
This queue is for tickets about the LWP-Protocol-https CPAN distribution.

Report information
The Basics
Id: 43733
Status: resolved
Priority: 0/
Queue: LWP-Protocol-https

People
Owner: Nobody in particular
Requestors: antonio [...] dyne.org
Cc: 507402 [...] bugs.debian.org
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



CC: 507402 [...] bugs.debian.org
Subject: LWP::Protocol::https/_check_sock() has insufficient certificate checking
Forwarding from http://bugs.debian.org/507402 --- Forwarded from Ubuntu #198874 (https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):

The reporter states:

"See LWP::Protocol::https class, the _check_sock function: we don't execute $sock->get_peer_verify before checking the cert's subject against $req->header("If-SSL-Cert-Subject"). $sock->get_peer_verify gets called only *after* we have pushed all of our request to the server (possibly containing critical data including passwords) -- that is BAAAAD.

Basically, all of that renders SSL support in LWP::UserAgent not only meaningless, but also gives the user the impression of security, which is not only bad, but almost a malicious thing to do.

More experimentation has shown that this only happens when doing "use IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows the opposite behaviour: unverified server certs are NEVER accepted.

I don't even know how to set the verification level, and neither does it seem to be documented what exactly gets verified.... (server name at least?? How about redirects?....)

Please fix this and/or report it upstream because I consider it a major issue."
migrated queues: libwww-perl -> LWP-Protocol-https
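The ordering problem the report describes, shown side by side with the safe ordering, as an added example (this is not code from LWP::Protocol::https or from the reporter). It uses IO::Socket::SSL directly: in the verified variant the chain and hostname are checked inside the TLS handshake, so a peer presenting a bad certificate never receives a single request byte; the unverified variant reproduces the pattern the report objects to, where the request (credentials included) is written first and the certificate subject is inspected afterwards. The host name, CA bundle path and request body are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not LWP::Protocol::https code: verify the peer during the
# handshake so nothing is sent to an unverified server.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE $SSL_ERROR);

# Assumed values: host and CA bundle path are illustrative only.
my $host    = 'login.example';
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';

# Safe ordering: IO::Socket::SSL validates the certificate chain against
# $ca and checks the hostname (RFC 2818 rules) as part of the handshake.
# If either fails, new() returns undef and no application data was written.
sub verified_https_socket {
    my ($peer, $ca) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $peer,
        PeerPort            => 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,  # chain must validate
        SSL_ca_file         => $ca,              # against this trust store
        SSL_verifycn_scheme => 'http',           # hostname must match
        SSL_verifycn_name   => $peer,
    ) or die "TLS handshake failed, nothing sent: $SSL_ERROR\n";
    return $sock;
}

# Unsafe ordering, kept only to make the leak visible: any certificate is
# accepted, the request goes out, and only then is the subject compared.
# By the time the regex fails, whoever answered already has the password.
sub unverified_then_check {
    my ($peer, $subject_re, $request) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $peer,
        PeerPort        => 443,
        SSL_verify_mode => SSL_VERIFY_NONE,      # accept any certificate
    ) or die "connect failed: $SSL_ERROR\n";
    print $sock $request;                        # credentials already sent
    my $subject = $sock->peer_certificate('subject');
    die "Bad SSL certificate subject: '$subject' !~ /$subject_re/\n"
        unless $subject =~ /$subject_re/;
    return $sock;
}

# Constructed request carrying credentials (illustrative body).
my $body    = 'user=alice&password=s3cret';
my $request = join "\r\n",
    "POST /session HTTP/1.1",
    "Host: $host",
    "Content-Type: application/x-www-form-urlencoded",
    "Content-Length: " . length($body),
    "Connection: close",
    "",
    $body;

# Only the verified path is exercised; the unverified function exists to
# show the order of operations the report considers broken.
my $sock = verified_https_socket($host, $ca_file);
print $sock $request;
while (my $line = <$sock>) {
    print $line;
    last if $line =~ /^\r?$/;   # stop after the response headers
}
close $sock;
```

At the LWP::UserAgent level the same handshake-time verification is requested with `ssl_opts => { verify_hostname => 1, SSL_ca_file => $ca_file }` (LWP 6.x), which hands these options through to IO::Socket::SSL; an `If-SSL-Cert-Subject` header checked after the request has been written adds nothing that the handshake check does not already guarantee earlier.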
Subject: Bug#507402: Info received ([rt.cpan.org #43733] LWP::Protocol::https/_check_sock() has insufficient certificate checking)
Date: Wed, 25 Jan 2017 21:51:03 +0000
To: bug-libwww-perl [...] rt.cpan.org
From: owner [...] bugs.debian.org (Debian Bug Tracking System)
Thank you for the additional information you have supplied regarding this Bug report.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>

If you wish to submit further information on this problem, please send it to 507402@bugs.debian.org.

Please do not send mail to owner@bugs.debian.org unless you wish to report a problem with the Bug-tracking system.

-- 
507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
Subject: Bug#507402: Info received ([rt.cpan.org #43733] LWP::Protocol::https/_check_sock() has insufficient certificate checking)
Date: Fri, 31 Mar 2017 19:42:06 +0000
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: owner [...] bugs.debian.org (Debian Bug Tracking System)
Thank you for the additional information you have supplied regarding this Bug report.

This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>

If you wish to submit further information on this problem, please send it to 507402@bugs.debian.org.

Please do not send mail to owner@bugs.debian.org unless you wish to report a problem with the Bug-tracking system.

-- 
507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems