Bug#606058: IO::Socket::SSL ignores user request for peer verification

Salvatore Bonaccorso carnil at debian.org
Mon Dec 6 06:55:46 UTC 2010


Hi Daniel, Hi Steffen

Daniel Kahn Gillmor reported to our Bugtracker in Debian the report
below (See: http://bugs.debian.org/606058). Steffen, what do you
think would be best?

Bests
Salvatore

----- Forwarded message from Daniel Kahn Gillmor <dkg at fifthhorseman.net> -----

From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <dkg at fifthhorseman.net>,
	606058 at bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Sun, 05 Dec 2010 20:42:23 -0500
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user
	request for peer verification

Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch , security

Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.

This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.

It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.

While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.

I'm attaching two (mutually exclusive) patches to resolve this.

The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.

The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.

Of the two patches, i prefer no-default-ca-certs.patch.

The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.

           --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl            1.36-1     Perl module for Secure Sockets Lay
ii  netbase                       4.43       Basic TCP/IP networking system
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl          0.12.ds-1+b1 Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl       <none>     (no description available)

-- no debconf information

diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
 		! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
 		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
+			carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+                        $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+                        if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+                          return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+                        }
 		} else {
 			return IO::Socket::SSL->error("Invalid certificate authority locations");
 		}

diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
 
 	my $verify_mode = $arg_hash->{SSL_verify_mode};
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
-		! Net::SSLeay::CTX_load_verify_locations(
+             ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+             ! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
-		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
-		} else {
-			return IO::Socket::SSL->error("Invalid certificate authority locations");
-		}
+          return IO::Socket::SSL->error("Invalid certificate authority locations");
 	}
 
 	if ($arg_hash->{'SSL_check_crl'}) {
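Review bot: with the new `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} )` guard, a caller who asks for verification but names no trust store gets a context with no CA certificates loaded, so every handshake under VERIFY_PEER fails with an unverifiable chain unless an SSL_verify_callback accepts it. That is the fail-closed behaviour the report asks for, but it is now silent: the carp is gone along with the downgrade, and nothing tells the user why connections fail. Keep a carp on that path or document it in the POD; if the intent is instead to let OpenSSL fall back to its built-in default store, that needs an explicit `Net::SSLeay::CTX_set_default_verify_paths($ctx)` call, which this hunk does not add. Minor: the two new condition lines are space-indented in a tab-indented block.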

_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintainers at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers

----- End forwarded message -----
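The fail-open path the report describes is reachable only when the caller omits both SSL_ca_file and SSL_ca_path. The following client-side guard, an added example rather than code from the bug report or from IO::Socket::SSL, refuses to build a socket in that state and then confirms a peer certificate was actually presented; the host name, the helper name and the use of /etc/ssl/certs as the store are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;

# Hypothetical helper (not part of IO::Socket::SSL): open a verified TLS
# client connection, but only if the caller named a trust store, so the
# "no CA known => verify_mode reset to VERIFY_NONE" branch in SSL.pm 1.34
# cannot be reached from this code path.
sub verified_client {
    my (%arg) = @_;
    # 0x03 = VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT, as in the report
    my $mode = defined $arg{SSL_verify_mode} ? $arg{SSL_verify_mode} : 0x03;

    if ( $mode != 0 && !$arg{SSL_ca_file} && !$arg{SSL_ca_path} ) {
        die "refusing to connect: verification requested but neither "
          . "SSL_ca_file nor SSL_ca_path given (module would fail open)\n";
    }

    my $sock = IO::Socket::SSL->new( %arg, SSL_verify_mode => $mode )
      or die "TLS connect failed: " . IO::Socket::SSL::errstr() . "\n";

    # Second check: with VERIFY_FAIL_IF_NO_PEER_CERT a certificate must exist.
    my $subject = $sock->peer_certificate('subject');
    die "no peer certificate presented despite verify_mode $mode\n"
      unless defined $subject && length $subject;

    return ( $sock, $subject );
}

# Constructed usage; the host is a placeholder, the CA path is the Debian
# store named in the report and managed by the ca-certificates package.
my ( $sock, $subject ) = verified_client(
    PeerAddr    => 'example.com:443',
    SSL_ca_path => '/etc/ssl/certs',
);
print "verified peer: $subject\n";
close $sock;
```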
-------------- next part --------------
A non-text attachment was scrubbed...
Name: default-to-etc-ssl-certs.patch
Type: text/x-diff
Size: 1025 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101206/5df59558/attachment-0002.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-default-ca-certs.patch
Type: text/x-diff
Size: 909 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101206/5df59558/attachment-0003.patch>