Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LWP::Protocol::https/_check_sock() has insufficient certificate checking [rt.cpan.org #43733] #40

Open
oalders opened this issue Mar 31, 2017 · 0 comments
Open

LWP::Protocol::https/_check_sock() has insufficient certificate checking [rt.cpan.org #43733] #40

oalders opened this issue Mar 31, 2017 · 0 comments

Comments

@oalders
Copy link
Member

oalders commented Mar 31, 2017

Migrated from rt.cpan.org#43733 (status was 'open')

Requestors:

From antonio@dyne.org on 2009-02-28 12:30:17:

Forwarding from http://bugs.debian.org/507402
---

Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):

The reporter states:
"See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header("If-SSL-Cert-Subject").

$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAAAAD. Basically, all of that renders SSL support 
in LWP::UserAgent not only meaningless, but also gives the user 
impression of security, which is not only bad, but almost a malicious 
thing to do.

More experimentation has shown that this only happens when doing "use 
IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level und neither seems to 
be documented what exactly gets verified.... (server name at least?? How 
about redirects?....)

Please fix this and/or report it upstream because I consider it a major 
issue."

From ether@cpan.org on 2017-01-25 21:41:06:

migrated queues: libwww-perl -> LWP-Protocol-https

From 507402@bugs.debian.org on 2017-01-25 22:16:28:

Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>

If you wish to submit further information on this problem, please
send it to 507402@bugs.debian.org.

Please do not send mail to owner@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@oalders