[Fusioninventory-devel] Fwd: LWP and certificate checking

Gonéri Le Bouder goneri at rulezlan.org
Wed Aug 10 21:56:41 UTC 2011


2011/6/28 Gonéri Le Bouder <goneri at rulezlan.org>:
> 2011/6/28 Guillaume Rousse <guillomovitch at gmail.com>
>> On 28/06/2011 11:57, Gonéri Le Bouder wrote:
>> > 2011/6/28 Guillaume Rousse <guillomovitch at gmail.com

> This means we need to rebuild the perl tree on the =~ 60 arch we already
> have.
> This will be long, say 1 year. That's the reason why I prefer a soft
> transition.
The attached patch restores Net::SSL. The big difference is that
IO::Socket::SSL checks the hostname directly within OpenSSL whereas
Net::SSL doesn't. We have to do this ourselves, which is error-prone.
An interesting point with this patch is that the OpenSSL stuff is loaded
only when needed. This is more than 10MB of memory saved here on my system.

Guillaume, if you have no objection, I will apply it and then backport
it to the 2.1.x branch.

tosh-r630:~/fusioninventory/agent (2.2.x+netssl)$perl -Ilib ./t/components/client/ssl.t
1..14
ok 1 - trusted certificate, correct hostname: connection success (IO::Socket::SSL)
ok 2 - trusted certificate, correct hostname: connection success (Net::SSL)
ok 3 - trusted certificate, alternate hostname: connection success (IO::Socket::SSL)
ok 4 # skip Alternate hostname is broken with Net::SSL/Crypt::SSLeay
ok 5 - trusted certificate, joker: connection succes (IO::Socket::SSL)
ok 6 - trusted certificate, joker: connection success (Net::SSL)
ok 7 - trusted certificate, wrong hostname: connection failure (IO::Socket::SSL)
ok 8 - trusted certificate, wrong hostname: connection failure (Net::SSL)
ok 9 - trusted certificate, wrong hostname, no check: connection success (IO::Socket::SSL)
ok 10 - trusted certificate, wrong hostname, no check: connection success (Net::SSL)
ok 11 - untrusted certificate, correct hostname: connection failure (IO::Socket::SSL)
ok 12 - untrusted certificate, correct hostname: connection failure (Net::SSL)
ok 13 - untrusted certificate, correct hostname, no check: connection success (IO::Socket::SSL)
ok 14 - untrusted certificate, correct hostname, no check: connection success (Net::SSL)

Best regards,
-- 
     Gonéri Le Bouder
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-restore-Net-SSL-Crypt-SSL-support.patch
Type: text/x-patch
Size: 12191 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/fusioninventory-devel/attachments/20110810/76aeeae0/attachment.bin>
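
The message above notes that a client must check the hostname itself when the TLS layer does not. This added example sketches that check in Perl; it is not code from the FusionInventory patch or its authors. The certificate hash layout (`cn`, `san_dns`), the sub names and the `example.test` hostnames are assumptions constructed for illustration, and extracting those fields from a Net::SSL connection is not shown.

```perl
use strict;
use warnings;

# Compare one certificate name against the host we connected to.
# A wildcard counts only as the whole leftmost label and covers exactly
# one label; "*.test" style patterns are refused (conservative choice).
sub name_matches {
    my ($pattern, $host) = @_;
    my @p = split /\./, lc($pattern), -1;
    my @h = split /\./, lc($host), -1;
    return 0 if !@p || @p != @h;
    return 0 if grep { $_ eq '' } @p, @h;    # empty label, e.g. trailing dot
    return 0 if grep { /\*/ } @h;            # host must be a literal name
    if ($p[0] eq '*') {
        return 0 if @p < 3;
        shift @p; shift @h;
    }
    return 0 if grep { /\*/ } @p;            # no partial or inner wildcards
    return join('.', @p) eq join('.', @h) ? 1 : 0;
}

# Use the subjectAltName dNSName entries when the certificate has any;
# fall back to the subject CN only when it has none.
sub cert_matches_host {
    my ($cert, $host) = @_;
    my @names = @{ $cert->{san_dns} || [] };
    @names = ($cert->{cn}) if !@names && defined $cert->{cn};
    my $hits = grep { name_matches($_, $host) } @names;
    return $hits ? 1 : 0;
}

# Constructed certificates mirroring the cases in the test output above.
my $plain = { cn => 'server.example.test' };
my $alt   = { cn => 'server.example.test',
              san_dns => [ 'server.example.test', 'alt.example.test' ] };
my $joker = { cn => '*.example.test' };
my $mixed = { cn => 'old.example.test', san_dns => [ 'new.example.test' ] };
my @cases = (
    [ 'correct hostname',            $plain, 'server.example.test', 1 ],
    [ 'alternate hostname',          $alt,   'alt.example.test',    1 ],
    [ 'joker',                       $joker, 'www.example.test',    1 ],
    [ 'joker, two labels deep',      $joker, 'a.b.example.test',    0 ],
    [ 'wrong hostname',              $plain, 'other.example.test',  0 ],
    [ 'CN ignored when SAN present', $mixed, 'old.example.test',    0 ],
);
for my $c (@cases) {
    my ($label, $cert, $host, $want) = @$c;
    my $got = cert_matches_host($cert, $host);
    printf "%s - %s\n", ($got == $want ? 'ok' : 'not ok'), $label;
}
```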

