Hi Daniel, Hi Steffen

Daniel Kahn Gillmor reported to our Bugtracker in Debian the report below (See: http://bugs.debian.org/606058). Steffen, what do you think would be best?

Bests
Salvatore

----- Forwarded message from Daniel Kahn Gillmor <d...@fifthhorseman.net> -----
From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Resent-From: Daniel Kahn Gillmor <d...@fifthhorseman.net>
Reply-To: Daniel Kahn Gillmor <d...@fifthhorseman.net>, 606...@bugs.debian.org
X-Mailer: reportbug 4.12.6
Date: Sun, 05 Dec 2010 20:42:23 -0500
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification

Package: libio-socket-ssl-perl
Version: 1.34-1
Severity: normal
Tags: patch, security

Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail verification if no peer certificate exists), these requests are removed unless i also supply either ca_file or ca_path.

This is demonstrably the wrong behavior if (for example) the user supplies a verify_callback. It also means that IO::Socket::SSL "fails open" if the user simply forgets to supply information about the acceptable set of "trusted" CAs -- which seems like a particularly bad thing for a module whose explicit purpose is improving communications security.

While i'm glad that the module carps that it is failing open, there is nothing in the documentation to suggest that this behavior will happen, and, well, it just seems wrong that it happens in the first place.

I'm attaching two (mutually exclusive) patches to resolve this.

The first patch (default-to-etc-ssl-certs.patch) is less aggressive -- if the user sets verify_mode to a non-zero value, but does not supply either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this is managed by the sysadmin on debian systems, and is usually populated by the ca-certificates package.

The second patch (no-default-ca-certs.patch) simply doesn't check for this condition at all, and allows the underlying library to make the decision.

Of the two patches, i prefer no-default-ca-certs.patch. The documentation makes references to ca/ and certs/my-ca.pem -- if these are actually used by the tool, then no-default-ca-certs.patch is definitely the way to go.
--dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl  1.36-1     Perl module for Secure Sockets Lay
ii  netbase             4.43       Basic TCP/IP networking system
ii  perl                5.10.1-16  Larry Wall's Practical Extraction

Versions of packages libio-socket-ssl-perl recommends:
ii  libnet-libidn-perl  0.12.ds-1+b1  Perl bindings for GNU Libidn

Versions of packages libio-socket-ssl-perl suggests:
pn  libio-socket-inet6-perl  <none>  (no description available)

-- no debconf information

diff --git a/SSL.pm b/SSL.pm index ffb4029..7c8861b 100644 --- a/SSL.pm +++ b/SSL.pm @@ -1367,8 +1367,11 @@ sub new { ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); + carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs"); + $arg_hash->{SSL_ca_path} = '/etc/ssl/certs'; + if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) { + return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs "); + } } else { return IO::Socket::SSL->error("Invalid certificate authority locations"); } diff --git a/SSL.pm b/SSL.pm index ffb4029..4d20dd7 100644 --- a/SSL.pm +++ b/SSL.pm 
@@ -1364,14 +1364,10 @@ sub new { my $verify_mode = $arg_hash->{SSL_verify_mode}; if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and - ! Net::SSLeay::CTX_load_verify_locations( + ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and + ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { - if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL->error("Invalid certificate authority locations"); - } + return IO::Socket::SSL->error("Invalid certificate authority locations"); } if ($arg_hash->{'SSL_check_crl'}) {

_______________________________________________
pkg-perl-maintainers mailing list
pkg-perl-maintain...@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers

----- End forwarded message -----
diff --git a/SSL.pm b/SSL.pm index ffb4029..7c8861b 100644 --- a/SSL.pm +++ b/SSL.pm @@ -1367,8 +1367,11 @@ sub new { ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); + carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs"); + $arg_hash->{SSL_ca_path} = '/etc/ssl/certs'; + if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) { + return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs "); + } } else { return IO::Socket::SSL->error("Invalid certificate authority locations"); }
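Review bot: The added fallback hard-codes `/etc/ssl/certs` in four places (the carp text, the assignment to `$arg_hash->{SSL_ca_path}`, the `|| '/etc/ssl/certs'` in the retried `CTX_load_verify_locations` call, and the new error string), and the third of these can never take effect because `SSL_ca_path` was set on the line before; `$arg_hash->{SSL_ca_file} || ''` is likewise always `''` inside this branch. I would keep the path in one overridable package variable, since it is a Debian layout and other systems will hit the new hard error, pass it to the retry once, and drop the trailing space in "Error loading default ca_path /etc/ssl/certs ". The new default also needs a line in the POD, and a test that a constructor call with a non-zero verify mode and no CA options no longer ends up with `VERIFY_NONE`.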
diff --git a/SSL.pm b/SSL.pm index ffb4029..4d20dd7 100644 --- a/SSL.pm +++ b/SSL.pm @@ -1364,14 +1364,10 @@ sub new { my $verify_mode = $arg_hash->{SSL_verify_mode}; if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and - ! Net::SSLeay::CTX_load_verify_locations( + ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and + ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { - if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL->error("Invalid certificate authority locations"); - } + return IO::Socket::SSL->error("Invalid certificate authority locations"); } if ($arg_hash->{'SSL_check_crl'}) {
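Review bot: With the added `( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and` guard, a caller who requests verification but supplies neither option now skips `CTX_load_verify_locations` entirely and gets no carp, so in the lines shown nothing loads any trust anchors and nothing tells the caller. That is fail-closed, which is the point of the report, but unless a verify_callback accepts the chain the handshake will fail with no hint that the cause is a missing `SSL_ca_file`/`SSL_ca_path`. I would either document this in the POD or, for the no-CA case, explicitly ask the library for its defaults (Net::SSLeay exposes `CTX_set_default_verify_paths`) and return an error if that fails. A regression test for verify mode 0x03 with no CA options, with and without a verify_callback, would pin the intended behaviour.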
signature.asc
Description: Digital signature
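A caller-side guard against the fail-open behaviour described in the report, as an added example that is not part of the original thread or of IO::Socket::SSL. The helper name `connect_verified` and the host `example.org` are assumptions; the warning text is the one visible in the patches' removed `carp` line.

```perl
use strict;
use warnings;
use Carp qw(croak);
use IO::Socket::SSL;

# Warning emitted by the unpatched module when it drops verification
# (text taken from the removed carp() line in the patches above).
my $DOWNGRADE_WARNING =
    qr/No certificate verification because neither SSL_ca_file nor SSL_ca_path known/;

# Hypothetical helper: connect only if peer verification will really be enforced.
sub connect_verified {
    my (%args) = @_;
    my $mode = $args{SSL_verify_mode} || 0;

    # 0x01 is the "verify peer" bit; the report uses 0x03.
    croak "SSL_verify_mode must request peer verification" unless $mode & 0x01;

    my ($file, $path) = @args{qw(SSL_ca_file SSL_ca_path)};
    croak "verification requested but no SSL_ca_file or SSL_ca_path given"
        unless $file || $path;
    croak "SSL_ca_file '$file' is not a readable file"
        if $file && !( -f $file && -r _ );
    croak "SSL_ca_path '$path' is not a readable directory"
        if $path && !( -d $path && -r _ );

    # Second line of defence: make the module's downgrade warning fatal,
    # and pass every other warning through unchanged.
    local $SIG{__WARN__} = sub {
        die "refusing unverified connection: $_[0]"
            if $_[0] =~ $DOWNGRADE_WARNING;
        warn @_;
    };

    my $sock = IO::Socket::SSL->new(%args)
        or croak "TLS connection failed: " . IO::Socket::SSL::errstr();
    return $sock;
}

# Constructed call: verification requested, CA options forgotten.
# The guard refuses before any network traffic is sent.
my $sock = eval {
    connect_verified( PeerAddr => 'example.org:443', SSL_verify_mode => 0x03 );
};
print "refused: $@" unless $sock;
```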