
This queue is for tickets about the LWP-Protocol-https CPAN distribution.

Report information
The Basics
Id: 128831
Status: new
Priority: 0/
Queue: LWP-Protocol-https

People
Owner: Nobody in particular
Requestors: Jeremie.Detrey [...] loria.fr
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)
Subject: Default CA list should rely on IO::Socket::SSL instead of Mozilla::CA
Date: Wed, 13 Mar 2019 22:50:56 +0100
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: Jérémie Detrey <Jeremie.Detrey [...] loria.fr>
Hi,

When no SSL_ca_file nor SSL_ca_path is set, LWP::Protocol::https uses the CA list provided by Mozilla::CA.

IO::Socket::SSL embeds a mechanism for looking for system-dependent certificate stores (with a fallback to Mozilla::CA if no such store is available), but this mechanism is bypassed altogether since LWP::Protocol::https forces the value of SSL_ca_file to Mozilla::CA::SSL_ca_file().

Changing this behavior in order to rely on the default mechanism offered by IO::Socket::SSL might improve security, as system-wide certificate stores will usually be more up-to-date than the Mozilla::CA Perl package.

Cheers,
Jérémie.
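The following Perl script is an added illustration, not part of the ticket or of the LWP-Protocol-https distribution: it shows which CA source IO::Socket::SSL's own default mechanism would pick on the running system, compares it with the Mozilla::CA bundle that LWP::Protocol::https substitutes today, and builds an LWP::UserAgent that opts into the IO::Socket::SSL choice explicitly by passing it through ssl_opts. It assumes an installed IO::Socket::SSL that provides IO::Socket::SSL::default_ca(), and an optional URL on the command line.

```perl
#!/usr/bin/env perl
# Added example (not from the ticket or the LWP-Protocol-https project).
use strict;
use warnings;
use IO::Socket::SSL;   # default_ca() assumed available in the installed version
use Mozilla::CA;
use LWP::UserAgent;

# What IO::Socket::SSL would use on its own: a system certificate store if it
# finds one, otherwise the Mozilla::CA bundle. Returns SSL_ca_file and/or
# SSL_ca_path keys.
my %system_ca = IO::Socket::SSL::default_ca();

# What LWP::Protocol::https forces when neither option is given (per the ticket).
my $mozilla_ca_file = Mozilla::CA::SSL_ca_file();

printf "Mozilla::CA bundle:        %s\n", $mozilla_ca_file;
for my $key (sort keys %system_ca) {
    printf "IO::Socket::SSL %-12s %s\n", "$key:", $system_ca{$key};
}

if (%system_ca && ($system_ca{SSL_ca_file} // '') ne $mozilla_ca_file) {
    print "System store found; IO::Socket::SSL would not use Mozilla::CA here.\n";
} else {
    print "No system store found; IO::Socket::SSL falls back to Mozilla::CA too.\n";
}

# Opt into the IO::Socket::SSL choice explicitly. Because SSL_ca_file/SSL_ca_path
# are now set in ssl_opts, LWP::Protocol::https no longer substitutes Mozilla::CA.
# If %system_ca is empty the substitution still happens, which is the fallback
# the ticket describes.
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
        %system_ca,
    },
);

# Optional connectivity check against a URL given as the first argument (assumed).
if (my $url = shift @ARGV) {
    my $res = $ua->get($url);
    print $res->status_line, "\n";
}
```

Running it with no argument only reports the two CA sources; a mismatch between the two lines is exactly the situation the ticket describes, where the system store is ignored by default.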