Skip Menu |
 

This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 63637
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Nobody in particular
Requestors: carnil [...] debian.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: Daniel Kahn Gillmor <dkg [...] fifthhorseman.net>, 606058 [...] bugs.debian.org
Subject: IO::Socket::SSL ignores user request for peer verification
Date: Mon, 6 Dec 2010 07:55:46 +0100
To: bug-IO-Socket-SSL [...] rt.cpan.org
From: Salvatore Bonaccorso <carnil [...] debian.org>
Download (untitled) / with headers
text/plain 5.2k
Hi Daniel, Hi Steffen Daniel Kahn Gillmor reported to our Bugtracker in Debian the report below (See: http://bugs.debian.org/606058). Steffen, what do you think, would be best? Bests Salvatore ----- Forwarded message from Daniel Kahn Gillmor <dkg@fifthhorseman.net> ----- From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Resent-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net> Reply-To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, 606058@bugs.debian.org X-Mailer: reportbug 4.12.6 Date: Sun, 05 Dec 2010 20:42:23 -0500 To: Debian Bug Tracking System <submit@bugs.debian.org> Subject: Bug#606058: libio-socket-ssl-perl: IO::Socket::SSL ignores user request for peer verification Package: libio-socket-ssl-perl Version: 1.34-1 Severity: normal Tags: patch , security Using IO::Socket::SSL, if i set verify_mode to 0x03 (verify peer, fail verification if no peer certificate exists), these requests are removed unless i also supply either ca_file or ca_path. This is demonstrably the wrong behavior if (for example) the user supplies a verify_callback. It also means that IO::Socket::SSL "fails open" if the user simply forgets to supply information about the acceptable set of "trusted" CAs -- which seems like a particularly bad thing for a module whose explicit purpose is improving communications security. While i'm glad that the module carps that it is failing open, there is nothing in the documentation to suggest that this behavior will happen, and, well, it just seems wrong that it happens in the first place. I'm attaching two (mutually exclusive) patches to resolve this. The first patch (default-to-etc-ssl-certs.patch) is less aggressive -- if the user sets verify_mode to a non-zero value, but does not supply either ca_file or ca_path, it uses /etc/ssl/certs as ca_path -- this is managed by the sysadmin on debian systems, and is usually populated by the ca-certificates package. The second patch (no-default-ca-certs.patch) simply doesn't check for this condition at all, and allows the underlying library to make the decision. Of the two patches, i prefer no-default-ca-certs.patch. The documentation makes references to ca/ and certs/my-ca.pem -- if these are actually used by the tool, then no-default-ca-certs.patch is definitely the way to go. --dkg -- System Information: Debian Release: squeeze/sid APT prefers testing APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental') Architecture: i386 (i686) Kernel: Linux 2.6.36-trunk-686 (SMP w/1 CPU core) Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages libio-socket-ssl-perl depends on: ii libnet-ssleay-perl 1.36-1 Perl module for Secure Sockets Lay ii netbase 4.43 Basic TCP/IP networking system ii perl 5.10.1-16 Larry Wall's Practical Extraction Versions of packages libio-socket-ssl-perl recommends: ii libnet-libidn-perl 0.12.ds-1+b1 Perl bindings for GNU Libidn Versions of packages libio-socket-ssl-perl suggests: pn libio-socket-inet6-perl <none> (no description available) -- no debconf information diff --git a/SSL.pm b/SSL.pm index ffb4029..7c8861b 100644 --- a/SSL.pm +++ b/SSL.pm @@ -1367,8 +1367,11 @@ sub new { ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); + carp("verify requested, but neither SSL_ca_file nor SSL_ca_path known; defaulting to SSL_ca_path = /etc/ssl/certs"); + $arg_hash->{SSL_ca_path} = '/etc/ssl/certs'; + if ( ! Net::SSLeay::CTX_load_verify_locations($ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '/etc/ssl/certs') ) { + return IO::Socket::SSL->error("Error loading default ca_path /etc/ssl/certs "); + } } else { return IO::Socket::SSL->error("Invalid certificate authority locations"); } diff --git a/SSL.pm b/SSL.pm index ffb4029..4d20dd7 100644 --- a/SSL.pm +++ b/SSL.pm @@ -1364,14 +1364,10 @@ sub new { my $verify_mode = $arg_hash->{SSL_verify_mode}; if ( $verify_mode != Net::SSLeay::VERIFY_NONE() and - ! Net::SSLeay::CTX_load_verify_locations( + ( $arg_hash->{SSL_ca_file} || $arg_hash->{SSL_ca_path} ) and + ! Net::SSLeay::CTX_load_verify_locations( $ctx, $arg_hash->{SSL_ca_file} || '',$arg_hash->{SSL_ca_path} || '') ) { - if ( ! $arg_hash->{SSL_ca_file} && ! $arg_hash->{SSL_ca_path} ) { - carp("No certificate verification because neither SSL_ca_file nor SSL_ca_path known"); - $verify_mode = Net::SSLeay::VERIFY_NONE(); - } else { - return IO::Socket::SSL->error("Invalid certificate authority locations"); - } + return IO::Socket::SSL->error("Invalid certificate authority locations"); } if ($arg_hash->{'SSL_check_crl'}) { Show quoted text
_______________________________________________ pkg-perl-maintainers mailing list pkg-perl-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-perl-maintainers
----- End forwarded message -----

