
This queue is for tickets about the XML-Stream CPAN distribution.

Report information
The Basics
Id: 57649
Status: resolved
Priority: 0/
Queue: XML-Stream

Owner: dapatrick [...]
Requestors: andersk [...]

Bug Information
Severity: Critical
Broken in:
  • 1.13
  • 1.14
  • 1.15
  • 1.16
  • 1.17
  • 1.18
  • 1.19
  • 1.20
  • 1.21
  • 1.22
  • 1.23
  • 1.23_01
Fixed in: 1.23_02

Subject: Does not verify the remote SSL certificate
XML::Stream creates all SSL connections with SSL_verify_mode=>0x00. This is a security vulnerability, since it does not verify the remote SSL certificate, letting any attacker perform a man-in-the-middle attack on the connection. If SSL is requested, XML::Stream should verify the SSL certificate by default (perhaps with an additional option to disable verification, to be used only for testing purposes).

Anders,

Sorry for taking so long to get back to you. Yes, indeed this is a problem and I will fix it immediately. I'll let you know when a fix has been committed to trunk. I plan on publishing a new release before the end of the week.

Darian

Hi Anders,

I'm preparing a developer release of XML::Stream. The following commit includes a fix for the issue you've reported:

I have a couple of other issues to take care of, then this release will be published to CPAN as XML-Stream-1.23_02. In the meantime, feel free to clone the repo and give it a test. I will be pushing corresponding changes to Net::XMPP shortly.

Best,
Darian
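
What the report describes, shown as an added example that is not part of the ticket or of XML::Stream's own code: a local listener presenting a constructed, untrusted self-signed certificate is contacted twice through IO::Socket::SSL, once with `SSL_verify_mode => 0x00` and once with `SSL_VERIFY_PEER`. The helper `try_connect`, the certificate name and `xmpp.example.org` are placeholders, and a platform with `fork` is assumed.

```perl
use strict;
use warnings;
use IO::Socket::SSL;
use IO::Socket::SSL::Utils qw(CERT_create);

# Constructed fixture: a self-signed certificate that no trust store contains,
# standing in for what an interposed host would present.
my ($cert, $key) = CERT_create(subject => { commonName => 'untrusted.example' });

my $listener = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 5,
    SSL_cert  => $cert, SSL_key => $key,
) or die "listen failed: $! $SSL_ERROR";
my $port = $listener->sockport;

my $pid = fork();
die "fork failed: $!" unless defined $pid;
if ($pid == 0) {                     # child: serve two handshake attempts
    $SIG{PIPE} = 'IGNORE';           # a client may hang up mid-handshake
    for (1 .. 2) { my $c = $listener->accept; $c->close if $c }
    exit 0;
}
$listener->close;                    # parent keeps only the port number

# Hypothetical helper: attempt one client handshake and report the outcome.
sub try_connect {
    my (%ssl_opts) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr => '127.0.0.1', PeerPort => $port, Timeout => 5, %ssl_opts,
    ) or return "rejected ($SSL_ERROR)";
    $sock->close;
    return 'handshake completed';
}

# The setting named in the report: the certificate is never checked.
print "SSL_verify_mode => 0x00 : ",
    try_connect(SSL_verify_mode => SSL_VERIFY_NONE), "\n";

# Verifying client: the chain must validate and the name must match.
print "SSL_VERIFY_PEER         : ",
    try_connect(
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_name   => 'xmpp.example.org',   # placeholder server name
        SSL_verifycn_scheme => 'default',
    ), "\n";

waitpid $pid, 0;
```

The first attempt completes the handshake with the untrusted certificate, while the second is refused with a certificate verification error.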
