in the linked ticket suggests switching from ASN1_TIME_timet() to ASN1_TIME_timet_gm(). Is this feasible?

noxxi commented 3 years ago

> Oh, one of the comments in the linked ticket suggests switching from ASN1_TIME_timet() to ASN1_TIME_timet_gm(). Is this feasible?

This comment is about creating such a function so that the user can use it. There is no such function yet. Creating it will face the same problems as fixing ASN1_TIME_timet: there is no standardized function which can be used for this, i.e. libc does not have one (only some libc implementations do), and not all relevant OpenSSL and LibreSSL versions have it :(
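As an added illustration, not code from the reporter or from IO::Socket::SSL/Net::SSLeay: a stand-alone Perl conversion of an ASN.1 time string to a UTC epoch using only the core Time::Local module, with the local-time variant beside it to show where the offset in this issue comes from. The input string is constructed from the certificate's notAfter shown above.

```perl
use strict;
use warnings;
use Time::Local qw(timegm timelocal);

# Split "YYMMDDhhmmssZ" (UTCTime) or "YYYYMMDDhhmmssZ" (GeneralizedTime)
# into (year, month, day, hour, min, sec). Returns an empty list otherwise.
sub asn1_time_fields {
    my ($s) = @_;
    if ($s =~ /^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/) {
        # RFC 5280 4.1.2.5.1: UTCTime years 50..99 are 19xx, 00..49 are 20xx
        my $year = $1 + ($1 >= 50 ? 1900 : 2000);
        return ($year, $2, $3, $4, $5, $6);
    }
    if ($s =~ /^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$/) {
        return ($1, $2, $3, $4, $5, $6);
    }
    return;
}

# Correct conversion: the fields are UTC, so use timegm (month is 0-based).
sub asn1_time_to_epoch_utc {
    my @f = asn1_time_fields($_[0]) or return;
    return timegm($f[5], $f[4], $f[3], $f[2], $f[1] - 1, $f[0]);
}

# Buggy conversion: the same fields fed to timelocal are treated as local
# time, so the result is shifted by the process's UTC offset. This is the
# behaviour the issue observes (15:59:59 instead of 23:59:59 in a zone
# 8 hours ahead of UTC).
sub asn1_time_to_epoch_local {
    my @f = asn1_time_fields($_[0]) or return;
    return timelocal($f[5], $f[4], $f[3], $f[2], $f[1] - 1, $f[0]);
}

# Constructed input: the notAfter "Mar 30 23:59:59 2022 GMT" from the issue
# is encoded on the wire as UTCTime "220330235959Z".
my $not_after = '220330235959Z';
my $utc   = asn1_time_to_epoch_utc($not_after);     # 1648684799 regardless of TZ
my $local = asn1_time_to_epoch_local($not_after);   # depends on TZ
printf "timegm:    %d  %s UTC\n", $utc, scalar gmtime $utc;
printf "timelocal: %d  %s UTC  (skew %+d s)\n",
    $local, scalar gmtime $local, $local - $utc;
```

With TZ=UTC both lines agree; in a zone 8 hours ahead of UTC the timelocal line is 28800 s earlier, which is exactly the difference between @1648655999 and @1648684799 in the first report.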

noxxi commented 3 years ago

This will be fixed once https://github.com/radiator-software/p5-net-ssleay/issues/148 is fixed. A proposed fix is available in https://github.com/radiator-software/p5-net-ssleay/pull/284