
This queue is for tickets about the Event-RPC CPAN distribution.

Report information
The Basics
Id: 83095
Status: resolved
Priority: 0/
Queue: Event-RPC

People
Owner: Nobody in particular
Requestors: moritz [...] bunkus.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.01
Fixed in: (no value)



Subject: IO::Socket::SSL complains about SSL_verify_mode
Current versions of IO::Socket::SSL complain loudly with the following message if Event::RPC::Client is called with ssl set to 1:

*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 together with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
 at /usr/share/perl5/site_perl/Event/RPC/Client.pm line 105.

I checked Event::RPC::Client::connect and there's indeed no way to set any of IO::Socket::SSL's options relevant for certificate verification and handling.

The caller of Event::RPC::Client should really be able to set those to whatever is appropriate for the application, so please don't just "fix" it by passing SSL_verify_mode=>SSL_VERIFY_NONE.

Thanks for the report. Security issues are always important!

I added two options to Event::RPC::Client to handle SSL peer verification: ssl_ca_file & ssl_ca_path. New version has just been uploaded to CPAN. You can fetch it from here as well: http://www.exit1.org/packages/Event-RPC/dist/Event-RPC-1.03.tar.gz
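
Added example, not part of the ticket and not Event::RPC's own code: a sketch of how a client wrapper can pass caller-supplied ssl_ca_file / ssl_ca_path through to IO::Socket::SSL with SSL_VERIFY_PEER, and refuse to fall back to SSL_VERIFY_NONE on its own. The helper name ssl_connect_args, the insecure_no_verify option, the host name and the CA path are assumptions made for illustration.

```perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and SSL_VERIFY_NONE

# Hypothetical helper (not Event::RPC code): map caller-facing options
# to the arguments an RPC client would hand to IO::Socket::SSL->new.
sub ssl_connect_args {
    my (%opt) = @_;
    my %args = ( PeerHost => $opt{host}, PeerPort => $opt{port} );

    if ( defined $opt{ssl_ca_file} or defined $opt{ssl_ca_path} ) {
        # Caller supplied trust anchors: verify the chain and the host name.
        $args{SSL_verify_mode}     = SSL_VERIFY_PEER;
        $args{SSL_verifycn_scheme} = 'default';
        $args{SSL_verifycn_name}   = $opt{host};
        for my $key (qw(ssl_ca_file ssl_ca_path)) {
            next unless defined $opt{$key};
            ( my $ssl_key = $key ) =~ s/^ssl_/SSL_/;
            $args{$ssl_key} = $opt{$key};
        }
    }
    elsif ( $opt{insecure_no_verify} ) {
        # Hypothetical explicit opt-out: the application chose this itself.
        $args{SSL_verify_mode} = SSL_VERIFY_NONE;
    }
    else {
        # Never fall back to SSL_VERIFY_NONE silently.
        die "ssl requested without ssl_ca_file or ssl_ca_path\n";
    }
    return %args;
}

# Constructed sample input; host and CA path are placeholders.
my %verified = ssl_connect_args(
    host        => 'rpc.example.test',
    port        => 5555,
    ssl_ca_file => '/etc/ssl/certs/example-ca.pem',
);
printf "%-20s %s\n", $_, $verified{$_} for sort keys %verified;

my %none = eval { ssl_connect_args( host => 'rpc.example.test', port => 5555 ) };
print "refused: $@" if $@;
```

The returned list is what would be passed to IO::Socket::SSL->new; setting SSL_verifycn_scheme and SSL_verifycn_name alongside SSL_VERIFY_PEER makes the host name check explicit rather than relying on the installed module's default.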