Bug #57649 for XML-Stream: Does not verify the remote SSL certificate

Thu May 20 00:21:25 2010 andersk [...] mit.edu - Ticket created

Subject:

Does not verify the remote SSL certificate

XML::Stream creates all SSL connections with SSL_verify_mode=>0x00. This is a security vulnerability, since it does not verify the remote SSL certificate, letting any attacker perform a man-in-the-middle attack on the connection. If SSL is requested, XML::Stream should verify the SSL certificate by default (perhaps with an additional option to disable verification, to be used only for testing purposes).

Tue Jun 15 22:13:26 2010 dapatrick [...] cpan.org - Correspondence added

Anders, Sorry for taking so long to get back to you. Yes, indeed this is a problem and I will fix it immediately. I'll let you know when a fix has been committed to trunk. I plan on publishing a new release before the end of the week. Darian

Tue Jun 15 22:13:27 2010 The RT System itself - Status changed from 'new' to 'open'

Tue Jun 15 22:13:31 2010 dapatrick [...] cpan.org - Taken

Tue Jun 15 22:13:55 2010 dapatrick [...] cpan.org - Severity Important changed to Critical

Wed Sep 15 21:38:10 2010 dapatrick [...] cpan.org - Correspondence added

Hi Anders, I'm preparing the a developer release of XML::Stream. The following commit includes a fix for the issue you've reported: http://github.com/dap/XML-Stream/commit/127866e35e993279d769ed7c05bbdb1a7d85f9be I have a couple of other issues to take care of, then this release will be published to CPAN as XML-Stream-1.23_02. In the meantime, feel free to clone the repo and give it a test. I will be pushing corresponding changes to Net::XMPP shortly. Best, Darian

Wed Sep 15 21:38:11 2010 dapatrick [...] cpan.org - Status changed from 'open' to 'patched'

Mon Sep 20 15:29:39 2010 dapatrick [...] cpan.org - Fixed in 1.23_02 added

Mon Dec 22 16:34:35 2014 dapatrick [...] cpan.org - Status changed from 'patched' to 'resolved'

Bug #57649 for XML-Stream: Does not verify the remote SSL certificate

Preferred bug tracker