
This queue is for tickets about the HTTP-Tiny CPAN distribution.

Report information
The Basics
Id: 66907
Status: resolved
Priority: 0
Queue: HTTP-Tiny

People
Owner: Nobody in particular
Requestors: ABH [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 0.011
Fixed in: (no value)
Subject: No certificate validation

Skimming the code it appears that HTTP::Lite will accept any SSL certificate as long as the common name matches. It should also - by default - validate against some reasonable root certificate list. Either system provided or for example the Mozilla ones (distributed on CPAN as Mozilla::CA).

This is a "Tiny" module and there is no plan to support that feature. I have added a note in the Limitations documentation section about the lack of CA support.

Subject: Re: [rt.cpan.org #66907] No certificate validation
Date: Thu, 31 Mar 2011 22:45:20 +0200
To: bug-HTTP-Tiny [...] rt.cpan.org
From: Ask Bjørn Hansen <ask [...] perl.org>
On Mar 31, 2011, at 21:45, David Golden via RT wrote:

> <URL: https://rt.cpan.org/Ticket/Display.html?id=66907 >
>
> This is a "Tiny" module and there is no plan to support that feature. I
> have added a note in the Limitations documentation section about the
> lack of CA support.

The support is already built into the ::SSL stuff. You just need the appropriate parameter (or at least support passing it). Many will say that SSL support is pretty pointless without it. (LWP almost had a CVE issued for not doing this right; fixed in 6.0).

Subject: Re: [rt.cpan.org #66907] No certificate validation
Date: Thu, 31 Mar 2011 17:51:42 -0400
To: bug-HTTP-Tiny [...] rt.cpan.org
From: David Golden <dagolden [...] cpan.org>
On Thu, Mar 31, 2011 at 5:02 PM, ask@perl.org via RT <bug-HTTP-Tiny@rt.cpan.org> wrote:

> Queue: HTTP-Tiny
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=66907 >
>
> On Mar 31, 2011, at 21:45, David Golden via RT wrote:
>
>> <URL: https://rt.cpan.org/Ticket/Display.html?id=66907 >
>>
>> This is a "Tiny" module and there is no plan to support that feature. I
>> have added a note in the Limitations documentation section about the
>> lack of CA support.
>
> The support is already built into the ::SSL stuff. You just need the appropriate parameter (or at least support passing it). Many will say that SSL support is pretty pointless without it. (LWP almost had a CVE issued for not doing this right; fixed in 6.0).

As I understand it, LWP's issue was not checking the name match, the CA stuff wasn't the crux of the CVE.

FWIW, the debian-perl folks are considering patching LWP to use debian's existing CA tools instead of adding a new dependency on Mozilla::CA. Ultimately, choice of CA's should be up to the user. I'm not convinced that Mozilla::CA is the right approach. When the CA controversy shakes out, I might reconsider adding it to HTTP::Tiny.

My default reaction to feature requests for any Tiny module is "no". If CA authentication is important, people should use LWP, not HTTP::Tiny.

-- David

I've done additional research and concluded that there are too many variations in how someone might choose to define a level of trust to just default to Mozilla::CA. (E.g. cert revocation lists are not included, I believe.) Likewise, OpenSSL docs get into issues about certificate chain length and other minutia. All of these factors have convinced me that anything more than naive server certificate verification (i.e. "do we have a secure connection") is inappropriate for HTTP::Tiny. There are other modules on CPAN for those who need to ensure particular validation semantics. I'm going to close this ticket.
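The two levels of verification the thread contrasts, as an added example that is not HTTP::Tiny's own code: an IO::Socket::SSL connection opened with the permissive setting that accepts any certificate, beside one that validates the server chain against the Mozilla::CA bundle and checks the certificate name against the intended host. The host name is an assumed placeholder.

```perl
#!/usr/bin/env perl
# Added example, not code from HTTP::Tiny: opening a TLS connection with
# IO::Socket::SSL in the permissive mode the report describes (any
# certificate accepted) and in fully verified mode (chain validated against
# the Mozilla::CA bundle, name checked against the intended host).
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE SSL_VERIFY_PEER);
use Mozilla::CA;    # provides Mozilla::CA::SSL_ca_file(), the bundle path

# Returns ($socket, undef) on success or (undef, $error) on failure.
sub open_tls {
    my ($host, $verify) = @_;
    my %opts = (PeerHost => $host, PeerPort => 443);
    if ($verify) {
        # Reject the handshake unless the chain validates to a trusted root
        # AND the certificate names the host we meant to reach. Either check
        # alone is insufficient: a valid cert for the wrong name, or a
        # self-signed cert with the right name, must both fail.
        $opts{SSL_verify_mode}     = SSL_VERIFY_PEER;
        $opts{SSL_ca_file}         = Mozilla::CA::SSL_ca_file();
        $opts{SSL_verifycn_scheme} = 'http';   # RFC 2818 rules: SAN/CN, wildcards
        $opts{SSL_verifycn_name}   = $host;
    } else {
        # Weak setting: the handshake succeeds with any certificate at all.
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE;
    }
    my $sock = IO::Socket::SSL->new(%opts)
        or return (undef, $IO::Socket::SSL::SSL_ERROR);
    return ($sock, undef);
}

my $host = shift @ARGV || 'www.example.com';    # assumed placeholder host

for my $verify (0, 1) {
    my ($sock, $err) = open_tls($host, $verify);
    my $label = $verify ? 'verified' : 'unverified';
    if (!$sock) {
        print "$label: handshake refused: $err\n";
        next;
    }
    printf "%s: connected; peer subject=%s issuer=%s\n", $label,
        $sock->peer_certificate('subject'), $sock->peer_certificate('issuer');
    close $sock;
}
```

Against a host presenting a self-signed certificate or one issued for a different name, the unverified branch connects while the verified branch is refused, which is exactly the gap the original report describes.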