Bug#788698: supporting this bug report

Steffen Ullrich sullr at cpan.org
Sun Jun 14 16:41:54 UTC 2015


Hi,

as the maintainer of IO::Socket::SSL I strongly support this bug report.

First, like the author said, this behavior is unexpected and has serious 
security implications.
Apart from that, disabling the verification of the hostname is more or less
the same as disabling any kind of certificate validation. If only the trust
chain is checked but not the hostname an attacker could simply get a valid 
certificate for its own host and then use it to attack different hosts.

In my opinion the feature to disable validation of the hostname should not
only never be enabled implicitly but should instead be removed. Of course
there can be cases where the hostname does not match, but in this case the
user can give the expected hostname with the `SSL_verifycn_name` option
or simply use certificate pinning with the `SSL_fingerprint` option, in
which case all other checks are disabled. Contrary to disabling the
hostname validation these kinds of options are safe, because the user
explicitly defines what is expected.

Regards,
Steffen
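The three client configurations the mail contrasts, written out as an added example (this is not code from the mail or from the IO::Socket::SSL distribution). The hostnames `internal-alias.example.net` and `service.example.com` are constructed, the fingerprint is an obvious placeholder, and the `weak_client` variant is only defined for comparison, not run: it keeps the chain check but switches the name check off with `SSL_verifycn_scheme => 'none'`, which is the setting the mail argues must never be implied. The two other variants are the safe alternatives named above: `SSL_verifycn_name` pins the expected name while keeping full validation, and `SSL_fingerprint` pins the exact certificate, in which case IO::Socket::SSL skips the chain and hostname checks in favour of the fingerprint match.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;

# Constructed values: the address we connect to, the name the certificate
# is expected to carry when it differs from that address, and a placeholder
# fingerprint (not a real one) in the 'sha256$<hex>' form SSL_fingerprint takes.
my $connect_to    = 'internal-alias.example.net';
my $expected_name = 'service.example.com';
my $pin           = 'sha256$' . ('00' x 32);

# Weak: the chain is verified against the CA store, but the hostname check
# is off. Any certificate chaining to a trusted CA is accepted, no matter
# which host it was issued for. Shown only for contrast; never called below.
sub weak_client {
    return IO::Socket::SSL->new(
        PeerHost            => $connect_to,
        PeerPort            => 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'none',
    );
}

# Safe alternative 1: keep full validation and state which name to expect
# when it differs from PeerHost.
sub pinned_by_name {
    return IO::Socket::SSL->new(
        PeerHost            => $connect_to,
        PeerPort            => 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'http',
        SSL_verifycn_name   => $expected_name,
    );
}

# Safe alternative 2: pin the exact certificate. With SSL_fingerprint set,
# the library accepts only a certificate whose digest matches the pin.
sub pinned_by_fingerprint {
    return IO::Socket::SSL->new(
        PeerHost        => $connect_to,
        PeerPort        => 443,
        SSL_fingerprint => $pin,
    );
}

for my $try ([ verifycn_name => \&pinned_by_name ],
             [ fingerprint   => \&pinned_by_fingerprint ]) {
    my ($label, $make) = @$try;
    my $sock = $make->();
    if ($sock) {
        printf "%s: connected, peer certificate CN=%s\n",
            $label, $sock->peer_certificate('cn') // '(none)';
        $sock->close;
    }
    else {
        # A name mismatch or a wrong pin ends up here, reported in $SSL_ERROR.
        printf "%s: connection refused: %s\n", $label, $SSL_ERROR // $!;
    }
}
```

Run against a host that presents a certificate for a different name, the `verifycn_name` variant fails unless the name given matches the certificate, and the `fingerprint` variant fails unless the placeholder pin is replaced with the digest of the certificate actually expected; both failures are explicit and visible, which is the point the mail makes about these options being safe.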


