CC: Daniel Kahn Gillmor <dkg [...] fifthhorseman.net>, 606058 [...] bugs.debian.org
Subject: IO::Socket::SSL ignores user request for peer verification
Date: Mon, 6 Dec 2010 07:55:46 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Salvatore Bonaccorso <carnil [...] debian.org>
Hi Daniel, Hi Steffen
Daniel Kahn Gillmor reported to our bug tracker in Debian the report
below (see: http://bugs.debian.org/606058). Steffen, what do you
think would be best?
Bests
Salvatore
----- Forwarded message from Daniel Kahn Gillmor <dkg@fifthhorseman.net> -----
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>,
606058@bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Sun, 05 Dec 2010 20:42:23 -0500
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user
request for peer verification
Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch, security
Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.
This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.
It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.
While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.
I'm attaching two (mutually exclusive) patches to resolve this.
The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.
The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.
Of the two patches, i prefer no-default-ca-certs.patch.
The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.
--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay
ii netbase 4.43 Basic TCP/IP networking system
ii perl 5.10.1-16 Larry Wall's Practical Extraction
Versions of packages libio-socket-ssl-perl recommends:
ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn
Versions of packages libio-socket-ssl-perl suggests:
pn libio-socket-inet6-perl <none> (no description available)
-- no debconf information
diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
+ carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+ $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+ if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+ return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+ }
} else {
return IO::Socket::SSL->error("Invalid certificate authority locations");
}
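Review bot: the `|| '/etc/ssl/certs'` fallback in the retried CTX_load_verify_locations call is redundant, because the preceding line has just assigned that exact value to $arg_hash->{SSL_ca_path}; the larger concern is that this hard-codes a Debian-specific directory into the upstream module (the report itself notes it is "managed by the sysadmin on debian systems"), so on other platforms verification would silently run against a location that may not exist. Make the default overridable (a package-level variable or constructor argument) and document it next to SSL_ca_path, and drop the trailing space in "Error loading default ca_path /etc/ssl/certs ".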
diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
my $verify_mode = $arg_hash->{SSL_verify_mode};
if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
- ! Net::SSLeay::CTX_load_verify_locations(
+ ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+ ! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
- if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
- } else {
- return IO::Socket::SSL->error("Invalid certificate authority locations");
- }
+ return IO::Socket::SSL->error("Invalid certificate authority locations");
}
if ($arg_hash->{'SSL_check_crl'}) {
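Review bot: with the new `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} )` guard, a caller who sets SSL_verify_mode but no CA location now skips CTX_load_verify_locations entirely and keeps the requested $verify_mode, so the handshake fails closed unless an SSL_verify_callback accepts the chain; that is the intended fix, but the removed carp was the only hint such a caller got, and they will now see an opaque handshake failure. Keep a warning for the "verify requested, no trust store" case, or at least document under SSL_verify_mode that verification without SSL_ca_file/SSL_ca_path rejects every peer.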
_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers
----- End forwarded message -----
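A caller-side mitigation for the fail-open behaviour described in the report, as an added example that is not part of the bug report or of IO::Socket::SSL itself: the hypothetical `secure_client` wrapper refuses to connect without a readable CA directory (defaulting to the /etc/ssl/certs path the report mentions), turns the module's "No certificate verification" carp into a fatal error so an unpatched 1.34 can never silently drop to VERIFY_NONE, and assumes the SSL_verifycn_scheme/SSL_verifycn_name options are available.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or the module: a TLS client
# wrapper that fails closed even where IO::Socket::SSL 1.34 would fail open.
use strict;
use warnings;
use IO::Socket::SSL;

# SSL_verify_mode bits: 0x01 = verify peer, 0x02 = fail if no peer certificate.
use constant VERIFY_PEER_REQUIRED => 0x01 | 0x02;   # the 0x03 from the report

sub secure_client {
    my (%opt) = @_;
    # Mitigation: never construct the socket without a trust store, so the
    # "neither SSL_ca_file nor SSL_ca_path known" branch cannot be reached.
    my $ca_path = $opt{ca_path} || '/etc/ssl/certs';  # Debian ca-certificates dir
    die "refusing to connect: CA directory '$ca_path' is not readable\n"
        unless -d $ca_path && -r $ca_path;

    # Detection: the unpatched module only carps when it downgrades to
    # VERIFY_NONE. Make that specific warning fatal instead of advisory.
    local $SIG{__WARN__} = sub {
        my $msg = shift;
        die "refusing to fail open: $msg" if $msg =~ /No certificate verification/;
        warn $msg;
    };

    my $sock = IO::Socket::SSL->new(
        PeerHost            => $opt{host},
        PeerPort            => $opt{port} || 443,
        SSL_verify_mode     => VERIFY_PEER_REQUIRED,
        SSL_ca_path         => $ca_path,
        SSL_verifycn_scheme => 'http',       # also match the cert to the host name
        SSL_verifycn_name   => $opt{host},
    ) or die "TLS connect to $opt{host} failed: ", IO::Socket::SSL->errstr, "\n";

    # A verified session must carry a peer certificate; treat its absence as an error.
    my $subject = $sock->peer_certificate('subject')
        or die "no peer certificate on a supposedly verified session\n";
    return ($sock, $subject);
}

my ($sock, $subject) = secure_client(host => $ARGV[0] || 'example.org');
print "connected with ", $sock->get_cipher, "; peer subject: $subject\n";
$sock->close;
```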