Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL

Salvatore Bonaccorso carnil at debian.org
Mon May 5 05:52:00 UTC 2014


Hi Jakub,

On Sun, May 04, 2014 at 10:50:24AM +0200, Jakub Wilk wrote:
> * Jakub Wilk <jwilk at debian.org>, 2014-05-02, 15:44:
> >So the intention was to disable only hostname verification, for
> >compatibility with Crypt::SSLeay (why?!), but the effect is that
> >the SSL_verify_mode is set to 0.
> 
> To elaborate a bit on my "why?!":
> 
> * There's nothing in the names of HTTPS_CA_* that would suggest
> that these variables are specific to Crypt::SSLeay, or LWP, or even
> Perl. So people might have them set in their environment for
> purposes unrelated to Crypt::SSLeay.
> 
> * I suspect that these days many users of LWP don't even know what
> Crypt::SSLeay is.
> 
> * There is nothing in the LWP documentation that suggests that
> setting HTTPS_CA_* might have a negative security effect.
> 
> If for some reason (I can't see such reason, but maybe I'm missing
> something) disabling hostname verification is desirable when
> HTTPS_CA_* is set, then it should be prominently documented.
> 
> 
> Regarding the proposed patch, I have doubts whether it is correct.
> My understanding of the documentation[0] is that, contrary to what
> the name of the option suggests, verify_hostname is supposed to
> enable/disable both certificate verification and that the
> certificate matches hostname. But after this patch is applied, it will
> affect only the latter.
> 
> 
> [0] “When TRUE LWP will for secure protocol schemes ensure it
> connects to servers that have a valid certificate matching the
> expected hostname. If FALSE no checks are made and you can’t be sure
> that you communicate with the expected peer.”

Thanks for elaborating this and taking time.

I have not yet uploaded a package with the commit applied. There is
some discussion going on the issue tracker at [1], with clarification
from upstream of IO::Socket::SSL at [2].

 [1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
 [2] https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42160001

Regards,
Salvatore
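The practical takeaway from the thread is that an LWP client should not let its TLS verification policy be decided by whatever HTTPS_CA_FILE or HTTPS_CA_DIR happens to be in the environment. The script below is an added example, not code from the thread or from libwww-perl: it builds an LWP::UserAgent with verify_hostname, SSL_verify_mode and SSL_ca_file set explicitly in ssl_opts, and adds a startup check that refuses to proceed if any of these is missing or disabled. It assumes that an explicit verify_hostname in ssl_opts takes precedence over the environment-derived default (the assumption is noted in the code), and the CA bundle paths are placeholders.

```perl
#!/usr/bin/perl
# Added example (not part of the bug thread or of libwww-perl): pin LWP's
# TLS verification settings explicitly rather than relying on defaults
# derived from HTTPS_CA_* or PERL_LWP_SSL_VERIFY_HOSTNAME.
# Assumption: an explicit verify_hostname key in ssl_opts takes precedence
# over the environment-derived default.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build a UA whose verification policy does not depend on the environment.
# $ca_file is the caller's trust store (a placeholder path is used below).
sub hardened_ua {
    my ($ca_file) = @_;
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,                # require the cert to match the host
            SSL_verify_mode => SSL_VERIFY_PEER,  # require a chain to a trusted CA
            SSL_ca_file     => $ca_file,         # do not depend on HTTPS_CA_FILE
        },
    );
}

# Startup sanity check: true only if peer verification, hostname
# verification and a trust store are all configured on this UA.
sub verification_is_enforced {
    my ($ua) = @_;
    return 0 unless $ua->ssl_opts('verify_hostname');
    return 0 unless (($ua->ssl_opts('SSL_verify_mode') // 0) & SSL_VERIFY_PEER);
    return 0 unless defined $ua->ssl_opts('SSL_ca_file')
                 || defined $ua->ssl_opts('SSL_ca_path');
    return 1;
}

# Constructed scenario: HTTPS_CA_FILE is present in the environment, which
# is the condition the bug report describes. The file is never opened here;
# only the resulting ssl_opts are inspected.
local $ENV{HTTPS_CA_FILE} = '/path/to/env-ca-bundle.crt';   # placeholder

my $default_ua = LWP::UserAgent->new;  # picks up environment-driven defaults
my $pinned_ua  = hardened_ua('/path/to/trusted-ca-bundle.pem');  # placeholder

for my $pair ([default => $default_ua], [pinned => $pinned_ua]) {
    my ($label, $ua) = @$pair;
    printf "%-8s verify_hostname=%s SSL_verify_mode=%s enforced=%d\n",
        $label,
        $ua->ssl_opts('verify_hostname') // 'undef',
        $ua->ssl_opts('SSL_verify_mode') // 'undef',
        verification_is_enforced($ua);
}

# A real client would call verification_is_enforced($ua) before its first
# request and die if it returns 0.
```

What the "default" line prints depends on the installed LWP and LWP::Protocol::https versions, which is exactly the point: the "pinned" UA reports the same enforced settings on every version, because nothing in its policy is read from the environment.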