Bug#606058: [rt.cpan.org #63637] Re: IO::Socket::SSL ignores user request for peer verification

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 6 07:25:09 UTC 2010


Thanks for forwarding this, Salvatore--

On 12/06/2010 01:55 AM, Salvatore Bonaccorso wrote:
> Of the two patches, i prefer no-default-ca-certs.patch.
> 
> The documentation makes references to ca/ and certs/my-ca.pem -- if
> these are actually used by the tool, then no-default-ca-certs.patch is
> definitely the way to go.

Hrm, as i look at it further, i'm not entirely sure that
no-default-ca-certs operates as expected with users who rely on the
defaults of ca/ or certs/my-ca.pem.

I do think that IO::Socket::SSL needs to fail *closed* though, and not
revert to accepting unverified connections in the event that the user
forgets to specify CAs (or fails to correctly populate the default
locations).

	--dkg
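A client-side illustration of the fail-closed behaviour dkg asks for, added here as an example; it is not part of the original message and not IO::Socket::SSL's own code. It assumes the host, port and a CA bundle path are supplied on the command line, and the `ca_file_usable` helper is hypothetical. The point is that peer verification is requested explicitly and the script refuses to connect at all, rather than falling back to an unverified session, when the CA file is missing:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Usage: verified_client.pl HOST PORT CA_FILE   (all three are assumed inputs)
my ($host, $port, $ca_file) = @ARGV;
die "usage: $0 HOST PORT CA_FILE\n" unless defined $ca_file;

# Hypothetical helper: refuse to proceed if the CA source is missing,
# unreadable or empty, instead of letting that silently become an
# unverified connection.
sub ca_file_usable {
    my ($path) = @_;
    return -f $path && -r $path && -s $path;
}
die "CA file '$ca_file' is missing, unreadable or empty; refusing to connect\n"
    unless ca_file_usable($ca_file);

my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => $port,
    SSL_verify_mode     => SSL_VERIFY_PEER,  # never SSL_VERIFY_NONE
    SSL_ca_file         => $ca_file,         # explicit trust anchor, no reliance on defaults
    SSL_verifycn_scheme => 'http',           # also check the name in the certificate
    SSL_verifycn_name   => $host,
) or die "TLS handshake or peer verification failed: $SSL_ERROR\n";

print "Verified connection to $host:$port; peer CN: ",
      $sock->peer_certificate('cn'), "\n";
$sock->close(SSL_ctx_free => 1);
```

Because `SSL_verify_mode` and `SSL_ca_file` are both set explicitly, the outcome does not depend on whatever default CA locations the installed module would otherwise look for; a failed verification surfaces as an undefined socket and the module's `$SSL_ERROR` string, and the script dies instead of talking to an unauthenticated peer.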
