Bug#908027: XML::Stream defaults to verifying certificates but fails to provide a working default ssl_ca_path
Florian Schlichting
fsfs at debian.org
Wed Sep 5 10:28:29 BST 2018
Control: forwarded 908027 https://github.com/dap/XML-Stream/issues/19
Hi gregoa, pkg-perl people,
I was just bitten by this issue, independent from sendxmpp, and I'd like
to revisit it for libxml-stream-perl in Buster and Stretch.
* Chris Hofstaedtler <zeha at debian.org> writes:
> OTOH, XML::Stream then defaults to verifying certificates, if TLS is
> on, but does not provide a default where to find any certificates.
IMHO this is broken by default, and we should provide a default path
to commonly accepted certificates in Debian, i.e. /etc/ssl/certs (or
switch the default for ssl_verify to skip verification, but I think
that's not the Right Thing To Do.)
From the XML::Stream POD:
| "ssl_verify" determines whether peer certificate verification takes place.
| See the documentation for the SSL_verify_mode parameter to
| IO::Socket::SSL->new(). The default value is 0x01 causing
| the server certificate to be verified, and requiring that ssl_ca_path be
| set.
| "ssl_ca_path" should be set to the path to either a directory containing
| hashed CA certificates, or a single file containing acceptable CA
| certificates concatenated together. This parameter is required if
| ssl_verify is set to anything other than 0x00 (no verification)
I've opened an issue on github because I think this set of defaults in
XML::Stream doesn't make sense for anyone, but I would like to fix this in
Debian anyway and preferably also in Stretch.
gregoa, would you agree that this is indeed something that should be
fixed in XML::Stream? You were handling the original bug against
libnet-xmpp-perl / sendxmpp and sounded rather cautious about fixing this
in the library layers...
Florian
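An added example of the caller-side workaround the message is about (example code, not from the bug report, sendxmpp, Net::XMPP or XML::Stream): it passes ssl_ca_path explicitly through Net::XMPP::Client->Connect, which hands tls, ssl_verify and ssl_ca_path down to XML::Stream->Connect and from there to IO::Socket::SSL. The parameter names are the ones from the XML::Stream POD quoted above; /etc/ssl/certs is the Debian CA directory proposed in the message; the hostname is a placeholder read from the command line, so the script needs a reachable XMPP server to do anything.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report, sendxmpp, Net::XMPP or
# XML::Stream: open a STARTTLS XMPP connection whose certificate check has a
# working trust store, by passing ssl_ca_path explicitly instead of relying
# on XML::Stream's default (ssl_verify => 0x01 with no ssl_ca_path at all).
use strict;
use warnings;
use Net::XMPP;

# Assumption: /etc/ssl/certs is the Debian CA directory proposed in the
# report (a directory of hashed CA certs, or a concatenated bundle file).
my $CA_PATH = '/etc/ssl/certs';

# Connect with tls => 1 and an explicit CA path. Net::XMPP::Client passes
# tls, ssl_verify and ssl_ca_path through to XML::Stream->Connect, which
# maps them onto IO::Socket::SSL's SSL_verify_mode / SSL_ca_path.
# Returns the connected client, or undef if the connection (including the
# peer certificate check) failed.
sub connect_verified {
    my ($host, $port) = @_;
    $port ||= 5222;

    my $cnx = Net::XMPP::Client->new();
    my $ok = $cnx->Connect(
        hostname    => $host,
        port        => $port,
        tls         => 1,
        ssl_verify  => 0x01,       # SSL_VERIFY_PEER: verify the server cert
        ssl_ca_path => $CA_PATH,   # without this, 0x01 has nothing to trust
    );
    return unless $ok && $cnx->Connected();
    return $cnx;
}

# For comparison, the call the report describes as broken by default:
# omitting ssl_ca_path leaves ssl_verify at its 0x01 default with no CA
# store behind it. Shown only to make the difference visible; do not use.
#   $cnx->Connect(hostname => $host, port => $port, tls => 1);

my $host = shift @ARGV or die "usage: $0 xmpp.example.org [port]\n";
my $cnx = connect_verified($host, shift @ARGV);
if ($cnx) {
    print "TLS stream to $host established with peer verification\n";
    $cnx->Disconnect();
} else {
    print "connection to $host failed (check ssl_ca_path and the server certificate)\n";
    exit 1;
}
```

The same ssl_ca_path => '/etc/ssl/certs' argument can be handed to XML::Stream->Connect directly when the library is used without Net::XMPP; the parameter names are identical because Net::XMPP only forwards them.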