Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Dec 6 01:42:23 UTC 2010


Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch , security

Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.

This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.

It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.

While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.

I'm attaching two (mutually exclusive) patches to resolve this.

The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.

The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.

Of the two patches, i prefer no-default-ca-certs.patch.

The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.

           --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl            1.36-1     Perl module for Secure Sockets Lay
ii  netbase                       4.43       Basic TCP/IP networking system
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl          0.12.ds-1+b1 Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl       <none>     (no description available)

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: default-to-etc-ssl-certs.patch
Type: text/x-diff
Size: 1025 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101205/5010363c/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: no-default-ca-certs.patch
Type: text/x-diff
Size: 909 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101205/5010363c/attachment-0001.patch>
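A client-side guard that makes the fallback described above unreachable by refusing to connect until a trust store is configured, written as an added example (not dkg's patches or the module's own code). It assumes the four-argument SSL_verify_callback form and uses /etc/ssl/certs from the report; the host is a placeholder.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_FAIL_IF_NO_PEER_CERT);

# Build the option list for IO::Socket::SSL->new, but die unless a CA store
# is supplied: the module's "no ca_file/ca_path => drop verify_mode" fallback
# (the bug reported above) then can never silently disable verification.
sub strict_ssl_opts {
    my (%opt) = @_;
    die "refusing to connect: no SSL_ca_file or SSL_ca_path configured\n"
        unless defined $opt{SSL_ca_file} or defined $opt{SSL_ca_path};
    return (
        %opt,
        # 0x03 from the report: verify the peer, fail if it sends no cert.
        SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
        # Called once per chain element; returning $ok keeps OpenSSL's
        # verdict, returning 0 would reject the certificate.
        SSL_verify_callback => sub {
            my ($ok, $store, $certname, $error) = @_;
            warn "verify: $certname => " . ($ok ? 'ok' : "FAILED ($error)") . "\n";
            return $ok;
        },
    );
}

# Placeholder host (RFC 2606 reserved name); override on the command line.
my $host = $ARGV[0] || 'example.invalid';
my $sock = IO::Socket::SSL->new(
    strict_ssl_opts(
        PeerHost    => $host,
        PeerPort    => 443,
        SSL_ca_path => '/etc/ssl/certs',   # populated by ca-certificates on Debian
    ),
) or die "TLS connection to $host failed: " . IO::Socket::SSL::errstr() . "\n";

print "verified peer: ", $sock->peer_certificate('subject'), "\n";
$sock->close;
```

Removing the SSL_ca_path line makes the script die before any socket is opened, which is the fail-closed behaviour the report asks the module itself to adopt.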