Your message dated Mon, 06 Dec 2010 10:02:20 +0000
with message-id <[email protected]>
and subject line Bug#606058: fixed in libio-socket-ssl-perl 1.35-1
has caused the Debian Bug report #606058,
regarding libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
606058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch, security
Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.
This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.
It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.
While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.
I'm attaching two (mutually exclusive) patches to resolve this.
The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.
The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.
Of the two patches, i prefer no-default-ca-certs.patch.
The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.
--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay
ii netbase 4.43 Basic TCP/IP networking system
ii perl 5.10.1-16 Larry Wall's Practical Extraction
Versions of packages libio-socket-ssl-perl recommends:
ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn
Versions of packages libio-socket-ssl-perl suggests:
pn libio-socket-inet6-perl <none> (no description available)
-- no debconf information
diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
+ carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+ $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+ if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+ return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+ }
} else {
return IO::Socket::SSL->error("Invalid certificate authority locations");
}
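Review bot: the fallback trust root is hard-coded as `/etc/ssl/certs` inside library code on the `+ $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';` line; that is a Debian packaging layout, not something the module or OpenSSL knows about, so consider asking OpenSSL for its compiled-in default store (SSL_CTX_set_default_verify_paths) or making the directory a package-level default the caller can override, and state the fallback in the POD, since a silent change of trust root is exactly what the report objects to. Minor: on the retry line the `|| '/etc/ssl/certs'` is redundant because SSL_ca_path was assigned on the previous line, and the error string has a stray trailing space before the closing quote.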
diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
my $verify_mode = $arg_hash->{SSL_verify_mode};
if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
- ! Net::SSLeay::CTX_load_verify_locations(
+ ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+ ! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
- if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
- } else {
- return IO::Socket::SSL->error("Invalid certificate authority locations");
- }
+ return IO::Socket::SSL->error("Invalid certificate authority locations");
}
if ($arg_hash->{'SSL_check_crl'}) {
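Review bot: folding `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} )` into the `if` condition means a caller that sets SSL_verify_mode without either location now gets a context with no trust roots loaded, so the handshake fails with an unknown-issuer error unless an SSL_verify_callback overrides the verdict; that is the intended fail-closed behaviour, but the removed carp was the only hint a user got about the missing CA configuration, so the change needs a POD note saying that a CA location is required for any verify_mode other than VERIFY_NONE, and the accompanying test suite should gain a case that asserts the handshake is refused in that situation so the old fail-open cannot quietly come back.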
--- End Message ---
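A canary check a deployer could run to confirm whether the verification requested from IO::Socket::SSL is actually enforced (an added example, not code from the report or from the module; it assumes a TLS host and port given on the command line and the /etc/ssl/certs directory named in the report):

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of IO::Socket::SSL itself.
# Canary check: a verify callback that rejects every certificate must make
# the handshake fail; if the connection still comes up, the requested
# verification is not being enforced (the fail-open the report describes).
use strict;
use warnings;
use IO::Socket::SSL;

# Assumed inputs: a TLS host and port on the command line, and the Debian
# ca-certificates directory named in the report.
my $host    = $ARGV[0] || 'example.com';
my $port    = $ARGV[1] || 443;
my $ca_path = '/etc/ssl/certs';

# One connection attempt; returns whether it connected and the error if not.
sub probe {
    my (%opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr        => $host,
        PeerPort        => $port,
        SSL_verify_mode => 0x03,   # VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT
        %opts,
    );
    return { connected => $sock ? 1 : 0,
             error     => $sock ? '' : IO::Socket::SSL::errstr() };
}

my $reject_all = sub { return 0 };   # never accept any certificate

my @cases = (
    # [ label, expected outcome, extra options ]
    [ 'no CA location, reject-all callback', 'must NOT connect',
        { SSL_verify_callback => $reject_all } ],
    [ 'SSL_ca_path set, reject-all callback', 'must NOT connect',
        { SSL_ca_path => $ca_path, SSL_verify_callback => $reject_all } ],
    [ 'SSL_ca_path set, no callback', 'connects only if chain validates',
        { SSL_ca_path => $ca_path } ],
);

for my $case (@cases) {
    my ($label, $expect, $opts) = @$case;
    my $r = probe(%$opts);
    printf "%-40s connected=%d (%s) %s\n",
        $label, $r->{connected}, $expect, $r->{error};
}
# With the 1.34 behaviour described in the report, the first case comes up
# connected=1 despite the reject-all callback: verify_mode was silently
# reset to VERIFY_NONE because no CA location was given.
```

A connected=1 result in the first case is the fail-open condition; after the fix, both callback cases must be refused.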
--- Begin Message ---
Source: libio-socket-ssl-perl
Source-Version: 1.35-1
We believe that the bug you reported is fixed in the latest version of
libio-socket-ssl-perl, which is due to be installed in the Debian FTP archive:
libio-socket-ssl-perl_1.35-1.debian.tar.gz
to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1.debian.tar.gz
libio-socket-ssl-perl_1.35-1.dsc
to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1.dsc
libio-socket-ssl-perl_1.35-1_all.deb
to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35-1_all.deb
libio-socket-ssl-perl_1.35.orig.tar.gz
to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.35.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
libio-socket-ssl-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 06 Dec 2010 10:48:05 +0100
Source: libio-socket-ssl-perl
Binary: libio-socket-ssl-perl
Architecture: source all
Version: 1.35-1
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libio-socket-ssl-perl - Perl module implementing object oriented interface to SSL sockets
Closes: 606058
Changes:
libio-socket-ssl-perl (1.35-1) unstable; urgency=low
.
* New upstream release (Closes: #606058).
* Refresh debian/copyright: Update copyright information for debian/*
packaging stanza.
--- End Message ---