gregor herrmann wrote:
> On Fri, 19 Sep 2008 14:19:57 +0200, Christopher Odenbach wrote:
>
> [Full quote for the release team.]
>
>>>> are there any chances to get the new libio-socket-ssl-perl from sid into
>>>> lenny before release? After which period of time of being in sid do
>>>> packages automatically enter testing?
>>> I'm afraid the chances are very low.
>>> Lenny has been frozen since 27th July [0], which means that packages move from
>>> sid to lenny only after a manual approval by the release team. The
>>> current guidelines for freeze exception from 1st December can be
>>> found at [0] and [1], and I think that libio-socket-ssl-perl does not
>>> qualify [2].
>> Well, the changes in IO::Socket::SSL really are quite security-related.
>> If you have a look at e.g. the Net::LDAP documentation, it says:
>>
>> ===
>> First of all, LDAPS can solve the problem of verifying that you are
>> connected to the correct server. When the client and server connect,
>> they perform a special SSL 'handshake', part of which involves the
>> server and client exchanging cryptographic keys, which are described
>> using X.509 certificates. If the client wishes to confirm that it is
>> connected to the correct server, all it needs to do is verify the
>> server's certificate which is sent in the handshake. This is done in two
>> ways:
>>
>> 1. check that the certificate is signed (trusted) by someone that you
>> trust, and that the certificate hasn't been revoked. For instance, the
>> server's certificate may have been signed by Verisign
>> (www.verisign.com), and you decide that you want to trust Verisign to
>> sign legitimate certificates.
>> 2. check that the least-significant cn RDN in the server's
>> certificate's DN is the fully-qualified hostname of the hostname that
>> you connected to when creating the LDAPS object. For example if the
>> server is <cn=ldap.example.com,ou=My department,o=My company>, then the
>> RDN to check is cn=ldap.example.com.
>>
>> You can do this by using the cafile and capath options when creating a
>> Net::LDAPS object, and by setting the verify option to 'require'.
>> ===
>>
>> Without the new version of IO::Socket::SSL the last sentence is WRONG:
>> Setting the verify option to 'require' just makes sure that point 1 is
>> checked correctly. BUT: There is absolutely no code in Net::LDAP that
>> checks point 2! Even worse: As a user of Net::LDAP you really have no
>> chance at all to check the hostname yourself, as there is no hook in the
>> code which would enable you to do so.
>>
>> The new version of IO::Socket::SSL includes the necessary code to
>> enable other modules to verify the hostname. If a module does not do
>> this, IO::Socket::SSL falls back to the default of verifying the
>> hostname if 'require' is on - so it does exactly what the Net::LDAP
>> documentation states.
>>
>> This is of course at first a bug in Net::LDAP (either in the
>> documentation or in the implementation), but IO::Socket::SSL does help
>> other modules a lot by implementing the necessary code for hostname
>> verification.
>
> I see your point.
>
>> If you do not think that you can help, who should I talk to about this
>> matter? This is definitely not only about Net::LDAP but about every
>> single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP,
>> LDAP, IMAP, POP, SMTP, ...).
>
> It's the decision of the release team, therefore I'm cc'ing them and
> ask for their opinion instead of guessing what they may think :)
>
> (Thread starting at http://lists.debian.org/debian-perl/2008/09/msg00121.html
> )
Please provide a diff with all the whitespace changes in SSL.pm stripped.

Cheers

Luk
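The two checks the quoted Net::LDAP documentation describes, written out against the IO::Socket::SSL API the thread is about (an added example, not code from the thread, from Net::LDAP or from the Debian package; the hostname, port and Debian CA-bundle path are assumptions):

```perl
#!/usr/bin/perl
# Added example (not from the thread or from Net::LDAP/IO::Socket::SSL):
# open an LDAPS connection and insist on BOTH checks from the Net::LDAP
# documentation: (1) the chain is signed by a CA we trust, and (2) the
# certificate's name matches the host we actually dialled.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Returns the connected IO::Socket::SSL object, or dies with the reason
# the connection was refused. $cafile is a PEM bundle of trusted CAs.
sub connect_ldaps_verified {
    my ($host, $port, $cafile) = @_;
    $port ||= 636;

    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        SSL_ca_file         => $cafile,          # point 1: trust anchors
        SSL_verify_mode     => SSL_VERIFY_PEER,  # point 1: verify the chain
        SSL_verifycn_scheme => 'ldap',           # point 2: CN/SAN rules for LDAP
        SSL_verifycn_name   => $host,            # point 2: the name we expect
        Timeout             => 10,
    ) or die "LDAPS connection to $host:$port refused: "
           . ($IO::Socket::SSL::SSL_ERROR || $!) . "\n";

    return $sock;
}

# For a socket that a module built with chain verification only (the
# situation described for Net::LDAP), the same name check can be applied
# after the handshake; this is the hook the thread says was missing.
sub hostname_matches {
    my ($sock, $host) = @_;
    return $sock->verify_hostname($host, 'ldap') ? 1 : 0;
}

if (!caller) {
    # Assumed defaults: the thread's example hostname and Debian's CA bundle.
    my $host   = $ARGV[0] || 'ldap.example.com';
    my $cafile = $ARGV[1] || '/etc/ssl/certs/ca-certificates.crt';
    my $sock   = connect_ldaps_verified($host, 636, $cafile);
    printf "connected; server certificate subject: %s\n",
        $sock->peer_certificate('subject');
    printf "hostname re-check: %s\n",
        hostname_matches($sock, $host) ? 'ok' : 'MISMATCH';
    $sock->close(SSL_ctx_free => 1);
}
```

With SSL_VERIFY_PEER alone the handshake still succeeds against a server presenting any trusted certificate for some other name; only the SSL_verifycn_* options (or the explicit verify_hostname call) reject that case.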

