Excerpts from Chris Ridd's message of 2011-08-03 11:27:03 -0700:
> The patch looks good to me, I think it should go in. Does it force a
> new minimum version of IO::Socket::SSL?
It looks like perl-ldap currently depends on IO::Socket::SSL version 0.93 or greater. The feature my patch uses appears to have been introduced in version 1.14 of IO::Socket::SSL:

  v1.14
    - added support for verification of hostname from certificate including
      subjectAltNames, support for IDN etc based on patch and input from
      christopher[AT]odenbachs[DOT]de and achim[AT]grolmsnet[DOT]de.
      It is also possible to get more information from peer_certificate
      based on this patch. See documentation for peer_certificate and
      verify_hostname
    - automatic verification of hostnames with SSL_verifycn_scheme and
      SSL_verifycn_name

though there's a security bugfix in v1.26 that would be nice to have if we want to advertise more complete certificate validation.

  v1.26 2009.07.03
    - SECURITY BUGFIX! fix Bug in verify_hostname_of_cert where it matched
      only the prefix for the hostname when no wildcard was given, e.g.
      www.example.org matched against a certificate with name www.exam in it
      Thanks to MLEHMANN for reporting

(from http://cpan.uwinnipeg.ca/htdocs/IO-Socket-SSL/Changes.html)

Specifying v1.26 as the new minimum version of IO::Socket::SSL is one way to handle that issue. In a quick test I did just now, it seems that IO::Socket::SSL is content to ignore options that it doesn't understand in the options hash that my patch modifies, so the patch wouldn't necessarily cause perl-ldap to break against older versions of IO::Socket::SSL; it'd just fail to validate the certificate, as it does now. I'd prefer to require a more recent version of IO::Socket::SSL, since that seems like a more complete fix, but I guess that's up to the maintainers and not me. :-)

I suppose that this change will also break installations running with broken certificates and verify => 'optional' or verify => 'require'. I don't think that's a reason to avoid the change, but it should probably be featured prominently in the changelog so it doesn't surprise anyone.
Thanks,
-- 
Kevan Carstensen <kacarsten...@csupomona.edu>
Operating Systems Analyst, I&IT Systems, Cal Poly Pomona
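The v1.26 changelog entry quoted above describes the failure mode in one line: with no wildcard in the certificate name, the old check accepted any hostname that merely started with that name. The following is an added illustration for this page, not code from IO::Socket::SSL, perl-ldap or any participant in the thread, and it is written in Python rather than Perl purely so it runs stand-alone. It reimplements a simplified hostname check twice, once with the pre-v1.26 prefix bug and once with exact label matching, and runs both against a constructed list of certificate names. The wildcard rule (a single `*` that must be the whole leftmost label and matches exactly one label), the helper names and the sample names are all assumptions made for the example; only the shape of the bug comes from the changelog.

```python
# Added example: simplified reimplementation of the hostname check discussed
# in the IO::Socket::SSL v1.26 changelog. Not code from IO::Socket::SSL or
# perl-ldap. The only fact taken from the thread is the bug shape: without a
# wildcard, a certificate name was accepted whenever it was a prefix of the
# hostname. The wildcard rule and the sample names below are assumptions.


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def _match_wildcard(hostname: str, cert_name: str) -> bool:
    """Assumed wildcard rule: '*' may only be the whole leftmost label and
    stands for exactly one label, so '*.example.org' covers 'www.example.org'
    but not 'example.org' or 'a.b.example.org'."""
    h, c = _labels(hostname), _labels(cert_name)
    if c[0] != "*" or any("*" in label for label in c[1:]):
        return False
    return len(h) == len(c) and h[0] != "" and h[1:] == c[1:]


def match_buggy(hostname: str, cert_name: str) -> bool:
    """Pre-v1.26 behaviour as the changelog describes it: with no wildcard,
    the certificate name only had to be a prefix of the hostname."""
    if "*" in cert_name:
        return _match_wildcard(hostname, cert_name)
    return hostname.lower().startswith(cert_name.lower())


def match_fixed(hostname: str, cert_name: str) -> bool:
    """Post-v1.26 behaviour: with no wildcard, the names must agree label for
    label (case-insensitively, trailing dot ignored)."""
    if "*" in cert_name:
        return _match_wildcard(hostname, cert_name)
    return _labels(hostname) == _labels(cert_name)


def verify_hostname(hostname: str, cert_names: list[str], matcher=match_fixed) -> bool:
    """Accept the certificate if any of its names (CN plus subjectAltName
    dNSName entries) matches the hostname we connected to."""
    return any(matcher(hostname, name) for name in cert_names)


# Constructed certificate name list (a CN plus two subjectAltName entries);
# nothing here comes from a real certificate.
CERT_NAMES = ["www.exam", "*.example.net", "ldap.example.com"]


def demo() -> dict[str, tuple[bool, bool]]:
    """Return {hostname: (buggy_result, fixed_result)} for a few hostnames,
    so the effect of the v1.26 fix can be seen side by side."""
    hosts = ["www.example.org", "www.exam", "ldap.example.com",
             "login.example.net", "a.b.example.net", "example.net"]
    return {h: (verify_hostname(h, CERT_NAMES, match_buggy),
                verify_hostname(h, CERT_NAMES, match_fixed)) for h in hosts}


if __name__ == "__main__":
    for host, (buggy, fixed) in demo().items():
        print(f"{host:20} buggy={buggy!s:5} fixed={fixed}")
```

Running it shows that `www.example.org` is accepted by the buggy check against a certificate issued for `www.exam` and rejected by the fixed one, while the legitimate exact and wildcard matches behave identically under both. That is why the message argues for raising perl-ldap's minimum IO::Socket::SSL to v1.26 rather than v1.14: a minimum of v1.14 would enable hostname verification but still let a prefix-named certificate through.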