Subject: Question about warning in configure_SSL()
Hello,
I use this module in my Net-FTPSSL CPAN module & I've been getting questions about a message that pops up when I attempt to open a data channel using the same context as the command channel. [Bug Id 84376]. This happens when I call start_SSL($socket, \%opts), which then calls configure_SSL($opts).
Where: %opts = ( SSL_reuse_ctx => ${*$obj}{_SSL_ctx} );
This code has been working great until the recent addition of this warning in configure_SSL() starting in version 1.79. And part of the context in this case is SSL_verify_mode == 1. (SSL_VERIFY_PEER)
My goal here is to eliminate this warning from my code since I'm worried that a future change to your module will otherwise break my code. But I'm concerned there may be a bug in your logic that throws this warning by mistake & may cause issues when you finally implement the changes this warning addresses.
Your documentation from v1.85 says that SSL_reuse_ctx causes all options from SSL_version to SSL_check_crl to be inherited from the parent SSL context. [18 options in all.] SSL_verify_mode is one of them. So shouldn't the test also include the presence of SSL_reuse_ctx as well? You wouldn't have to expand on the test since you could rely on the creation of the original SSL socket to fail instead if it didn't set SSL_verify_mode like your warning states.
Existing Test:

    if ( ! $is_server
         and ! exists $arg_hash->{SSL_verify_mode}
         and $default_args{SSL_verify_mode} == SSL_VERIFY_NONE ) {

Proposed Test:

    if ( ! $is_server
         and ! exists $arg_hash->{SSL_reuse_ctx}
         and ! exists $arg_hash->{SSL_verify_mode}
         and $default_args{SSL_verify_mode} == SSL_VERIFY_NONE ) {
If this isn't enough, feel free to figure out how to check if SSL_verify_mode is set in the specified context yourself. I'd be interested in seeing how that's done myself.
Curtis
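Added example (not from the message above and not IO::Socket::SSL's own code): a stand-alone Perl script that models the warning test as a function and compares the proposed "skip when SSL_reuse_ctx is present" rule with the stronger variant the message asks about, reading the verify mode out of the reused context. The function names should_warn_verify_mode and verify_mode_of_context are hypothetical; the assumption that an IO::Socket::SSL::SSL_Context object keeps its Net::SSLeay CTX under $ctx->{context} is marked in the code, and the sample contexts are constructed plain hashes so the script runs without OpenSSL.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same numeric values as in Net::SSLeay / IO::Socket::SSL.
use constant SSL_VERIFY_NONE => 0;
use constant SSL_VERIFY_PEER => 1;

# Hypothetical stand-in for the warning test in configure_SSL():
# returns 1 when the "SSL_verify_mode is NONE" warning should fire, 0 otherwise.
sub should_warn_verify_mode {
    my ($arg_hash, $default_args, $is_server) = @_;

    return 0 if $is_server;                            # only clients are warned
    return 0 if exists $arg_hash->{SSL_verify_mode};   # caller chose explicitly

    # A reused context carries its own verify mode, so the default for a
    # freshly built context does not apply. Inspect the context when possible
    # so a parent created with SSL_VERIFY_NONE still triggers the warning.
    if (my $ctx = $arg_hash->{SSL_reuse_ctx}) {
        my $mode = verify_mode_of_context($ctx);
        return 0 if !defined $mode;                    # cannot inspect: trust the context
        return $mode == SSL_VERIFY_NONE ? 1 : 0;
    }

    return $default_args->{SSL_verify_mode} == SSL_VERIFY_NONE ? 1 : 0;
}

# Read the verify mode of a reused context.
# Assumption: an IO::Socket::SSL::SSL_Context object stores its Net::SSLeay
# CTX in $ctx->{context}. For this offline example a plain hash carrying a
# 'verify_mode' key is accepted as a constructed stand-in.
sub verify_mode_of_context {
    my ($ctx) = @_;
    return $ctx->{verify_mode}
        if ref($ctx) eq 'HASH' && exists $ctx->{verify_mode};
    if (ref($ctx) && $ctx->{context} && eval { require Net::SSLeay; 1 }) {
        return Net::SSLeay::CTX_get_verify_mode($ctx->{context});
    }
    return undef;
}

# Constructed inputs mirroring the FTPS data-channel situation.
my %default_args = ( SSL_verify_mode => SSL_VERIFY_NONE );

my %plain      = ();                                                       # warns
my %reuse_peer = ( SSL_reuse_ctx => { verify_mode => SSL_VERIFY_PEER } ); # silent
my %reuse_none = ( SSL_reuse_ctx => { verify_mode => SSL_VERIFY_NONE } ); # warns

for my $case ( [ plain => \%plain ], [ reuse_peer => \%reuse_peer ],
               [ reuse_none => \%reuse_none ] ) {
    my ($name, $args) = @$case;
    printf "%-10s warn=%d\n", $name,
        should_warn_verify_mode($args, \%default_args, 0);
}
```

The third case is the one a plain "! exists $arg_hash->{SSL_reuse_ctx}" clause would silently pass: the command channel was built without verification, so inheriting its context leaves the data channel unverified too, and reading the mode back from the context keeps the warning honest there.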