Bug#640903: Fwd: regression: breaks $ldap->start_tls()

Peter Marschall peter at adpm.de
Thu Sep 8 12:39:13 UTC 2011


Package: libnet-ldap-perl
Version: 1:0.4300-1
Severity: important
Tags: patch

Hi,

libnet-ldap-perl 0.4300-1 has a regression:
It breaks calls to start_tls() completely and issues warnings on every
LDAPS connection.

The culprit is the addition of parameter
	SSL_verifycn_scheme => "ldap"
to the SSL context in _SSL_context_init_args().

I see two alternative solutions to fix the issue:

A) revert this addition
   This is done by the attached patch
B) Fix the issue by using the commit
   https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
   from my perl-ldap github repo, which I already proposed to put upstream in
   a pull request to G. Barr.

Comparison of the two alternatives:
Solution A) completely restores the situation of pre-0.43 releases,
but leaves a risk for MITM attacks by not checking the host names
in the certificates against the hostname an application connects to.

Solution B) mitigates this risk by doing the hostname verification,
but may break applications that rely on the insecure behaviour.
In addition to that: there's no guarantee that solution B) will be
incorporated upstream.

Nevertheless I personally prefer B)  ;-)


Best
Peter

PS: I am not sure if the potential security aspects should increase the 
severity even more.


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnet-ldap-perl depends on:
ii  libconvert-asn1-perl          0.22-1     Perl module for encoding and decod
ii  libwww-perl                   6.02-1     simple and consistent interface to
ii  perl [libmime-base64-perl]    5.12.4-4   Larry Wall's Practical Extraction

libnet-ldap-perl recommends no packages.

Versions of packages libnet-ldap-perl suggests:
ii  libauthen-sasl-perl          2.1500-1    Authen::SASL - SASL Authentication
ii  libio-socket-ssl-perl        1.44-1      Perl module implementing object or
ii  liburi-perl                  1.59-1      module to manipulate and access UR
ii  libxml-parser-perl           2.41-1      Perl module for parsing XML files
ii  libxml-sax-perl              0.96+dfsg-2 Perl module for using and building
ii  perl [libdigest-md5-perl]    5.12.4-4    Larry Wall's Practical Extraction

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: deactivate_SSL_verifycn_scheme.patch
Type: text/x-diff
Size: 345 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20110908/2c562a28/attachment.patch>
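The MITM risk discussed in the report above comes from an application that enables TLS (StartTLS or LDAPS) without telling Net::LDAP to verify the server certificate and the hostname in it. The following client script is an added example, not code from the bug report, the attached patch, or the Net::LDAP distribution. It shows the explicit settings an application should pass so that the outcome does not depend on the library's default for SSL_verifycn_scheme: verify => 'require' plus a CA bundle, a check that the socket is really TLS before any bind, and a belt-and-braces call to IO::Socket::SSL's verify_hostname() with the 'ldap' scheme. The host name and CA file path come from the command line and are assumptions of the example; a reachable LDAP server is needed to run it.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or Net::LDAP itself):
# StartTLS and LDAPS with certificate and hostname verification forced
# explicitly by the application, independent of the library's defaults.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;

# Assumed inputs: server name and CA bundle path from the command line.
my ($host, $cafile) = @ARGV;
die "usage: $0 ldap.example.com /path/to/ca-bundle.pem\n"
    unless defined $host && defined $cafile && -r $cafile;

# Plain TCP first; the TLS handshake happens in start_tls() below.
my $ldap = Net::LDAP->new($host, port => 389, version => 3)
    or die "connect to $host:389 failed: $@\n";

# verify => 'require' makes IO::Socket::SSL reject an unverifiable chain,
# cafile restricts trust to the given bundle. With verification on, the
# certificate's CN / dNSName SANs are matched against $host.
my $mesg = $ldap->start_tls(
    verify => 'require',
    cafile => $cafile,
);
die "StartTLS failed: " . $mesg->error . "\n" if $mesg->code;

# Never send credentials unless the socket really was upgraded to TLS.
my $sock = $ldap->socket;
die "socket is not TLS after start_tls\n"
    unless $sock->isa('IO::Socket::SSL');

# Belt and braces: re-run the hostname check the 'ldap' scheme performs
# (CN and dNSName SANs, leftmost-label wildcards only).
die "certificate does not match $host\n"
    unless $sock->verify_hostname($host, 'ldap');

printf "StartTLS up: cipher %s, peer CN %s\n",
    $sock->get_cipher, $sock->peer_certificate('cn');

$mesg = $ldap->bind;    # anonymous bind as a smoke test only
die "bind failed: " . $mesg->error . "\n" if $mesg->code;
$ldap->unbind;

# Same guarantees for LDAPS: the TLS options go to new() instead.
my $ldaps = Net::LDAP->new("ldaps://$host",
    verify => 'require',
    cafile => $cafile,
) or die "LDAPS connect to $host failed: $@\n";

die "LDAPS certificate does not match $host\n"
    unless $ldaps->socket->verify_hostname($host, 'ldap');

$mesg = $ldaps->bind;
die "LDAPS bind failed: " . $mesg->error . "\n" if $mesg->code;
printf "LDAPS up: cipher %s\n", $ldaps->socket->get_cipher;
$ldaps->unbind;
```

Run it as `perl ldap_tls_check.pl ldap.example.com /etc/ssl/certs/ca-certificates.crt`. If the server presents a certificate for a different name, start_tls() returns an error code and the script stops before binding; the verify_hostname() call is redundant with a correctly behaving library, but it makes the hostname check visible in the application and will fail loudly if a library version silently stops performing it.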

