Subject: Default CA list should rely on IO::Socket::SSL instead of Mozilla::CA
Date: Wed, 13 Mar 2019 22:50:56 +0100
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: Jérémie Detrey <Jeremie.Detrey [...] loria.fr>
Hi,
When neither SSL_ca_file nor SSL_ca_path is set, LWP::Protocol::https uses
the CA list provided by Mozilla::CA.
IO::Socket::SSL embeds a mechanism for looking for system-dependent
certificate stores (with a fallback to Mozilla::CA if no such store
is available), but this mechanism is bypassed altogether since
LWP::Protocol::https forces the value of SSL_ca_file to
Mozilla::CA::SSL_ca_file().
Changing this behavior in order to rely on the default mechanism
offered by IO::Socket::SSL might improve security, as system-wide
certificate stores will usually be more up-to-date than the
Mozilla::CA Perl package.
Cheers,
Jérémie.
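A short script, added here as an illustration and not part of Jérémie's report or of either module, that shows which CA store IO::Socket::SSL resolves on the local host, contrasts it with the Mozilla::CA bundle, and passes the resolved store to LWP::UserAgent through ssl_opts so that LWP::Protocol::https does not substitute Mozilla::CA::SSL_ca_file(). It assumes that IO::Socket::SSL::default_ca() returns the resolved SSL_ca_file / SSL_ca_path settings as a hash, as its documentation describes.

```perl
#!/usr/bin/env perl
# Added example, not code from the bug report or from LWP/IO::Socket::SSL.
use strict;
use warnings;
use IO::Socket::SSL;
use LWP::UserAgent;

# What IO::Socket::SSL uses when nothing is set: a system-dependent store if
# one was found, otherwise Mozilla::CA. Assumption: default_ca() called with
# no arguments returns the current defaults as a hash of SSL_ca_file and/or
# SSL_ca_path.
my %store = IO::Socket::SSL::default_ca();
printf "IO::Socket::SSL default: %s\n",
    join(', ', map { "$_=$store{$_}" } sort keys %store) || '(none found)';

# The bundle that LWP::Protocol::https forces whenever neither SSL_ca_file
# nor SSL_ca_path is given in ssl_opts.
my $mozilla = eval { require Mozilla::CA; Mozilla::CA::SSL_ca_file() };
printf "Mozilla::CA bundle:      %s\n", $mozilla // '(Mozilla::CA not installed)';

# Hand the resolved store to LWP explicitly so the Mozilla::CA override in
# LWP::Protocol::https is not triggered. If %store is empty (no system store
# and no Mozilla::CA), LWP falls back to Mozilla::CA exactly as before.
# Hostname verification stays on.
my $ua = LWP::UserAgent->new(
    ssl_opts => { %store, verify_hostname => 1 },
);

# Any request made through $ua now verifies peers against %store, e.g.
#   my $res = $ua->get('https://example.org/');
```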