Bug#788698: liblwp-protocol-https-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables verification that hostname matches CN/subjectAltName
Jakub Wilk
jwilk at debian.org
Sun Jun 14 11:08:50 UTC 2015
Package: liblwp-protocol-https-perl
Version: 6.06-2
Tags: security
This is a follow-up to bug #746579. When you set HTTPS_CA_DIR or
HTTPS_CA_FILE in the environment, and use IO::Socket::SSL as the TLS
backend (which is the default), LWP does not verify that the hostname
matches the certificate's CN or subjectAltName:
$ HEAD https://5.153.231.4/ | head -n1
500 Can't connect to 5.153.231.4:443
$ HTTPS_CA_DIR=/etc/ssl/certs/ HEAD https://5.153.231.4/ | head -n1
200 OK
As I explained in the other bug, this is done for compatibility with
Crypt::SSLeay, but:
* There's nothing in the names of HTTPS_CA_* that would suggest that
these variables are specific to Crypt::SSLeay, or LWP, or even Perl.
So people might have them set in their environment for purposes
unrelated to Crypt::SSLeay.
* I suspect that these days many users of LWP don't even know what
Crypt::SSLeay is.
* There is nothing in the LWP documentation that suggests that setting
HTTPS_CA_* might have a negative security effect.
-- System Information:
Debian Release: stretch/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages liblwp-protocol-https-perl depends on:
ii ca-certificates 20150426
ii libio-socket-ssl-perl 2.016-1
ii libnet-http-perl 6.07-1
ii libwww-perl 6.08-1
ii perl 5.20.2-6
--
Jakub Wilk
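The following is an added example, not code from the bug report or from LWP itself. It shows the client-side mitigation for the behaviour described above: passing verify_hostname => 1 explicitly in ssl_opts to LWP::UserAgent->new, so the HTTPS_CA_DIR / HTTPS_CA_FILE environment handling cannot switch hostname checking off, while still honouring those variables as a trust-store location. It assumes LWP::UserAgent 6.x with LWP::Protocol::https and IO::Socket::SSL installed; the helper name strict_ssl_opts and the URL are placeholders chosen here.

```perl
#!/usr/bin/perl
# Added example (not part of the bug report): build an LWP::UserAgent whose
# hostname verification is fixed on regardless of HTTPS_CA_DIR/HTTPS_CA_FILE.
use strict;
use warnings;
use LWP::UserAgent;

# Construct ssl_opts explicitly. An explicit verify_hostname key passed to the
# constructor takes precedence over the HTTPS_CA_* environment compatibility
# logic in LWP::UserAgent->new, which would otherwise set it to 0.
sub strict_ssl_opts {
    my %opts = (verify_hostname => 1);
    # Use a CA location from the environment purely as the trust store,
    # never as a switch that relaxes the hostname check.
    if (defined $ENV{HTTPS_CA_FILE} && length $ENV{HTTPS_CA_FILE}) {
        $opts{SSL_ca_file} = $ENV{HTTPS_CA_FILE};
    }
    elsif (defined $ENV{HTTPS_CA_DIR} && length $ENV{HTTPS_CA_DIR}) {
        $opts{SSL_ca_path} = $ENV{HTTPS_CA_DIR};
    }
    return \%opts;
}

my $ua = LWP::UserAgent->new(ssl_opts => strict_ssl_opts());

# Defensive check before issuing any request: abort if verification is off.
die "refusing to continue: hostname verification is disabled\n"
    unless $ua->ssl_opts('verify_hostname');

my $url = shift @ARGV || 'https://example.invalid/';   # placeholder URL
my $res = $ua->head($url);
print $res->status_line, "\n";
```

With this in place, a request to a host whose certificate does not match the requested name fails with a 500 "certificate verify failed" style status from LWP even when HTTPS_CA_DIR is set, instead of the 200 OK shown in the report. The same effect can be had without code changes by exporting PERL_LWP_SSL_VERIFY_HOSTNAME=1, which LWP::UserAgent consults before the HTTPS_CA_* variables.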