Bug#507402: LWP::Protocol::https/_check_sock() has insufficient certificate checking

Daniel T Chen crimsun at fungus.sh.nu
Sun Nov 30 21:42:21 UTC 2008


Package: libwww-perl
Version: 5.820-1

Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):

The reporter states:
"See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header("If-SSL-Cert-Subject").

$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAAAAD. Basically, all of that renders SSL support 
in LWP::UserAgent not only meaningless, but also gives the user 
impression of security, which is not only bad, but almost a malicious 
thing to do.

More experimentation has shown that this only happens when doing "use 
IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level und neither seems to 
be documented what exactly gets verified.... (server name at least?? How 
about redirects?....)

Please fix this and/or report it upstream because I consider it a major 
issue."





More information about the pkg-perl-maintainers mailing list