Bug#640903: Fwd: regression: breaks $ldap->start_tls()
Peter Marschall
peter at adpm.de
Thu Sep 8 12:39:13 UTC 2011
Package: libnet-ldap-perl
Version: 1:0.4300-1
Severity: important
Tags: patch
Hi,
libnet-ldap-perl 0.4300-1 has a regression:
It breaks calls to start_tls() completely and issues warnings on every
LDAPS connection.
The culprit is the addition of parameter
SSL_verifycn_scheme => "ldap"
to the SSL context in _SSL_context_init_args().
I see two alternative solutions to fix the issue:
A) revert this addition
This is done by the attached patch
B) Fix the issue by using the commit
https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
from my perl-ldap github repo, which I already proposed to put upstream in
a pull request to G. Barr.
Comparison of the two alternatives:
Solution A) completely restores the situation of pre-0.43 releases,
but leaves a risk for MITM attacks by not checking the host names
in the certificates against the hostname an application connects to.
Solution B) mitigates this risk by doing the hostname verification,
but may break applications that rely on the insecure behaviour.
In addition to that: there's no guarantee that solution B) will be
incorporated upstream.
Nevertheless I personally prefer B) ;-)
Best
Peter
PS: I am not sure if the potential security aspects should increase the
severity even more.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libnet-ldap-perl depends on:
ii libconvert-asn1-perl 0.22-1 Perl module for encoding and decod
ii libwww-perl 6.02-1 simple and consistent interface to
ii perl [libmime-base64-perl] 5.12.4-4 Larry Wall's Practical Extraction
libnet-ldap-perl recommends no packages.
Versions of packages libnet-ldap-perl suggests:
ii libauthen-sasl-perl 2.1500-1 Authen::SASL - SASL Authentication
ii libio-socket-ssl-perl 1.44-1 Perl module implementing object or
ii liburi-perl 1.59-1 module to manipulate and access UR
ii libxml-parser-perl 2.41-1 Perl module for parsing XML files
ii libxml-sax-perl 0.96+dfsg-2 Perl module for using and building
ii perl [libdigest-md5-perl] 5.12.4-4 Larry Wall's Practical Extraction
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deactivate_SSL_verifycn_scheme.patch
Type: text/x-diff
Size: 345 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20110908/2c562a28/attachment.patch>