The Joys of Implementing Secure Protocols

  • 23 July 2009

I get a lot of spam. I also have a lot of measures to defend against it. One method consists of a feedback loop that trains the spam filter with nice and nasty emails (often called ham and spam). Said method is implemented by means of two tiny Perl scripts. Basically the scripts do some mailbox inspection and shove all collected emails destined for training into two IMAP boxes. So far, so good. The problem is that the scripts stopped working, because I enforced the Secure Socket Layer (SSL) protocol at the IMAP server while doing an upgrade a few weeks ago. Encryption is always good in times like these, right? Well, yes, but the Perl scripts didn’t know how to use SSL. Let’s dive into the little hack and look for the problem.

I use the module Mail::IMAPClient for the IMAP stuff. Its documentation says that everyone wishing for SSL should use their own sockets and supply them to the IMAP object. In non-SSL mode the object likes to have the address of the IMAP server, an username and a password when being created. If SSL is used, then you can create the object and tell it about the SSL socket later. So that’s what I tried. While coding I also implemented the parameters for the key, its certificate and the certificate of the Certificate Authority. Using encryption without checking identities is pointless. It’s just a few lines anyway. There, done. Testing. Drumroll…and…it…doesn’t…work!

Ok, no problem. Let’s peek into the client/server conversation by using the tool ssldump. I have the key, so I can decrypt the data stream. The dump basically says that there is no connection. Ok, I used the option RawSocket instead of Socket; my fault. Corrected. Testing. No connection. Ok, I used the wrong selection of ciphers; my fault. Corrected. Testing. The layer 3 works, SSL works, but IMAP doesn’t. Mail::IMAPClient complains about an uninitialised variable called $server in its module. But that’s correct, I supplied the socket handle instead. Checking, testing. Doesn’t work. Ok, well, maybe I put back the server’s address into the object creation call. I have a socket, the module says it only needs the socket, so why not supply the server’s address a second time. It’s good to have a backup. Testing again – and it works!

Either I am getting old, it’s still too hot or some documentations aren’t meant to be parsed by human brains. Don’t get me wrong, Mail::IMAPClient does the job and I like it, but I could have done fine without this experience.

Let’s deploy the well-tested code on the production systems. Famous last words.

Sorry, the comment form is now closed.