Bug#750642: libio-socket-ssl-perl: set_args_filter_hack('use_defaults') fails to correctly restore SSL_ca_*

Jakub Wilk jwilk at debian.org
Thu Jun 5 10:57:04 UTC 2014 

Package: libio-socket-ssl-perl
Version: 1.992-1

The attached test program is supposed to try to connect to 
www.debian.org while trusting only a random wrong CA:

    my $host = 'www.debian.org';
    my $ca = 'China_Internet_Network_Information_Center_EV_Certificates_Root';
    # definitely NOT the www.debian.org's CA ---^
    my $cafile = "/usr/share/ca-certificates/mozilla/$ca.crt";
    IO::Socket::SSL::set_defaults(
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'http',
        SSL_ca_file => $cafile,
    );

The program calls set_args_filter_hack('use_defaults'). This call 
shouldn't affect anything interesting in this case, but it actually 
break things:

    $ perl test-filter-hack.pl
    Eeek! Connected to www.debian.org, even though only China_Internet_Network_Information_Center_EV_Certificates_Root was supposed to be trusted.

This is my understanding why it happens:

IO::Socket::SSL has defaults for both SSL_ca_file and SSL_ca_path. These 
defaults are normally only taken into account if user set none of these 
two themselves:

    # if any of SSL_ca* is set don't set the other SSL_ca*
    # from defaults
    if ( $arg_hash->{SSL_ca} ) {
        $arg_hash->{SSL_ca_file} ||= undef
        $arg_hash->{SSL_ca_path} ||= undef
    } elsif ( $arg_hash->{SSL_ca_path} ) {
        $arg_hash->{SSL_ca_file} ||= undef
    } elsif ( $arg_hash->{SSL_ca_file} ) {
        $arg_hash->{SSL_ca_path} ||= undef;
    }

But if you use set_args_filter_hack('use_defaults'), the code I quoted 
above is no-op, because all the SSL_ca* are already initialized with 
%DEFAULT_SSL_CLIENT_ARGS values:

    sub set_args_filter_hack {
        # ...
        } elsif ( $sub eq 'use_defaults' ) {
            # override args with defaults
            $FILTER_SSL_ARGS = sub {
                my ($is_server,$args) = @_;
                %$args = ( %$args, $is_server
                    ? ( %DEFAULT_SSL_SERVER_ARGS, %$GLOBAL_SSL_SERVER_ARGS )
                    : ( %DEFAULT_SSL_CLIENT_ARGS, %$GLOBAL_SSL_CLIENT_ARGS )
                );
            }
        }
    }

A possible work-around is to always set both SSL_ca_file and 
SSL_ca_path, setting the one you don't need explicitly to undef:

  IO::Socket::SSL::set_defaults(
      SSL_verify_mode => SSL_VERIFY_PEER,
      SSL_verifycn_scheme => 'http',
      SSL_ca_file => $cafile,
      SSL_ca_path => undef,
  );


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.14-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl  1.63-1
ii  netbase             5.2
ii  perl                5.18.2-4

Versions of packages libio-socket-ssl-perl recommends:
ii  libio-socket-inet6-perl     2.72-1
ii  libio-socket-ip-perl        0.29-1
ii  libnet-idn-encode-perl      2.100-2
ii  libsocket6-perl             0.25-1
ii  liburi-perl                 1.60-1
ii  perl                        5.18.2-4
ii  perl-base [libsocket-perl]  5.18.2-4

Versions of packages libio-socket-ssl-perl suggests:
ii  ca-certificates  20140325

-- 
Jakub Wilk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test-filter-hack.pl
Type: text/x-perl
Size: 806 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20140605/dd36e774/attachment.pl>

More information about the pkg-perl-maintainers mailing list