Skip Menu |
 

This queue is for tickets about the LWP-Protocol-https CPAN distribution.

Report information
The Basics
Id: 43733
Status: resolved
Priority: 0/
Queue: LWP-Protocol-https

People
Owner: Nobody in particular
Requestors: antonio [...] dyne.org
Cc: 507402 [...] bugs.debian.org
AdminCc:

Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: (no value)



CC: 507402 [...] bugs.debian.org
Subject: LWP::Protocol::https/_check_sock() has insufficient certificate checking
Download (untitled) / with headers
text/plain 1.1k
Forwarding from http://bugs.debian.org/507402 --- Forwarded from Ubuntu #198874 (https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874): The reporter states: "See LWP::Protocol::https class, the _check_sock function: we don't execute $sock->get_peer_verify before checking the cert's subject against $req->header("If-SSL-Cert-Subject"). $sock->get_peer_verify gets called only *after* we have pushed all of our request to the server (possibly containing critical data including passwords) -- that is BAAAAD. Basically, all of that renders SSL support in LWP::UserAgent not only meaningless, but also gives the user impression of security, which is not only bad, but almost a malicious thing to do. More experimentation has shown that this only happens when doing "use IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows the opposite behaviour: unverified server certs are NEVER accepted. I don't even know how to set the verification level und neither seems to be documented what exactly gets verified.... (server name at least?? How about redirects?....) Please fix this and/or report it upstream because I consider it a major issue."
migrated queues: libwww-perl -> LWP-Protocol-https
Subject: Bug#507402: Info received ([rt.cpan.org #43733] LWP::Protocol::https/_check_sock() has insufficient certificate checking)
Date: Wed, 25 Jan 2017 21:51:03 +0000
To: bug-libwww-perl [...] rt.cpan.org
From: owner [...] bugs.debian.org (Debian Bug Tracking System)
Download (untitled) / with headers
text/plain 799b
Thank you for the additional information you have supplied regarding this Bug report. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> If you wish to submit further information on this problem, please send it to 507402@bugs.debian.org. Please do not send mail to owner@bugs.debian.org unless you wish to report a problem with the Bug-tracking system. -- 507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
Subject: Bug#507402: Info received ([rt.cpan.org #43733] LWP::Protocol::https/_check_sock() has insufficient certificate checking)
Date: Fri, 31 Mar 2017 19:42:06 +0000
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: owner [...] bugs.debian.org (Debian Bug Tracking System)
Download (untitled) / with headers
text/plain 799b
Thank you for the additional information you have supplied regarding this Bug report. This is an automatically generated reply to let you know your message has been received. Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course. Your message has been sent to the package maintainer(s): Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org> If you wish to submit further information on this problem, please send it to 507402@bugs.debian.org. Please do not send mail to owner@bugs.debian.org unless you wish to report a problem with the Bug-tracking system. -- 507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402 Debian Bug Tracking System Contact owner@bugs.debian.org with problems


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.