Message body is not shown because sender requested not to inline it.

Message body is not shown because sender requested not to inline it.

Download signature.asc
application/pgp-signature 835b

Message body not shown because it is not plain text.

CC: bug-IO-Socket-SSL [...] rt.cpan.org, 606058 [...] bugs.debian.org
Subject: [rt.cpan.org #63637] Re: IO::Socket::SSL ignores user request for peer verification
Date: Mon, 06 Dec 2010 02:25:09 -0500
To: Salvatore Bonaccorso <carnil [...] debian.org>
From: Daniel Kahn Gillmor <dkg [...] fifthhorseman.net>
Download (untitled) / with headers
text/plain 720b
Thanks for forwarding this, Salvatore-- On 12/06/2010 01:55 AM, Salvatore Bonaccorso wrote: Show quoted text
> Of the two patches, i prefer no-default-ca-certs.patch. > > The documentation makes references to ca/ and certs/my-ca.pem -- if > these are actually used by the tool, then no-default-ca-certs.patch is > definitely the way to go.
Hrm, as i look at it further, i'm not entirely sure that no-default-ca-certs operates as expected with users who relying on the defaults of ca/ or certs/my-ca.pem. I do think that IO::Socket::SSL needs to fail *closed* though, and not revert to accepting unverified connections in the event that the user forgets to specify CAs (or fails to correctly populate the default locations). --dkg
Download signature.asc
application/pgp-signature 900b

Message body not shown because it is not plain text.

Download (untitled) / with headers
text/plain 813b
Thanks for pointing out the problem. I've changed it for version 1.35 like given in the no-defaults-cacert.patch, e.g. - the default verify_mode stays verify_none - if the user wants a different verify_mode SSL.pm should not ignore the users request if it will not work or set some undocumented defaults, but throw an error - the default for SSL_ca_file and SSL_ca_path will stay because they were documented for a long time. Actually, i'm not that happy with having these defaults for SSL_ca_* and SSL_verify_mode but would rather have the user to explicitly specify mode and path - it's a security decision which should not have any defaults. But because it was forever like this I risk to break some application due to this, so I rather do it later after finding a strategy of not breaking to much.
CC: behroozi [...] www.pls.uni.edu, Daniel Kahn Gillmor <dkg [...] fifthhorseman.net>
Subject: Re: [rt.cpan.org #63637] IO::Socket::SSL ignores user request for peer verification
Date: Mon, 6 Dec 2010 10:38:13 +0100
To: Steffen Ullrich via RT <bug-IO-Socket-SSL [...] rt.cpan.org>
From: Salvatore Bonaccorso <carnil [...] debian.org>
Download (untitled) / with headers
text/plain 132b
Hi Steffen Wow, thanks for the fast reply and updating! I will upload the fixed version to Debian unstable today. Bests Salvatore
Download signature.asc
application/pgp-signature 835b

Message body not shown because it is not plain text.

request done


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.