Bug#606243: IO::Socket::SSL fails when verify_callback is supplied without ca_path or ca_file
Salvatore Bonaccorso
carnil at debian.org
Wed Dec 8 21:24:05 UTC 2010
Hi Daniel
See upstream's answer on this.
Bests
Salvatore
----- Forwarded message from Steffen Ullrich via RT <bug-IO-Socket-SSL at rt.cpan.org> -----
From: Steffen Ullrich via RT <bug-IO-Socket-SSL at rt.cpan.org>
Reply-To: bug-IO-Socket-SSL at rt.cpan.org
Date: Wed, 8 Dec 2010 14:38:34 -0500
To: carnil at debian.org
Cc: behroozi at www.pls.uni.edu
Subject: [rt.cpan.org #63741] IO::Socket::SSL fails when verify_callback is
supplied without ca_path or ca_file
<URL: https://rt.cpan.org/Ticket/Display.html?id=63741 >
it's not that simple:
- usually SSL_verify_callback is used together with a valid CA file or
CA path, because one wants to let openssl pre-check the certificate
and only add additional checks (see SSL_set_verify openssl docs),
- if SSL_verifycn_scheme is set there will be an implicit
SSL_verify_callback which checks the name in the certificate
Because the case, that somebody wants to check the certificate completely
by itself w/o having openssl check the certificate chain, is IMHO
uncommon, I don't change the code for now.
I think it is safer than risking not doing certificate checks.
----- End forwarded message -----
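
The usage described in the forwarded reply, as an added example that is not part of the original message or of IO::Socket::SSL itself: a verify callback that keeps OpenSSL's chain verdict and only adds one check on top. The helper name `make_verify_callback`, the subject pattern, the certificate-name strings and the CA bundle path in the comment are constructed assumptions; the code assumes an IO::Socket::SSL version that passes the chain depth as the sixth callback argument.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Build a sub for SSL_verify_callback. IO::Socket::SSL calls it once per
# certificate in the chain with: OpenSSL's own verdict, the certificate
# store handle, a string holding issuer and subject names, an error
# string, the certificate handle and the depth (0 = peer certificate).
sub make_verify_callback {
    my ($subject_re) = @_;    # hypothetical extra policy on the subject name
    return sub {
        my ($ok, $store, $certname, $error, $cert, $depth) = @_;

        # Never turn a failed chain check into a pass: OpenSSL rejected it.
        return 0 unless $ok;

        # CA certificates further up the chain: keep OpenSSL's verdict.
        return 1 if $depth > 0;

        # Peer certificate: the additional check on top of the chain check.
        return $certname =~ $subject_re ? 1 : 0;
    };
}

my $cb = make_verify_callback(qr{/O=Example Corp/CN=[^/]+\z});

# Constructed inputs imitating the callback arguments (no network needed).
my $ca = '/O=Example CA/CN=Example Root';
my @cases = (
    [ 'chain ok, subject ok',     1, "$ca/O=Example Corp/CN=db1.example.test", 0 ],
    [ 'chain failed, subject ok', 0, "$ca/O=Example Corp/CN=db1.example.test", 0 ],
    [ 'chain ok, wrong subject',  1, "$ca/O=Other Org/CN=db1.example.test",    0 ],
    [ 'chain ok, CA certificate', 1, "$ca$ca",                                 1 ],
);
for my $case (@cases) {
    my ($label, $ok, $certname, $depth) = @$case;
    my $error   = $ok ? 0 : 'constructed verification error';
    my $verdict = $cb->($ok, undef, $certname, $error, undef, $depth);
    printf "%-26s => %s\n", $label, $verdict ? 'accept' : 'reject';
}

# With a real connection (host and CA bundle path are assumptions):
#   IO::Socket::SSL->new(
#       PeerAddr            => 'db1.example.test:443',
#       SSL_verify_mode     => SSL_VERIFY_PEER,
#       SSL_ca_file         => '/etc/ssl/certs/ca-certificates.crt',
#       SSL_verify_callback => $cb,
#   );
```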