Bug#954041: cpanoutdated: Please verify server identity via SSL
Felix Lechner
felix.lechner at lease-up.com
Mon Mar 16 01:18:48 GMT 2020
Package: cpanoutdated
Severity: important
Dear maintainer,
Your package uses the Perl module HTTP::Tiny but does not set the
verify_SSL attribute to a true value.
By default, that module does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]
As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]
I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see the
useless and dangerous default by running the script at the end of this
message.
Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Kind regards
Felix Lechner
[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
* * *
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# With the default settings HTTP::Tiny does not verify the server
# certificate, so this request to a self-signed host succeeds.
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
    unless $response->{success};
print "$response->{status} $response->{reason}\n";
while (my ($k, $v) = each %{$response->{headers}}) {
    # Repeated headers come back as an array reference.
    for (ref $v eq 'ARRAY' ? @$v : $v) {
        print "$k: $_\n";
    }
}
print $response->{content}
    if length $response->{content};
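The script below is an added example, not part of Felix Lechner's report or of the cpanoutdated package. It puts the default HTTP::Tiny client beside one constructed with verify_SSL => 1 and runs both against badssl.com's public test hosts, so the difference the report describes is visible in one run. It assumes network access, that IO::Socket::SSL is installed (HTTP::Tiny->can_ssl checks this), and that a CA bundle such as the one from Debian's ca-certificates package is present; the badssl.com hostnames are that site's public test endpoints, not anything from the bug report.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use HTTP::Tiny;

# badssl.com test hosts (assumed reachable). The second column says whether
# a client that verifies the server certificate should accept the host.
my @cases = (
    [ 'https://badssl.com/',             1 ],   # valid chain: should be accepted
    [ 'https://self-signed.badssl.com/', 0 ],   # self-signed: should be rejected
    [ 'https://wrong.host.badssl.com/',  0 ],   # name mismatch: should be rejected
    [ 'https://expired.badssl.com/',     0 ],   # expired: should be rejected
);

# Bail out early if the SSL backend is missing rather than reporting
# every request as a verification failure.
my ( $can_ssl, $why ) = HTTP::Tiny->can_ssl;
die "No SSL support: $why\n" unless $can_ssl;

# Default constructor: encrypts, but does not check who it is talking to.
my $insecure = HTTP::Tiny->new;

# What the bug asks the package to do. HTTP::Tiny then verifies the chain
# and the hostname; the CA bundle comes from SSL_options => { SSL_ca_file }
# if given, otherwise from Mozilla::CA or the system locations it knows about.
my $secure = HTTP::Tiny->new( verify_SSL => 1 );

for my $case (@cases) {
    my ( $url, $expect_ok ) = @$case;
    for my $pair ( [ 'default'    => $insecure ],
                   [ 'verify_SSL' => $secure ] ) {
        my ( $label, $ua ) = @$pair;
        my $r = $ua->head($url);

        # HTTP::Tiny reports transport-level problems, including TLS
        # verification errors, as status 599 with the message in {content}.
        my $outcome;
        if ( $r->{success} ) {
            $outcome = 'accepted';
        }
        else {
            my ($reason) = split /\n/, ( $r->{content} // '' );
            $outcome = "rejected ($r->{status}: $reason)";
        }

        # Flag the combinations where the client's decision is wrong.
        my $verdict = ( $r->{success} ? 1 : 0 ) == $expect_ok ? 'ok' : 'WRONG';
        printf "%-10s %-32s %-5s %s\n", $label, $url, $verdict, $outcome;
    }
}
```

With the default client every row is accepted, including the three hosts whose certificates should not be trusted; with verify_SSL => 1 only https://badssl.com/ is accepted and the other three come back as 599 with the IO::Socket::SSL verification error in the content. If the verifying client also rejects https://badssl.com/, the CA bundle is missing, which is the other failure mode a package enabling verify_SSL needs to account for (on Debian, a dependency on ca-certificates).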