Bug#954041: cpanoutdated: Please verify server identity via SSL

Felix Lechner felix.lechner at lease-up.com
Mon Mar 16 01:18:48 GMT 2020


Package: cpanoutdated
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny but does not set the
verify_SSL attribute to a true value.

By default, that module does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl

use HTTP::Tiny;

my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
 die "Failed!\n"
    unless $response->{success};

print "$response->{status} $response->{reason}\n";

while (my ($k, $v) = each %{$response->{headers}}) {
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}

print $response->{content}
    if length $response->{content};



More information about the pkg-perl-maintainers mailing list