Bug#606243: IO::Socket::SSL fails when verify_callback is supplied without ca_path or ca_file

Salvatore Bonaccorso carnil at debian.org
Wed Dec 8 15:05:57 UTC 2010 

Hi!

Daniel Kahn Gillmor reported the message below to the Debian
bugtracker [1]. If one explicitly supply a verify_callback but do not
pass ca_file and ca_path locations or the default are not populated,
then IO::Socket::SSL will trow error 'Invalid certificate authority
locations'.

Would it make sense, to allow, if a user is suppliying an own
verify_callback to IO::Socket::SSL then to not fail?

 [1] http://bugs.debian.org/606243

Thanks for your comments.

Bests
Salvatore

----- Forwarded message from Daniel Kahn Gillmor <dkg at fifthhorseman.net> -----

From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <dkg at fifthhorseman.net>,
	606243 at bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Tue, 07 Dec 2010 13:41:21 -0500
To: Debian Bug Tracking System <submit at bugs.debian.org>
Subject: Bug#606243: libio-socket-ssl-perl: IO::Socket::SSL fails when
	verify_callback is supplied without ca_path or ca_file

Package: libio-socket-ssl-perl
Version: 1.35-1
Severity: normal
Tags: patch

if i supply a verify_callback to IO::Socket::SSL, but fail to supply
ca_file or ca_path (and the default ca_file and ca_path locations are
not populated), initialization fails.

This is silly because i'm using my own verify_callback, and so i
don't need to give OpenSSL a ca_file or ca_path.

The attached patch fixes it for me.

    --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl            1.36-1     Perl module for Secure Sockets Lay
ii  netbase                       4.43       Basic TCP/IP networking system
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl          0.12.ds-1+b1 Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl       <none>     (no description available)

-- no debconf information

diff --git a/SSL.pm b/SSL.pm
index ee2d85e..0cd640b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1366,7 +1366,8 @@ sub new {
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
 		! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
-		return IO::Socket::SSL->error("Invalid certificate authority locations");
+		return IO::Socket::SSL->error("Invalid certificate authority locations")
+                  if (! defined $arg_hash->{SSL_verify_callback});
 	}
 
 	if ($arg_hash->{'SSL_check_crl'}) {

_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintainers at lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers

----- End forwarded message -----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: allow-verify-callback-without-ca-file.patch
Type: text/x-diff
Size: 558 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101208/ca197fe0/attachment.patch>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20101208/ca197fe0/attachment.pgp>

More information about the pkg-perl-maintainers mailing list