CC: 507402 [...] bugs.debian.org
Subject: LWP::Protocol::https/_check_sock() has insufficient certificate checking
Forwarded from Ubuntu #198874. The reporter states:

"See LWP::Protocol::https class, the _check_sock function: we don't execute $sock->get_peer_verify before checking the cert's subject against $req->header("If-SSL-Cert-Subject"). $sock->get_peer_verify gets called only *after* we have pushed all of our request to the server (possibly containing critical data including passwords) -- that is BAAAAD.

Basically, all of that renders SSL support in LWP::UserAgent not only meaningless, but also gives the user an impression of security, which is not only bad, but almost a malicious thing to do.

More experimentation has shown that this only happens when doing "use IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows the opposite behaviour: unverified server certs are NEVER accepted.

I don't even know how to set the verification level, and neither does it seem to be documented what exactly gets verified.... (server name at least?? How about redirects?....)

Please fix this and/or report it upstream because I consider it a major issue."
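The ordering the report asks for (verify the peer, then check the subject, and only then write the request), as an added example that is not code from LWP or from the reporter. The helper `fetch_verified` and its argument names are hypothetical, and treating `expect_subject` as a regular expression is an assumption of this example.

```perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER and $SSL_ERROR

# Hypothetical helper: connect, verify, and only then send any request data.
sub fetch_verified {
    my (%arg) = @_;     # host, port, path, ca_file, expect_subject

    my %tls = (
        PeerHost            => $arg{host},
        PeerPort            => $arg{port} || 443,
        SSL_verify_mode     => SSL_VERIFY_PEER,    # chain must validate
        SSL_verifycn_scheme => 'http',             # certificate must match the host name
        SSL_verifycn_name   => $arg{host},
    );
    $tls{SSL_ca_file} = $arg{ca_file} if defined $arg{ca_file};

    # The handshake runs inside new(); a failed verification returns undef
    # before a single byte of the HTTP request has been written.
    my $sock = IO::Socket::SSL->new(%tls)
        or die "TLS verification failed, nothing sent: $SSL_ERROR\n";

    # Optional subject check, in the spirit of If-SSL-Cert-Subject,
    # performed on an already verified certificate.
    if (defined $arg{expect_subject}) {
        my $subject = $sock->peer_certificate('subject');
        unless (defined $subject && $subject =~ /$arg{expect_subject}/) {
            $sock->close;
            die "Certificate subject mismatch, nothing sent\n";
        }
    }

    # Only now is request data (which may carry credentials) sent.
    my $path = defined $arg{path} ? $arg{path} : '/';
    print $sock "GET $path HTTP/1.0\r\nHost: $arg{host}\r\n\r\n";
    local $/;           # slurp the whole response
    my $response = <$sock>;
    $sock->close;
    return $response;
}

# Runs only when invoked directly with a host name as the first argument.
if (!caller && @ARGV) {
    print fetch_verified(host => $ARGV[0], path => '/');
}
```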