Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 106711
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: dr1027 [...] evocat.net
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: Multiple directories in SSL_ca_path
Date: Fri, 28 Aug 2015 17:16:18 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: dr1027 [...] evocat.net
Download (untitled) / with headers
text/plain 977b
OpenSSL's SSL_CTX_load_verify_locations() accepts a list of directories to search for certificates, eg (under unix) "/home/foo/certs:/etc/ssl/certs". Hence Net::SSLeay::CTX_load_verify_locations does as well. Could IO::Socket::SSL therefore also accept such a list, eg my $client = IO::Socket::SSL->new( ... SSL_ca_path => '/home/foo/certs:/etc/ssl/certs', ... ); Possibly the only changes needed to IO::Socket::SSL are on the checks as to whether SSL_ca_path exists and is accessible. The checks would have to be applied to each directory in SSL_ca_path instead of assuming it is a single directory. (I appreciate the documentation for CTX_load_verify_locations suggests only a single directory can be given. However, crypto/x509/by_dir.c:add_cert_dir in the openssl source splits up the CA path according to LIST_SEPARATOR_CHAR defined in e_os.h as ':',';' or ',' according to OS. This seems to have been the case since openssl v0.9.1c or earlier.) Thanks, David
Subject: Re: [rt.cpan.org #106711] AutoReply: Multiple directories in SSL_ca_path
Date: Wed, 16 Sep 2015 16:12:34 +0100
To: Bugs in IO-Socket-SSL via RT <bug-IO-Socket-SSL [...] rt.cpan.org>
From: David Rourke <dr1027 [...] evocat.net>
Download (untitled) / with headers
text/plain 210b
A workaround is to specify the path via the default_ca() method and not in new(): IO::Socket::SSL::default_ca(SSL_ca_path=>'/home/foo/certs:/etc/ssl/certs'); my $client = IO::Socket::SSL->new( ... ); David
Download (untitled) / with headers
text/plain 423b
Thanks for your input. With 2.020 one can now have multiple path inside SSL_ca_path. From the documentation: "SSL_ca_path" can also be an array or a string containing multiple path, where the path are separated by the platform specific separator. This separator is ";" on DOS, Windows, Netware, "," on VMS and ":" for all the other systems. If multiple path are given at least one of these must be accessible.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.