Package: libnet-ldap-perl
Version: 1:0.4300-1
Severity: important
Tags: patch
Hi,

libnet-ldap-perl 0.4300-1 has a regression: it breaks calls to start_tls() completely and issues warnings on every LDAPS connection.

The culprit is the addition of the parameter SSL_verifycn_scheme => "ldap" to the SSL context in _SSL_context_init_args().

I see two alternative solutions to fix the issue:

A) revert this addition
   This is done by the attached patch.

B) fix the issue by using the commit
   https://github.com/marschap/perl-ldap/commit/a3c4f7fe85129b036d915c9064752d9b542ad803
   from my perl-ldap github repo, which I already proposed to put upstream in a pull request to G. Barr.

Comparison of the two alternatives:

Solution A) completely restores the situation of pre-0.43 releases, but leaves a risk of MITM attacks by not checking the host names in the certificates against the hostname an application connects to.

Solution B) mitigates this risk by doing the hostname verification, but may break applications that rely on the insecure behaviour. In addition to that: there's no guarantee that solution B) will be incorporated upstream.

Nevertheless I personally prefer B) ;-)

Best
Peter

PS: I am not sure if the potential security aspects should increase the severity even more.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.0.0-1-686-pae (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnet-ldap-perl depends on:
ii  libconvert-asn1-perl        0.22-1     Perl module for encoding and decod
ii  libwww-perl                 6.02-1     simple and consistent interface to
ii  perl [libmime-base64-perl]  5.12.4-4   Larry Wall's Practical Extraction

libnet-ldap-perl recommends no packages.

Versions of packages libnet-ldap-perl suggests:
ii  libauthen-sasl-perl         2.1500-1    Authen::SASL - SASL Authentication
ii  libio-socket-ssl-perl       1.44-1      Perl module implementing object or
ii  liburi-perl                 1.59-1      module to manipulate and access UR
ii  libxml-parser-perl          2.41-1      Perl module for parsing XML files
ii  libxml-sax-perl             0.96+dfsg-2 Perl module for using and building
ii  perl [libdigest-md5-perl]   5.12.4-4    Larry Wall's Practical Extraction

-- no debconf information
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm --- a/lib/Net/LDAP.pm +++ b/lib/Net/LDAP.pm @@ -230,7 +230,6 @@ sub _SSL_context_init_args { SSL_verify_mode => $verify, SSL_version => defined $arg->{'sslversion'} ? $arg->{'sslversion'} : 'sslv2/3', - SSL_verifycn_scheme => "ldap", ); }
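Review bot: Removing `SSL_verifycn_scheme => "ldap"` from _SSL_context_init_args() takes out the only directive in this SSL context that asks IO::Socket::SSL to match the server certificate against a hostname, so the MITM caveat the report states for alternative A) applies to exactly this hunk. If the revert is the route taken, the changelog entry (or a comment at this spot in the argument list) should say that LDAPS and start_tls() connections no longer check certificate hostnames, so applications know the check is theirs to do; the remaining `SSL_verify_mode => $verify` only controls chain validation, not name matching. While touching these lines, the visible default `SSL_version => ... : 'sslv2/3'` deserves a second look in the same pass.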
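A client-side check that closes the gap the report describes for alternative A), written as an added example (not code from the report or from the perl-ldap project): it connects with certificate validation and then matches the peer certificate against the hostname with IO::Socket::SSL's verify_hostname() using the 'ldap' scheme. The hostname, the CA file path, and the assumption that Net::LDAP's socket() returns the upgraded IO::Socket::SSL object after start_tls() are mine, not the page's.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or perl-ldap): connect over LDAPS
# with certificate validation, then check the server certificate's name
# against the host we connected to. Hostname and CA file are placeholders.
use strict;
use warnings;
use Net::LDAP;
use IO::Socket::SSL;   # provides verify_hostname() on the SSL socket

my $host   = 'ldap.example.com';                       # placeholder
my $cafile = '/etc/ssl/certs/ca-certificates.crt';     # placeholder CA bundle

# verify => 'require' makes Net::LDAP demand a certificate that chains to
# $cafile. With the pre-0.43 SSL context (alternative A) that is all it
# does: the certificate name is never compared with $host.
my $ldap = Net::LDAP->new($host,
    scheme => 'ldaps',
    verify => 'require',
    cafile => $cafile,
) or die "LDAPS connect to $host failed: $@";

# Explicit hostname check: IO::Socket::SSL's verify_hostname() applies the
# 'ldap' scheme (CN / subjectAltName matching rules for LDAP servers) to
# the peer certificate. This is the check alternative A) leaves out.
my $sock = $ldap->socket;
unless ($sock->verify_hostname($host, 'ldap')) {
    $ldap->disconnect;
    die "certificate presented by $host does not match hostname '$host'";
}

# Same pattern for a plain ldap:// connection upgraded with start_tls().
# Assumption: start_tls() upgrades the socket in place, so socket() now
# returns the IO::Socket::SSL object.
my $ldap2 = Net::LDAP->new($host, scheme => 'ldap')
    or die "LDAP connect to $host failed: $@";
my $mesg = $ldap2->start_tls(verify => 'require', cafile => $cafile);
die 'start_tls failed: ' . $mesg->error if $mesg->code;
unless ($ldap2->socket->verify_hostname($host, 'ldap')) {
    $ldap2->disconnect;
    die "certificate presented by $host does not match '$host' (STARTTLS)";
}
print "TLS established and hostname verified for $host\n";
```

Run it against a server whose certificate carries a different name to see the die() fire; with a matching certificate both connections survive the check.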