Bug#507402: LWP::Protocol::https/_check_sock() has insufficient certificate checking
    Daniel T Chen
    crimsun at fungus.sh.nu
    Sun Nov 30 21:42:21 UTC 2008

Package: libwww-perl
Version: 5.820-1
Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):
The reporter states:
"See LWP::Protocol::https class, the _check_sock function:
we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header("If-SSL-Cert-Subject").
$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAAAAD. Basically, all of that renders SSL support 
in LWP::UserAgent not only meaningless, but also gives the user the 
impression of security, which is not only bad, but almost a malicious 
thing to do.
More experimentation has shown that this only happens when doing "use 
IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level, and neither does it 
seem to be documented what exactly gets verified... (server name at least?? How 
about redirects?....)
Please fix this and/or report it upstream because I consider it a major 
issue."
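The ordering the reporter asks for, certificate verification before any request bytes leave the client, written as an added example against IO::Socket::SSL; this is not code from libwww-perl or from the bug report, and the host, the subject pattern (standing in for If-SSL-Cert-Subject) and the CA bundle path are placeholder assumptions.

```perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Placeholder values, constructed for this example.
my $host       = 'www.example.invalid';
my $subject_re = qr/CN=www\.example\.invalid/;        # same role as If-SSL-Cert-Subject
my $ca_file    = '/etc/ssl/certs/ca-certificates.crt'; # assumed Debian CA bundle path

# Step 1: the handshake itself fails unless the chain verifies against
# $ca_file and the certificate name matches $host. No request bytes have
# been written yet, so a bad or unverified certificate sees nothing.
my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => 443,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'http',
    SSL_verifycn_name   => $host,
) or die "TLS connect/verify failed: $SSL_ERROR\n";

# Step 2: the application-level subject check the bug report describes,
# performed BEFORE the request is sent rather than after.
my $subject = $sock->peer_certificate('subject')
    or die "Missing SSL certificate\n";
die "Bad SSL certificate subject: '$subject' !~ $subject_re\n"
    unless $subject =~ $subject_re;

# Step 3: only now does the (possibly password-carrying) request go out.
print $sock "GET / HTTP/1.0\r\nHost: $host\r\nConnection: close\r\n\r\n";
my $status_line = <$sock>;
print "Server answered: $status_line";
close $sock;
```

A client that writes the request first and checks the peer afterwards, as described in the report, has already disclosed the request body by the time the check can fail; the die calls above all happen before the print.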