PerlMonks  

SSL connect attempt failed

by Anonymous Monk
on Aug 12, 2020 at 16:49 UTC [id://11120655]

Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks!

Is there a way to pass a new SSH server host key since it was changed on the host server, or to update this key from a Perl script using Net::FTPSSL?
When my Perl script runs it gives this error message:

"Can't open xxx.xxx.xxx.xxx: SSL connect attempt failed"

Posting a test code here which gives the same error. If I use Filezilla, it detects that the server key was changed, asks to accept the new key and connects, but from the Perl script it doesn't. I guess I have to send a flag or the key itself in the code; that's where my problem is. Any suggestions?

Test Code:
    #!/usr/bin/perl
    use strict;
    use warnings;
    use Net::FTPSSL;

    open (STDERR, '>', 'logfile.txt')   # Redirects STDERR to this file.
        or die "Cannot redirect STDERR: $!";

    my %connectionHash = (
        Port              => 21,
        Encryption        => 'E',
        Debug             => 1,
        OverridePASV      => 'xxx.xxx.xxx.xxx',
        Croak             => 0,
        PreserveTimestamp => 0,
    );

    my %sslHash = (
        #SSL_cert_file => '',
        #SSL_reuse_ctx => '',
        SSL_key_file  => 'MD5:9f:...f9',
        #SSL_ca_file   => '',
        #SSL_use_cert  => 1,
    );
    $connectionHash{SSL_Client_Certificate} = \%sslHash;

    # With Croak => 0, new() returns undef on failure instead of dying,
    # so check it before calling methods on it ($Net::FTPSSL::ERRSTR
    # holds the reason when croaking is off).
    my $ftps = Net::FTPSSL->new( 'xxx.xxx.xxx.xxx:', %connectionHash )
        or die "Can't open xxx.xxx.xxx.xxx: ", ($Net::FTPSSL::ERRSTR // 'unknown error'), "\n";

    $ftps->login('user', 'pass')
        or warn "Could not login to xxx.xxx.xxx.xxx: ", $ftps->message;
    $ftps->nlst();
    $ftps->quit();

Thanks for looking!

Re: SSL connect attempt failed
by hippo (Bishop) on Aug 12, 2020 at 17:14 UTC

    Net::FTPSSL as the name suggests uses FTP over SSL (or TLS) sometimes referred to as FTPS. This is entirely different from and unrelated to SSH so any change in the SSH key will have no effect. If something else on the server has changed then that might go some way to explaining it.

    Without more detail anything more would be guesswork. I suggest you try enabling debugging with

    use IO::Socket::SSL 'debug4';

    and see if that gets you any further towards identifying the real problem. Good luck.


    🦛

      Running with:

      use IO::Socket::SSL 'debug4';

      These are the results:

      Net-FTPSSL Version: 0.27 Perl: 5.010001 [5.10.1], OS: linux
      Server (port): xxx.xxx.xxx.xxx (21)
      Keys: (Croak), (Encription), (Trace), (Debug), (Port)
      Values: (1), (E), (1), (1), (21)
      SKT <<< 220 ProFTPD 30a Server (jls) [xxx.xxx.xxx.xxx]
      SKT >>> AUTH TLS
      SKT <<< 234 AUTH TLS successful
      DEBUG: .../IO/Socket/SSL.pm:2805: new ctx 43837622
      DEBUG: .../IO/Socket/SSL.pm:1503: start handshake
      DEBUG: .../IO/Socket/SSL.pm:684: ssl handshake not started
      DEBUG: .../IO/Socket/SSL.pm:720: not using SNI because hostname is unknown
      DEBUG: .../IO/Socket/SSL.pm:773: set socket to non-blocking to enforce timeout=120
      DEBUG: .../IO/Socket/SSL.pm:786: call Net::SSLeay::connect
      DEBUG: .../IO/Socket/SSL.pm:789: done Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:799: ssl handshake in progress
      DEBUG: .../IO/Socket/SSL.pm:809: waiting for fd to become ready: SSL wants a read first
      DEBUG: .../IO/Socket/SSL.pm:829: socket ready, retrying connect
      DEBUG: .../IO/Socket/SSL.pm:786: call Net::SSLeay::connect
      DEBUG: .../IO/Socket/SSL.pm:789: done Net::SSLeay::connect -> -1
      DEBUG: .../IO/Socket/SSL.pm:792: local error: SSL connect attempt failed
      DEBUG: .../IO/Socket/SSL.pm:795: fatal SSL error: SSL connect attempt failed
      DEBUG: .../IO/Socket/SSL.pm:1920: downgrading SSL only, not closing socket
      DEBUG: .../IO/Socket/SSL.pm:2827: free ctx 43837616 open=43837622
      DEBUG: .../IO/Socket/SSL.pm:2838: OK free ctx 43837622
      TLSv1: SSL connect attempt failed

      Any suggestions?
      Thanks!

        Your stated versions of Perl (5.10) and Net::FTPSSL (0.27) are very old. It's therefore likely that your versions of IO::Socket::SSL and Net::SSLeay (and probably openssl) are very old too. You might consider upgrading, or at least running the code on a much newer system. It's possible that the TLS versions permitted on the server are newer than your very old client will support.


        🦛

Re: SSL connect attempt failed
by jcb (Parson) on Aug 13, 2020 at 01:15 UTC

    As a wild guess, I will speculate that you are declaring a certificate hash as SSL_key_file on line 22. If so, and the server's certificate has changed, you will need to update that choice of pinned certificate — after confirming with your provider that the certificate actually has changed instead of you observing a MITM attack.

    Also, as another monk mentioned, you seem to be using very old modules — your provider may have discontinued support for SSL and TLS prior to 1.2; if your copies of the relevant libraries are too old to support TLS 1.2, you would not be able to connect.

      Is it possible to run Net::FTPSSL from the command line? I notice this line in the logs "not using SNI because hostname is unknown".

        On line 30, you blanked out an IP address. Because you are connecting to the server using an IP address, Server Name Indication (where the hostname is sent in cleartext as part of the initial TLS negotiation to allow a server handling multiple sites to choose which certificate to present) is not usable. If FileZilla connects successfully given the same IP address, SNI (or lack thereof) is not causing your problem.
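Pulling together hippo's suggestion to watch the handshake and jcb's point about a pinned certificate fingerprint, here is a small Perl diagnostic added to this thread as an example; it is not code from the original post or from Net::FTPSSL. It performs the same AUTH TLS upgrade on the FTP control connection, prints the local library versions, the negotiated TLS version and the server certificate's SHA-256 fingerprint, and, if a fingerprint obtained out of band from the provider is filled in, pins it with IO::Socket::SSL's SSL_fingerprint option instead of misusing SSL_key_file. $host, $port and $pinned are placeholders.

```perl
#!/usr/bin/perl
# Added example for this thread, not code from the original post or from
# Net::FTPSSL. $host, $port and $pinned below are placeholders to fill in.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;   # swap for: use IO::Socket::SSL 'debug4'; to get the full handshake trace
use Net::SSLeay;

my $host   = 'ftps.example.com';   # placeholder; an IPv4 literal works too (see SNI note below)
my $port   = 21;
my $pinned = undef;                # placeholder, e.g. 'sha256$<hex>' recorded out of band from the provider

# Library versions first: an old stack may simply not offer the TLS
# version the server now requires, which is the point hippo raises.
printf "IO::Socket::SSL %s, Net::SSLeay %s, %s\n",
    $IO::Socket::SSL::VERSION, $Net::SSLeay::VERSION, Net::SSLeay::SSLeay_version(0);

# Read one FTP reply, including multi-line replies ("220-..." up to "220 ...").
sub ftp_reply {
    my ($fh) = @_;
    my $text = '';
    while (defined(my $line = <$fh>)) {
        $text .= $line;
        last if $line =~ /^\d{3} /;
    }
    die "connection closed by server\n" if $text eq '';
    return $text;
}

my $sock = IO::Socket::INET->new(
    PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 30,
) or die "TCP connect to $host:$port failed: $@\n";
$sock->autoflush(1);

my $banner = ftp_reply($sock);
die "unexpected greeting:\n$banner" unless $banner =~ /^220/;

# Explicit FTPS: the AUTH TLS upgrade Net::FTPSSL sends for Encryption => 'E'.
print $sock "AUTH TLS\r\n";
my $auth = ftp_reply($sock);
die "server refused AUTH TLS:\n$auth" unless $auth =~ /^234/;

my %tls = (
    SSL_verify_mode => SSL_VERIFY_PEER,
    # SSL_hostname turns on SNI and hostname checking; both need a DNS name.
    # With an IPv4 literal they are skipped, which is what the trace's
    # "not using SNI because hostname is unknown" line reports.
    ($host =~ /^\d+(?:\.\d+){3}$/ ? () : (SSL_hostname => $host)),
    # Pinning: with SSL_fingerprint set, IO::Socket::SSL accepts the server
    # only if its certificate fingerprint matches, independent of the CA chain.
    (defined $pinned ? (SSL_fingerprint => $pinned) : ()),
);

IO::Socket::SSL->start_SSL($sock, %tls)
    or die "TLS handshake failed: $SSL_ERROR\n";

printf "negotiated %s, cipher %s\n", $sock->get_sslversion, $sock->get_cipher;
printf "server certificate subject: %s\n", $sock->peer_certificate('subject');
printf "server certificate issuer:  %s\n", $sock->peer_certificate('issuer');
printf "server certificate fingerprint: %s\n", $sock->get_fingerprint('sha256');

print $sock "QUIT\r\n";
print ftp_reply($sock);
```

When the handshake fails, $SSL_ERROR carries the same text the debug4 trace shows, so the version line printed first tells you whether an outdated local stack is the likely cause. Run once with $pinned unset to record the fingerprint the provider confirms as current, then set it: a later mismatch after a confirmed rotation is the benign case jcb describes, while a mismatch with no such confirmation is the one to treat as suspicious rather than to accept.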

Re: SSL connect attempt failed
by Anonymous Monk on Aug 13, 2020 at 22:01 UTC
    So far as I am aware, it is not possible for the participants in an SSL/TLS exchange to affect the certificates that control that exchange. ("For, I think, very obvious reasons.") If the keys have changed, you must update them "out-of-band."
