Bug#606243: [rt.cpan.org #63741] Re: Bug#606243: IO::Socket::SSL fails when verify_callback is supplied without ca_path or ca_file
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Dec 8 22:07:17 UTC 2010
On 12/08/2010 04:24 PM, Salvatore Bonaccorso wrote:
> ----- Forwarded message from Steffen Ullrich via RT <bug-IO-Socket-SSL at rt.cpan.org> -----
> it's not that simple:
> - usually SSL_verify_callback is used together with a valid CA file or
> CA path, because one wants to let openssl pre-check the certificate
> and only add additional checks (see SSL_set_verify openssl docs),
> - if SSL_verifycn_scheme is set there will be an implicite
> SSL_verify_callback which checks the name in the certificate
>
> Because the case, that somebody wants to check the certificate completly
> by itself w/o having openssl check the certificate chain, is IMHO
> uncommon, I don't change the code for now.
Hrm. i'm doing it with a tool i hope to release later this week,
actually [0], so while it might be uncommon, it does happen.
What do you suggest i do to make this work? maybe i should do something
like:
ca_path => '/'
?
That seems pretty weird to me. Can you recommend a better way that i
can fully disable these checks, or is this the best way?
> I think it is safer than risk to not doing certificate checks.
What do you think is the risk here? If no trusted root authorities are
supplied (by either ca_path or ca_file), but a verify callback is
present, that verify callback will simply never see a preverify_ok
argument set to 1, right? why is that dangerous?
--dkg
[0] https://labs.riseup.net/code/issues/2016
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101208/d36d5231/attachment-0001.pgp>
More information about the pkg-perl-maintainers
mailing list