Re: [PATCH] send-email: improve SSL certificate verification

Torsten Bögershausen Mon, 15 Jul 2013 19:34:24 -0700

[snip]
I wasn't sure where to apply the patch, so I manually copy/paste it
on top of pu:
commit 6b1ca0f4d443ee8716857b871b0513ae85c9f112
Merge: bce90ab f351fcf


Thanks, t9001 passes on Mac OS X 10.6.
To be sure I didn't messed it up, please see the diff below.
When it shows up on pu, I can re-test of course.



diff --git a/git-send-email.perl b/git-send-email.perl
index a9a6661..a965b8e 100755
--- a/git-send-email.perl
+++ b/git-send-email.perl
@@ -28,7 +28,7 @@ use File::Temp qw/ tempdir tempfile /;
 use File::Spec::Functions qw(catfile);
 use Error qw(:try);
 use Git;
-use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
+#use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
 
 Getopt::Long::Configure qw/ pass_through /;
 
@@ -1092,19 +1092,34 @@ sub smtp_auth_maybe {
 # Helper to come up with SSL/TLS certification validation params
 # and warn when doing no verification
 sub ssl_verify_params {
-    if ($smtp_ssl_verify == 0) {
-        return (SSL_verify_mode => IO::Socket::SSL->SSL_VERIFY_NONE);
+    require IO::Socket::SSL;
+    eval {
+        IO::Socket::SSL->import(qw/SSL_VERIFY_PEER SSL_VERIFY_NONE/);
+    };
+    if ($@) {
+        print STDERR "Not using SSL_VERIFY_PEER due to out-of-date 
IO::Socket::SSL.\n";
+        return;
     }
 
-    if (! defined $smtp_ssl_cert_path) {
-        return (SSL_verify_mode => IO::Socket::SSL->SSL_VERIFY_PEER);
-    } elsif (-f $smtp_ssl_cert_path) {
-        return (SSL_verify_mode => IO::Socket::SSL->SSL_VERIFY_PEER,
-            SSL_ca_file => $smtp_ssl_cert_path);
-    } else {
-        return (SSL_verify_mode => IO::Socket::SSL->SSL_VERIFY_PEER,
+    if (!defined $smtp_ssl_cert_path) {
+        $smtp_ssl_cert_path ||= "/etc/ssl/certs";
+    }
+
+    if (!$smtp_ssl_cert_path) {
+        return (SSL_verify_mode => SSL_VERIFY_NONE());
+    }
+    elsif (-d $smtp_ssl_cert_path) {
+        return (SSL_verify_mode => SSL_VERIFY_PEER(),
             SSL_ca_path => $smtp_ssl_cert_path);
     }
+    elsif (-f $smtp_ssl_cert_path) {
+        return (SSL_verify_mode => SSL_VERIFY_PEER(),
+            SSL_ca_file => $smtp_ssl_cert_path);
+    }
+    else {
+        print STDERR "Not using SSL_VERIFY_PEER because the CA path does not 
exist.\n";
+        return (SSL_verify_mode => SSL_VERIFY_NONE());
+    }
 }
 
 # Returns 1 if the message was sent, and 0 otherwise.
@@ -1229,13 +1244,8 @@ X-Mailer: git-send-email $gitversion
                 if ($smtp->code == 220) {
                     $smtp = Net::SMTP::SSL->start_SSL($smtp,
                                       ssl_verify_params())
-                        or die "STARTTLS failed! ".$smtp->message;
-                    $smtp_encryption = '';
-                    # Send EHLO again to receive fresh
-                    # supported commands
-                    $smtp->hello($smtp_domain);
-                } else {
-                    die "Server does not support STARTTLS! ".$smtp->message;
+                        or die "STARTTLS failed! ".$smtp->message;
+
                 }
             }
         }

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] send-email: improve SSL certificate verification

Reply via email to