Bug#960730: libanyevent-irc-perl: does not verify TLS server certificates
Benjamin Barenblat
bbaren at debian.org
Fri May 15 22:50:30 BST 2020

Package: libanyevent-irc-perl
Version: 0.97-2
Control: tag -1 + upstream
AnyEvent::IRC supports connecting to IRC servers over TLS. When
connecting, though, it does not verify that server certificates are
valid. An invalid TLS certificate is better than no TLS at all, but
users (and many developers) have come to expect that a successful TLS
connection guarantees confidentiality, authenticity, and integrity even
in the face of active interception. AnyEvent::IRC’s behavior is
inconsistent with that expectation.

Ideally, AnyEvent::IRC would refuse to connect to a server unless that
server presents a valid TLS certificate or the API consumer has
explicitly opted out of certificate verification. If backward
compatibility is a concern, AnyEvent::IRC could preserve the
existing behavior by default but allow API consumers to opt in to
certificate verification; this is a smaller improvement, but it would be
an improvement nonetheless.
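As an added illustration (not part of the report and not AnyEvent::IRC's own code), the weak setting beside the corrected one at the AnyEvent::Handle/AnyEvent::TLS layer that AnyEvent::IRC is built on: with `verify => 0` the handshake succeeds against any certificate, with `verify => 1` plus a `peername` it fails unless the chain validates to a trusted CA and the name matches. The server name, port and CA bundle path are assumed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use AnyEvent;
use AnyEvent::Socket qw(tcp_connect);
use AnyEvent::Handle;
use AnyEvent::TLS;

# Assumed values: an IRC server and the conventional IRC-over-TLS port.
my ($host, $port) = ('irc.example.net', 6697);

# Weak setting (what the report describes): any certificate is accepted,
# so an active interceptor presenting its own certificate goes unnoticed.
my $no_verify_ctx = AnyEvent::TLS->new(verify => 0);

# Corrected setting: the chain must validate to a trusted CA and the
# certificate name must match the host we asked for.
my $verify_ctx = AnyEvent::TLS->new(
    verify          => 1,
    verify_peername => 'http',   # hostname matching by the HTTPS rules
    ca_file         => '/etc/ssl/certs/ca-certificates.crt',  # assumed: Debian CA bundle
);

# Connects, starts TLS with the given context and reports the outcome
# through the condvar $done.
sub connect_irc_tls {
    my ($tls_ctx, $done) = @_;
    tcp_connect $host, $port, sub {
        my ($fh) = @_ or return $done->send("tcp connect failed: $!");
        my $hdl;   # closures below hold $hdl so the handle stays alive
        $hdl = AnyEvent::Handle->new(
            fh          => $fh,
            tls         => 'connect',
            tls_ctx     => $tls_ctx,
            peername    => $host,   # name the certificate must match
            on_starttls => sub {
                my (undef, $ok, $err) = @_;
                $done->send($ok ? "handshake ok, certificate accepted"
                                : "handshake rejected: $err");
                $hdl->destroy; undef $hdl;
            },
            on_error => sub {
                my (undef, undef, $msg) = @_;
                $done->send("error: $msg");
                $hdl->destroy; undef $hdl;
            },
        );
    };
}

for my $ctx ($no_verify_ctx, $verify_ctx) {
    my $cv = AnyEvent->condvar;
    connect_irc_tls($ctx, $cv);
    print $cv->recv, "\n";
}
```

Against a server with a self-signed or mismatched certificate the first run prints an accepted handshake and the second a rejection, which is the behaviour the report asks to be the default.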