Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL
Jakub Wilk
jwilk at debian.org
Sun May 4 08:50:24 UTC 2014
* Jakub Wilk <jwilk at debian.org>, 2014-05-02, 15:44:
>So the intention was to disable only hostname verification, for
>compatibility with Crypt::SSLeay (why?!), but the effect is that the
>SSL_verify_mode is set to 0.
To elaborate a bit on my "why?!":
* There's nothing in the names of HTTPS_CA_* that would suggest that
these variables are specific to Crypt::SSLeay, or LWP, or even Perl. So
people might have them set in their environment for purposes unrelated
to Crypt::SSLeay.
* I suspect that these days many users of LWP don't even know what
Crypt::SSLeay is.
* There is nothing in the LWP documentation that suggests that setting
HTTPS_CA_* might have a negative security effect.
If for some reason (I can't see such reason, but maybe I'm missing
something) disabling hostname verification is desirable when HTTPS_CA_*
is set, then it should be prominently documented.
Regarding the proposed patch, I have doubts whether it is correct.
My understanding of the documentation[0] is that, contrary to what the
name of the option suggests, verify_hostname is supposed to
enable/disable both certificate verification and that the certificate
matches the hostname. But after this patch is applied, it will affect only
the latter.
[0] “When TRUE LWP will for secure protocol schemes ensure it connects
to servers that have a valid certificate matching the expected hostname.
If FALSE no checks are made and you can’t be sure that you communicate
with the expected peer.”
--
Jakub Wilk
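As an added example (not code from the bug report, nor LWP's own code), a Perl helper that passes ssl_opts explicitly so the HTTPS_CA_* compatibility default discussed above never decides verify_hostname, plus a small audit of an existing UserAgent. The CA file path is a constructed placeholder, and the audit only inspects what the UserAgent was configured with, not what LWP::Protocol::https finally hands to IO::Socket::SSL.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Build a UserAgent whose ssl_opts are set explicitly, so the
# verify_hostname default that LWP derives from HTTPS_CA_FILE /
# HTTPS_CA_DIR (the behaviour in the bug report) is never consulted.
sub strict_ua {
    my (%args) = @_;
    my %ssl_opts = (
        verify_hostname => 1,   # certificate chain AND hostname checks
    );
    # Reuse the CA location from the environment when present, but pass
    # it through ssl_opts instead of relying on the Crypt::SSLeay
    # compatibility path inside LWP::UserAgent->new.
    my $ca_file = $args{ca_file} || $ENV{HTTPS_CA_FILE};
    my $ca_path = $args{ca_path} || $ENV{HTTPS_CA_DIR};
    $ssl_opts{SSL_ca_file} = $ca_file if $ca_file;
    $ssl_opts{SSL_ca_path} = $ca_path if $ca_path;
    return LWP::UserAgent->new(ssl_opts => \%ssl_opts);
}

# Inspect an existing UserAgent: verify_hostname being false is the
# condition that, per the report, ends up as SSL_verify_mode => 0.
# Returns a list of problems (empty when the configuration looks sane).
sub audit_ua {
    my ($ua) = @_;
    my @problems;
    push @problems, 'verify_hostname is off (peer verification disabled)'
        unless $ua->ssl_opts('verify_hostname');
    return @problems;
}

# Demonstration: with HTTPS_CA_FILE set (constructed path), a default
# UserAgent picks up verify_hostname => 0, while strict_ua() keeps
# verification on regardless of the environment.
$ENV{HTTPS_CA_FILE} = '/etc/ssl/certs/ca-certificates.crt';   # placeholder
my @default_problems = audit_ua(LWP::UserAgent->new);
my @strict_problems  = audit_ua(strict_ua());
print "default UA: ", (@default_problems ? join('; ', @default_problems) : 'ok'), "\n";
print "strict UA:  ", (@strict_problems  ? join('; ', @strict_problems)  : 'ok'), "\n";
```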