Hi Daniel, Hi Steffen

Daniel Kahn Gillmor reported the bug below to the Debian bug tracker
(see: http://bugs.debian.org/606058). Steffen, what do you think would
be best?

Bests
Salvatore

----- Forwarded message from Daniel Kahn Gillmor <d...@fifthhorseman.net> -----

From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <d...@fifthhorseman.net>,
        606...@bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Sun, 05 Dec 2010 20:42:23 -0500
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user
        request for peer verification

Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch , security

Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail
verification if no peer certificate exists), these requests are
removed unless i also supply either ca_file or ca_path.

This is demonstrably the wrong behavior if (for example) the user
supplies a verify_callback.

It also means that IO::Socket::SSL "fails open" if the user simply
forgets to supply information about the acceptable set of "trusted"
CAs -- which seems like a particularly bad thing for a module whose
explicit purpose is improving communications security.

While i'm glad that the module carps that it is failing open, there is
nothing in the documentation to suggest that this behavior will
happen, and, well, it just seems wrong that it happens in the first
place.

I'm attaching two (mutually exclusive) patches to resolve this.

The first patch (default-to-etc-ssl-certs.patch) is less aggressive --
if the user sets verify_mode to a non-zero value, but does not supply
either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this
is managed by the sysadmin on debian systems, and is usually populated
by the ca-certificates package.

The second patch (no-default-ca-certs.patch) simply doesn't check for
this condition at all, and allows the underlying library to make the
decision.

Of the two patches, i prefer no-default-ca-certs.patch.

The documentation makes references to ca/ and certs/my-ca.pem -- if
these are actually used by the tool, then no-default-ca-certs.patch is
definitely the way to go.

           --dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl            1.36-1     Perl module for Secure Sockets Lay
ii  netbase                       4.43       Basic TCP/IP networking system
ii  perl                          5.10.1-16  Larry Wall's Practical Extraction 

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl          0.12.ds-1+b1 Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl       <none>     (no description available)

-- no debconf information

_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintain...@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers

----- End forwarded message -----
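A client-side guard for the behaviour the report describes, as an added example (mine, not dkg's or the module's code): on an unpatched IO::Socket::SSL 1.34 it turns the fail-open carp quoted in the patches into a hard error and always passes an explicit CA location; the host name is a placeholder, and `/etc/ssl/certs` is the Debian ca-certificates directory the report mentions.

```perl
#!/usr/bin/perl
# Added example, not part of the bug report or of IO::Socket::SSL itself.
# IO::Socket::SSL 1.34 carps "No certificate verification because neither
# SSL_ca_file nor SSL_ca_path known" and silently drops to VERIFY_NONE when
# a CA location is missing.  This wrapper refuses to proceed if that warning
# is ever emitted and always supplies a CA location so the downgrade never
# triggers in the first place.
use strict;
use warnings;
use IO::Socket::SSL;

# Placeholder host; replace with the peer you actually need to reach.
my $host = $ENV{HOST} || 'example.invalid';

sub verified_connect {
    my ($peer, %ca) = @_;
    # Assumption: the unpatched module reports the downgrade via carp(),
    # so a __WARN__ handler is the earliest point a caller can observe it.
    local $SIG{__WARN__} = sub {
        my ($msg) = @_;
        die "refusing to continue, module would fail open: $msg"
            if $msg =~ /No certificate verification/;
        warn $msg;
    };
    my $sock = IO::Socket::SSL->new(
        PeerAddr        => $peer,
        PeerPort        => 443,
        SSL_verify_mode => 0x03,   # VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT
        # Debian's ca-certificates package populates /etc/ssl/certs
        SSL_ca_path     => $ca{path} || '/etc/ssl/certs',
        ( $ca{file} ? ( SSL_ca_file => $ca{file} ) : () ),
    ) or die "TLS connect to $peer failed: " . IO::Socket::SSL::errstr();
    # Belt and braces: with mode 0x03 a peer certificate must be present.
    my $subject = $sock->peer_certificate('subject')
        or die "no peer certificate presented by $peer";
    return ($sock, $subject);
}

my ($sock, $subject) = verified_connect($host);
print "verified connection to $host, peer subject: $subject\n";
close $sock;
```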
diff --git a/SSL.pm b/SSL.pm
index ffb4029..7c8861b 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1367,8 +1367,11 @@ sub new {
 		! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
 		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
+			carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs");
+                        $arg_hash->{SSL_ca_path} = '/etc/ssl/certs';
+                        if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) {
+                          return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs ");
+                        }
 		} else {
 			return IO::Socket::SSL->error("Invalid certificate authority locations");
 		}
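Review bot: the `+` lines bake the Debian-specific path `/etc/ssl/certs` into upstream SSL.pm; on platforms where that directory is absent or empty, verification would then fail for every peer instead of using the platform's own store, so either make the default a package variable the distribution can override or fall back to OpenSSL's default verify paths (SSL_CTX_set_default_verify_paths) rather than a fixed path. Two smaller points: the retry passes `$arg_hash->{SSL_ca_path} || '/etc/ssl/certs'` although SSL_ca_path was assigned exactly that value on the previous line, so the `||` is dead; and the added lines are indented with spaces while the surrounding block uses tabs.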
diff --git a/SSL.pm b/SSL.pm
index ffb4029..4d20dd7 100644
--- a/SSL.pm
+++ b/SSL.pm
@@ -1364,14 +1364,10 @@ sub new {
 
 	my $verify_mode = $arg_hash->{SSL_verify_mode};
 	if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and
-		! Net::SSLeay::CTX_load_verify_locations(
+             ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and
+             ! Net::SSLeay::CTX_load_verify_locations(
 			$ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) {
-		if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) {
-			carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known");
-			$verify_mode = Net::SSLeay::VERIFY_NONE();
-		} else {
-			return IO::Socket::SSL->error("Invalid certificate authority locations");
-		}
+          return IO::Socket::SSL->error("Invalid certificate authority locations");
 	}
 
 	if ($arg_hash->{'SSL_check_crl'}) {
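Review bot: when neither SSL_ca_file nor SSL_ca_path is given, the rewritten condition skips CTX_load_verify_locations and leaves $verify_mode as requested, so the context keeps whatever trust store OpenSSL provides by default and the handshake fails closed unless an SSL_verify_callback accepts the chain; that matches the reporter's intent, but the removed carp() was the only signal telling a caller why verification now behaves differently, and the report itself notes the documentation says nothing about this case. Suggest keeping a one-line carp for the no-CA-location case (without touching $verify_mode) and adding a POD sentence stating that SSL_verify_mode without a CA location relies on the underlying library's defaults. Also, the `+` lines (`( $arg_hash->{SSL_ca_file} || ... ) and` and the `return`) are space-indented while the rest of the block uses tabs.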
