Your message dated Thu, 09 Dec 2010 14:47:34 +0000
with message-id <[email protected]>
and subject line Bug#606058: fixed in libio-socket-ssl-perl 1.33-1+squeeze1
has caused the Debian Bug report #606058,
regarding libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
606058: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606058
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch, security
Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.
This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.
It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.
While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.
I'm attaching two (mutually exclusive) patches to resolve this.
The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.
The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.
Of the two patches, i prefer no-default-ca-certs.patch.
The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.
--dkg
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay
ii netbase 4.43 Basic TCP/IP networking system
ii perl 5.10.1-16 Larry Wall's Practical Extraction
Versions of packages libio-socket-ssl-perl recommends:
ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn
Versions of packages libio-socket-ssl-perl suggests:
pn libio-socket-inet6-perl <none> (no description available)
-- no debconf information
diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
+ carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+ $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+ if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+ return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+ }
} else {
return IO::Socket::SSL->error("Invalid certificate authority locations");
}
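Review bot: the retry on the `+ if ( ! Net::SSLeay::CTX_load_verify_locations(...)` line carries a dead fallback: `$arg_hash->{SSL_ca_path}` was assigned '/etc/ssl/certs' on the line above, so the `|| '/etc/ssl/certs'` in that call can never take effect and should be dropped to keep the intent readable. The literal '/etc/ssl/certs' is repeated three times in the hunk (carp text, assignment, error string); hoist it into one variable so a port to a non-Debian layout changes it in one place, and strip the trailing space inside `"Error loading default ca_path /etc/ssl/certs "`. The `carp` still fires on a successful fallback, which is fine, since the caller should learn that a trust store was chosen for them, but the message text should make clear that verification stays enabled, unlike the removed warning it replaces.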
diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
my $verify_mode = $arg_hash->{SSL_verify_mode};
if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
- ! Net::SSLeay::CTX_load_verify_locations(
+ ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+ ! Net::SSLeay::CTX_load_verify_locations(
$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
- if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
- carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
- $verify_mode = Net::SSLeay::VERIFY_NONE();
- } else {
- return IO::Socket::SSL->error("Invalid certificate authority locations");
- }
+ return IO::Socket::SSL->error("Invalid certificate authority locations");
}
if ($arg_hash->{'SSL_check_crl'}) {
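Review bot: the new `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and` guard means that, when neither is supplied, `CTX_load_verify_locations` is never called and `$verify_mode` reaches the rest of `new` exactly as the caller set it; unless the module populates the context's trust store elsewhere (for example via `Net::SSLeay::CTX_set_default_verify_paths`, which is not visible in this hunk), the store is empty and every handshake with SSL_verify_mode != VERIFY_NONE will fail closed with a verification error. That is the safe direction and matches the reporter's intent, but it is a behaviour change for callers who relied on the old silent downgrade and needs a sentence in the POD and changelog. The collapse of the inner `if/else` to a single `return IO::Socket::SSL->error("Invalid certificate authority locations")` is correct: the only remaining failure mode is `load_verify_locations` rejecting user-supplied paths.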
--- End Message ---
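The defensive pattern the report argues for, as an added example in Perl (not code from the bug report, the patches or the package): the client always supplies an explicit trust store so the downgrade branch in affected 1.3x versions is never reached, and it turns the module's "No certificate verification" carp into a fatal error in case it is. The `verified_client` helper, the host and port, and the Debian path /etc/ssl/certs are assumptions; the constant names are those of Net::SSLeay.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or the package: a client that
# never "fails open" with IO::Socket::SSL 1.3x.  Two layers of defence:
#  1. always pass an explicit trust store (SSL_ca_path), so the branch that
#     downgraded $verify_mode to VERIFY_NONE is never reached;
#  2. promote the module's "No certificate verification" carp() to a fatal
#     error, so an unexpected downgrade aborts instead of connecting anyway.
use strict;
use warnings;
use IO::Socket::SSL;
use Net::SSLeay;

# The downgrade in the affected versions is announced only by this carp()
# text (see the removed line in the first patch); treat it as fatal.
local $SIG{__WARN__} = sub {
    my ($msg) = @_;
    die "refusing to continue: $msg" if $msg =~ /No certificate verification/;
    warn $msg;
};

# Hypothetical helper: connect to host:port with full peer verification.
sub verified_client {
    my (%opt) = @_;
    my $mode = Net::SSLeay::VERIFY_PEER()
             | Net::SSLeay::VERIFY_FAIL_IF_NO_PEER_CERT();    # the 0x03 of the report
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $opt{host},
        PeerPort            => $opt{port},
        SSL_verify_mode     => $mode,
        # Explicit trust store: the ca-certificates directory on Debian
        # (assumed path; adjust for other systems).
        SSL_ca_path         => $opt{ca_path} // '/etc/ssl/certs',
        # verify_mode validates the chain only; also bind the certificate
        # to the name we dialled.
        SSL_verifycn_scheme => 'http',
        SSL_verifycn_name   => $opt{host},
    ) or die "TLS handshake/verification failed: $IO::Socket::SSL::SSL_ERROR\n";

    # Belt and braces: a verified session must carry a peer certificate.
    die "no peer certificate presented\n"
        unless defined $sock->peer_certificate('owner');
    return $sock;
}

my $s = verified_client(host => 'example.org', port => 443);
printf "connected; peer owner: %s\n", $s->peer_certificate('owner');
$s->close;
```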
--- Begin Message ---
Source: libio-socket-ssl-perl
Source-Version: 1.33-1+squeeze1
We believe that the bug you reported is fixed in the latest version of
libio-socket-ssl-perl, which is due to be installed in the Debian FTP archive:
libio-socket-ssl-perl_1.33-1+squeeze1.diff.gz
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1.diff.gz
libio-socket-ssl-perl_1.33-1+squeeze1.dsc
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1.dsc
libio-socket-ssl-perl_1.33-1+squeeze1_all.deb
  to main/libi/libio-socket-ssl-perl/libio-socket-ssl-perl_1.33-1+squeeze1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated
libio-socket-ssl-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Thu, 09 Dec 2010 10:56:23 +0100
Source: libio-socket-ssl-perl
Binary: libio-socket-ssl-perl
Architecture: source all
Version: 1.33-1+squeeze1
Distribution: testing-proposed-updates
Urgency: low
Maintainer: Debian Perl Group <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Description:
libio-socket-ssl-perl - Perl module implementing object oriented interface to SSL sockets
Closes: 606058
Changes:
libio-socket-ssl-perl (1.33-1+squeeze1) testing-proposed-updates; urgency=low
.
* Change my email address.
* Patch SSL.pm to fix vulnerability with IO::Socket::SSL verify peer
mode which is ignored if no cert is supplied. This is CVE-2010-4334.
(Closes: #606058).
--- End Message ---