
Net::SSLeay gets ":SSL3_GET_SERVER_CERTIFICATE:certificate verify failed" failure when accessing pop.gmail.com, as seen by so many others

I have a perl script which downloads email from pop.gmail.com:995 using the CPAN Mail::Box::POP3s package. The source code to do this is:

   my $pop = Mail::Box::POP3s->new(username => $recordsUser,
          password => $recordsPassword,
          server_name => $pop3Server);
   my($nrOfMsgs) = $pop->nrMessages;
   print "Received $nrOfMsgs\n";

On one Windows 10 system, this works perfectly. But on another it fails, with the signature:

DEBUG: .../IO/Socket/SSL.pm:1890: new ctx 76411024
DEBUG: .../IO/Socket/SSL.pm:393: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:395: socket connected
DEBUG: .../IO/Socket/SSL.pm:413: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:443: using SNI with hostname pop.gmail.com
DEBUG: .../IO/Socket/SSL.pm:479: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1359: SSL connect attempt failed with unknown error

DEBUG: .../IO/Socket/SSL.pm:485: fatal SSL error: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1924: free ctx 76411024 open=76411024
DEBUG: .../IO/Socket/SSL.pm:1932: OK free ctx 76411024
ERROR: Cannot connect to pop.gmail.com:995 for POP3: Bad file descriptor
ERROR: Cannot create POP3 client for inbox.
Can't call method "nrMessages" on an undefined value at ./emailToNotes.pl line 110.

Both systems are running Windows 10 Pro (up to date as of 2019) with Active Perl 5.16.3.

On the system that works, I have:
- IO::Socket::SSL version 1.84
- Net::SSLeay version 1.52
- Openssl version 1.02

On the system that fails, I have:
- IO::Socket::SSL version 1.962
- Net::SSLeay version 1.55
- Openssl version 1.1.1d

Looking at all the previous mentions of this error syndrome on the web, I tried:
- patching IO::Socket::SSL to set $can_client_sni to 0
- downloading the trusted CA chain from https://curl.haxx.se/ca/cacert.pem, and adding it to Net::SSLeay with the call Net::SSLeay::X509_STORE_add_crl

None of these solve the problem. The only difference in the Windows 10 of the two systems is that the working one had Windows 10 Pro installed in 2018, while the new system was just purchased 2 weeks ago. I have been trying different solutions for 2 days now, and could surely use some help from experts such as Steffen Ullrich and others. Thanks in advance.

First, notice that the software you are using is in parts quite old. The versions of IO::Socket::SSL and Net::SSLeay are 7 years old and a lot of improvements were made in these years. Interestingly though, your versions of OpenSSL seem to be much newer and you are also running Windows 10, which suggests a strange mix of recent and terribly old software.

The version 1.84 of IO::Socket::SSL which you've used on one machine does not validate certificates by default, so it will work even if something is wrong with the certificates. The version 1.962 used on the other machine insists on validating the certificate by default instead. This means that both machines could actually have the same problem related to certificates but you'll notice it only on one machine.

Unfortunately, Mail::POP3Client (which has been unsupported for 7 years) does not have any way to set which trust store gets used but relies on a properly set up trust store on the system. Such a setup is typically not the case with OpenSSL (used by Perl) on Windows, though. Newer versions of IO::Socket::SSL will automatically pick up the trust store Mozilla::CA if it is installed, but not the old versions you are using.

I suggest that you move away from this old software stack. Use newer versions of IO::Socket::SSL and Net::SSLeay and also install Mozilla::CA as trust store. I also recommend using Net::POP3 instead of Mail::POP3Client, since the latter is long out of support and the former also gives you more control over certificate validation. I'm not sure about the ActivePerl you are using, but the free Strawberry Perl usually comes with a fairly recent software stack.
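An added example (not part of the answer above and not taken from any module's documentation) of the setup it recommends: Net::POP3 over TLS with peer verification pinned explicitly to the Mozilla::CA bundle, so the result no longer depends on whether OpenSSL finds a system trust store on Windows. The account values are placeholders and `check_stack` and `tls_options` are hypothetical helper names.

```perl
use strict;
use warnings;
use feature 'say';

use IO::Socket::SSL;    # exports SSL_VERIFY_PEER
use Net::SSLeay;
use Mozilla::CA;
use Net::POP3;

# Placeholders, not real credentials
my %cfg = (
    host => 'pop.gmail.com',
    user => 'your_account@gmail.com',
    pass => 'your_password',
);

# Report the TLS stack in use; a mix of old Perl modules and a new
# OpenSSL is what separates the two machines in the question.
sub check_stack {
    say "IO::Socket::SSL $IO::Socket::SSL::VERSION";
    say "Net::SSLeay     $Net::SSLeay::VERSION";
    say "OpenSSL         ", Net::SSLeay::SSLeay_version(0);
}

# Options that Net::POP3 hands through to IO::Socket::SSL.
sub tls_options {
    my $ca = Mozilla::CA::SSL_ca_file();
    -r $ca or die "CA bundle not readable: $ca\n";
    return (
        SSL             => 1,
        Port            => 995,
        Timeout         => 60,
        SSL_verify_mode => SSL_VERIFY_PEER,   # never SSL_VERIFY_NONE
        SSL_ca_file     => $ca,               # explicit trust store
    );
}

check_stack();

# new() returns undef on failure; the TLS reason is in $SSL_ERROR
my $pop = Net::POP3->new($cfg{host}, tls_options())
    or die "Connect to $cfg{host} failed: $@ ($IO::Socket::SSL::SSL_ERROR)\n";

# login() returns undef on failure and "0E0" for an empty mailbox
my $count = $pop->login($cfg{user}, $cfg{pass});
defined $count or die "Login failed: " . $pop->message;

say 'Messages: ', $count + 0;
$pop->quit;
```

If this still ends in "certificate verify failed", the chain presented to the client does not lead to a root in the bundle, which points at something on the network path (for example a TLS-inspecting proxy or antivirus) rather than at the Perl modules.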

You can use either of the following:

use strict;
use warnings;
use feature 'say';

use Mail::POP3Client;

my $mail;

$mail->{user}   = 'your_account@gmail.com';
$mail->{passwd} = 'your_password';
$mail->{host}   = 'pop.gmail.com';

my $pop = new Mail::POP3Client( 
                            USER     => $mail->{user},
                            PASSWORD => $mail->{passwd},
                            HOST     => $mail->{host},
                            USESSL   => 'true',
                            DEBUG    => 0
                           );

$pop->Connect() or die $pop->Message();

say 'Messages: ' . $pop->Count();

$pop->Close();

Or

use strict;
use warnings;
use feature 'say';

use Mail::POP3Client;
use IO::Socket::SSL;

$IO::Socket::SSL::DEBUG = 0;  # Level 0..3

my($mail,$ssl);

$mail->{user}   = 'your_account@gmail.com';
$mail->{passwd} = 'your_password';

$ssl->{host}    = 'pop.gmail.com';
$ssl->{port}    = 995;
$ssl->{proto}   = 'tcp';

my $socket = IO::Socket::SSL->new( 
                        PeerAddr => $ssl->{host},
                        PeerPort => $ssl->{port},
                        Proto    => $ssl->{proto}
                    ) || die "No socket!";

my $pop = Mail::POP3Client->new();

$pop->User($mail->{user});
$pop->Pass($mail->{passwd});
$pop->Socket($socket);

$pop->Connect() or die $pop->Message();

say 'Messages: ' . $pop->Count();

$pop->Close();

Code using the Net::POP3 module:

use strict;
use warnings;
use feature 'say';

use Net::POP3;
use Data::Dumper;

my $mail;

$mail->{host}   = 'pop.gmail.com';
$mail->{userid} = 'your_account@gmail.com';
$mail->{passwd} = 'your_password';

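# new() returns undef on failure and leaves the reason in $@
my $pop = Net::POP3->new($mail->{host}, SSL => 1, Timeout => 60)
  or die "Cannot connect to $mail->{host}: $@";

# login() returns undef on failure and "0E0" (zero but true) for an empty mailbox
if (defined $pop->login($mail->{userid}, $mail->{passwd})) {
  my $msgnums = $pop->list; # hashref of msgnum => size
  say 'Messages: ' . scalar keys %$msgnums;
}

$pop->quit;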

Tested with the following modules:

cpan -D Mail::POP3Client
Loading internal logger. Log::Log4perl recommended for better logging
CPAN: CPAN::SQLite loaded ok (v0.217)
Database was generated on Thu, 02 Apr 2020 02:48:07 GMT
Mail::POP3Client
-------------------------------------------------------------------------
        CPAN: Module::CoreList loaded ok (v5.20200314)
(no description)
        S/SD/SDOWD/Mail-POP3Client-2.19.tar.gz
        C:\bin\Portable\strawberry-perl\perl\site\lib\Mail\POP3Client.pm
        Installed: 2.19
        CPAN:      2.19  up to date
        Sean Dowd (SDOWD)
        pop3client-USEMYCPANADDRESSFORHELP@dowds.net


cpan -D IO::Socket::SSL
Loading internal logger. Log::Log4perl recommended for better logging
CPAN: CPAN::SQLite loaded ok (v0.217)
Database was generated on Thu, 02 Apr 2020 02:48:07 GMT
IO::Socket::SSL
-------------------------------------------------------------------------
        (no description)
        S/SU/SULLR/IO-Socket-SSL-2.068.tar.gz
        C:\bin\Portable\strawberry-perl\perl\vendor\lib\IO\Socket\SSL.pm
        Installed: 2.067
        CPAN:      2.068  Not up to date
        Steffen Ullrich (SULLR)
        Steffen_Ullrich@genua.de


cpan -D Net::POP3
Loading internal logger. Log::Log4perl recommended for better logging
CPAN: CPAN::SQLite loaded ok (v0.217)
Database was generated on Fri, 03 Apr 2020 03:27:32 GMT
Net::POP3
-------------------------------------------------------------------------
        CPAN: Module::CoreList loaded ok (v5.20200314)
(no description)
        S/SH/SHAY/libnet-3.11.tar.gz
        C:\bin\Portable\strawberry-perl\perl\lib\Net\POP3.pm
        Installed: 3.11
        CPAN:      3.11  up to date
        Steve Hay (SHAY)
        shay@cpan.org
