
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 106711
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: dr1027 [...] evocat.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Subject: Multiple directories in SSL_ca_path
Date: Fri, 28 Aug 2015 17:16:18 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: dr1027 [...] evocat.net
OpenSSL's SSL_CTX_load_verify_locations() accepts a list of directories to search for certificates, e.g. (under Unix) "/home/foo/certs:/etc/ssl/certs". Hence Net::SSLeay::CTX_load_verify_locations does as well. Could IO::Socket::SSL therefore also accept such a list, e.g.

    my $client = IO::Socket::SSL->new(
        ...
        SSL_ca_path => '/home/foo/certs:/etc/ssl/certs',
        ...
    );

Possibly the only changes needed to IO::Socket::SSL are on the checks as to whether SSL_ca_path exists and is accessible. The checks would have to be applied to each directory in SSL_ca_path instead of assuming it is a single directory.

(I appreciate the documentation for CTX_load_verify_locations suggests only a single directory can be given. However, crypto/x509/by_dir.c:add_cert_dir in the OpenSSL source splits up the CA path according to LIST_SEPARATOR_CHAR, defined in e_os.h as ':', ';' or ',' according to OS. This seems to have been the case since OpenSSL v0.9.1c or earlier.)

Thanks,
David

Subject: Re: [rt.cpan.org #106711] AutoReply: Multiple directories in SSL_ca_path
Date: Wed, 16 Sep 2015 16:12:34 +0100
To: Bugs in IO-Socket-SSL via RT <bug-IO-Socket-SSL [...] rt.cpan.org>
From: David Rourke <dr1027 [...] evocat.net>
A workaround is to specify the path via the default_ca() method and not in new():

    IO::Socket::SSL::default_ca(SSL_ca_path => '/home/foo/certs:/etc/ssl/certs');
    my $client = IO::Socket::SSL->new( ... );

David

Thanks for your input. With 2.020 one can now have multiple paths inside SSL_ca_path. From the documentation:

    "SSL_ca_path" can also be an array or a string containing multiple paths, where the paths are separated by the platform-specific separator. This separator is ";" on DOS, Windows, Netware, "," on VMS and ":" for all the other systems. If multiple paths are given, at least one of these must be accessible.
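The per-directory accessibility check David proposes, together with the 2.020 behaviour quoted above (string or array form, at least one directory must be usable), as an added Perl example that is not part of this ticket or of IO::Socket::SSL's own code. It assumes IO::Socket::SSL 2.020 or newer, that $Config{path_sep} matches the separator the module uses (true for Unix ':' and Windows ';'), and uses example.com:443 as a placeholder peer.

```perl
use strict;
use warnings;
use Config;              # $Config{path_sep}: ':' on Unix, ';' on Windows
use IO::Socket::SSL;

# Split an SSL_ca_path value (plain string or array ref) into its directories
# and report which of them are readable directories. This mirrors the check
# IO::Socket::SSL applies per directory since 2.020, so a caller can see
# which entries would be skipped before any connection is attempted.
sub usable_ca_dirs {
    my ($ca_path) = @_;
    my $sep  = $Config{path_sep};   # assumption: same separator the module uses
    my @dirs = ref($ca_path) eq 'ARRAY'
             ? @$ca_path
             : split /\Q$sep\E/, $ca_path;
    my @usable = grep { -d $_ && -r $_ } @dirs;
    return (\@dirs, \@usable);
}

# Constructed example value: a per-user directory that may not exist plus the
# usual system CA directory on Debian-style systems.
my $ca_path = join $Config{path_sep}, '/home/foo/certs', '/etc/ssl/certs';

my ($all, $usable) = usable_ca_dirs($ca_path);
my %ok = map { $_ => 1 } @$usable;
for my $dir (@$all) {
    printf "%-22s %s\n", $dir,
        $ok{$dir} ? 'usable' : 'skipped (not a readable directory)';
}
# Same rule the module enforces: fail early if nothing in the list is usable.
die "no accessible CA directory in SSL_ca_path\n" unless @$usable;

# Connect with the multi-directory path. The string form is used here; the
# array-ref form SSL_ca_path => [ @$all ] is equivalent in 2.020+.
my $client = IO::Socket::SSL->new(
    PeerHost    => 'example.com',   # placeholder host
    PeerPort    => 443,
    SSL_ca_path => $ca_path,
) or die "connect or verification failed: $!, $IO::Socket::SSL::SSL_ERROR\n";

print 'verified peer CN: ', $client->peer_certificate('commonName'), "\n";
$client->close;
```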