Bug#954111: libsearch-elasticsearch-perl: Please verify server identity via SSL
Felix Lechner
felix.lechner at lease-up.com
Mon Mar 16 22:26:03 GMT 2020
Package: libsearch-elasticsearch-perl
Severity: important
Dear maintainer,
Your package uses the Perl module HTTP::Tiny, but it does not force
the verify_SSL attribute to a true value.
By default, HTTP::Tiny does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]
As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]
Similarly, your documentation states "By default, no validation of the
remote host is performed." [3]
I believe that the encryption of a transmission has no value when
talking to the wrong person. You can easily see HTTP::Tiny's useless
and dangerous default by running the script at the end of this
message.
Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Kind regards
Felix Lechner
[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68
[3] https://metacpan.org/pod/Search::Elasticsearch::Cxn::HTTPTiny
* * *
#!/usr/bin/perl
use HTTP::Tiny;
my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/');
die "Failed!\n"
unless $response->{success};
print "$response->{status} $response->{reason}\n";
while (my ($k, $v) = each %{$response->{headers}}) {
for (ref $v eq 'ARRAY' ? @$v : $v) {
print "$k: $_\n";
}
}
print $response->{content}
if length $response->{content};
More information about the pkg-perl-maintainers
mailing list