Subject: Default CA list should rely on IO::Socket::SSL instead of Mozilla::CA
Date: Wed, 13 Mar 2019 22:50:56 +0100
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: Jérémie Detrey <Jeremie.Detrey [...] loria.fr>
Hi,

When neither SSL_ca_file nor SSL_ca_path is set, LWP::Protocol::https uses the CA list provided by Mozilla::CA. IO::Socket::SSL embeds a mechanism for looking for system-dependent certificate stores (with a fallback to Mozilla::CA if no such store is available), but this mechanism is bypassed altogether since LWP::Protocol::https forces the value of SSL_ca_file to Mozilla::CA::SSL_ca_file().

Changing this behavior in order to rely on the default mechanism offered by IO::Socket::SSL might improve security, as system-wide certificate stores will usually be more up-to-date than the Mozilla::CA Perl package.

Cheers,
Jérémie.
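The two CA sources contrasted in the report, plus the explicit opt-in a caller can use in the meantime, as an added Perl example (not the reporter's code and not part of LWP::Protocol::https or IO::Socket::SSL). It assumes IO::Socket::SSL::default_ca() is available, which the 2.x series provides, and that Mozilla::CA is installed.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::SSL;
use LWP::UserAgent;
use Mozilla::CA;

# The bundle LWP::Protocol::https forces when neither SSL_ca_file nor
# SSL_ca_path is supplied: the static file shipped inside Mozilla::CA.
sub bundled_ca_file { return Mozilla::CA::SSL_ca_file() }

# What IO::Socket::SSL would choose on its own: a system store if it
# detects one, otherwise its own Mozilla::CA fallback. default_ca()
# returns a list of SSL_ca_file / SSL_ca_path key-value pairs
# (assumption: IO::Socket::SSL 2.x API).
sub system_default_ca { return IO::Socket::SSL::default_ca() }

# Build a UserAgent that never reaches the forced Mozilla::CA fallback,
# by passing IO::Socket::SSL's own defaults explicitly via ssl_opts.
sub ua_with_system_store {
    my %ca = system_default_ca();
    return LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,   # keep hostname checking on
            %ca,                    # SSL_ca_file and/or SSL_ca_path
        },
    );
}

if (!caller) {
    my %ca = system_default_ca();
    printf "Mozilla::CA bundle     : %s\n", bundled_ca_file();
    printf "IO::Socket::SSL default: %s\n",
        join(', ', map { "$_=$ca{$_}" } sort keys %ca);

    # Same store or not? If they differ, the default LWP behaviour is
    # ignoring a system-managed (typically fresher) certificate store.
    my $same = defined $ca{SSL_ca_file}
            && $ca{SSL_ca_file} eq bundled_ca_file()
            && !defined $ca{SSL_ca_path};
    print $same ? "LWP default already matches IO::Socket::SSL\n"
                : "LWP default bypasses the system store\n";

    my $ua = ua_with_system_store();
    print "UserAgent configured with: ",
        join(', ', sort keys %{ $ua->ssl_opts ? {} : {} }), "\n"
        if 0;   # ssl_opts() is a getter per key; kept off to stay portable
}
```

Running the script prints which store each side resolves to; when they differ, pass the IO::Socket::SSL defaults through ssl_opts as ua_with_system_store() does until LWP::Protocol::https itself is changed.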