Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL

Jakub Wilk jwilk at debian.org
Thu May 1 15:24:25 UTC 2014


Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious

If LWP uses IO::Socket::SSL as SSL socket class (this is the default), 
setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!) 
server certificate verification:

$ export PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL

$ GET https://www.berlios.de/
Can't connect to www.berlios.de:443

$ HTTPS_CA_DIR=/etc/ssl/certs/ GET https://www.berlios.de/ | grep '<!DOCTYPE'
		<!DOCTYPE html>


This is counter-intuitive, and also the opposite of Net::SSL behavior, 
which does certificate verification only if you set one of these 
variables.


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libwww-perl depends on:
ii  ca-certificates             20140325
ii  libencode-locale-perl       1.03-1
ii  libfile-listing-perl        6.04-1
ii  libhtml-parser-perl         3.71-1+b1
ii  libhtml-tagset-perl         3.20-2
ii  libhtml-tree-perl           5.03-1
ii  libhttp-cookies-perl        6.00-2
ii  libhttp-date-perl           6.02-1
ii  libhttp-message-perl        6.06-1
ii  libhttp-negotiate-perl      6.00-2
ii  liblwp-mediatypes-perl      6.02-1
ii  liblwp-protocol-https-perl  6.04-2
ii  libnet-http-perl            6.06-1
ii  liburi-perl                 1.60-1
ii  libwww-robotrules-perl      6.01-1
ii  netbase                     5.2
ii  perl                        5.18.2-2+b1

-- 
Jakub Wilk
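A practitioner reading this report will want a way to confirm what their own LWP stack actually does rather than trusting the environment. The script below is an added check written for this page; it is not part of the bug report or of libwww-perl. It requests verification explicitly through LWP::UserAgent's ssl_opts, leaves HTTPS_CA_DIR and HTTPS_CA_FILE exactly as the caller set them, and then reports whether the TLS handshake succeeded. The URL, the --expect-fail flag and the idea of pointing it at a host whose certificate must not verify (for example a local self-signed test server) are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): check whether LWP + IO::Socket::SSL
# really verifies the peer certificate under the current environment.
use strict;
use warnings;
use Getopt::Long;

BEGIN {
    # Force the socket class the report is about. Net::HTTPS reads this
    # variable when it is loaded, so it must be set before LWP pulls it in.
    $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'IO::Socket::SSL';
}
use LWP::UserAgent;
use IO::Socket::SSL;

my %opt;
GetOptions(\%opt, 'expect-fail', 'ca-file=s', 'ca-path=s')
    or die "usage: $0 [--expect-fail] [--ca-file FILE | --ca-path DIR] https://host/\n";
my $url = shift @ARGV
    or die "usage: $0 [--expect-fail] [--ca-file FILE | --ca-path DIR] https://host/\n";

# Ask for verification in code, independent of HTTPS_CA_* and PERL_LWP_* variables.
my %ssl_opts = (
    verify_hostname => 1,
    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
);
$ssl_opts{SSL_ca_file} = $opt{'ca-file'} if $opt{'ca-file'};
$ssl_opts{SSL_ca_path} = $opt{'ca-path'} if $opt{'ca-path'};

my $ua  = LWP::UserAgent->new(timeout => 15, ssl_opts => \%ssl_opts);
my $res = $ua->get($url);

# LWP marks responses it generated itself (connect or handshake failures)
# with "Client-Warning: Internal response". Anything else, including an
# HTTP 404 from the server, means the TLS handshake completed.
my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
my $tls_ok   = !$internal;

printf "socket class : %s\n", $Net::HTTPS::SSL_SOCKET_CLASS // '(Net::HTTPS not loaded)';
printf "HTTPS_CA_DIR : %s\n", $ENV{HTTPS_CA_DIR}  // '(unset)';
printf "HTTPS_CA_FILE: %s\n", $ENV{HTTPS_CA_FILE} // '(unset)';
printf "result       : %s\n", $res->status_line;

if ($opt{'expect-fail'} && $tls_ok) {
    print "FAIL: handshake succeeded although the peer certificate should not verify\n";
    exit 1;
}
if (!$opt{'expect-fail'} && !$tls_ok) {
    print "FAIL: request did not complete: ", $res->status_line, "\n";
    exit 1;
}
print "OK\n";
exit 0;
```

Run it twice against a host whose certificate must not verify, once with the environment clean and once with HTTPS_CA_DIR=/etc/ssl/certs in front of it, both with --expect-fail. A correctly behaving stack prints OK both times; if the second run prints FAIL because the handshake went through, the installed stack shows the behaviour the report describes, and verification should be pinned in code as above instead of being left to environment variables.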


