
LWP::Protocol::https/_check_sock() has insufficient certificate checking [rt.cpan.org #43733] #40

@oalders

Description


Migrated from rt.cpan.org#43733 (status was 'open')

Requestors:

From [email protected] on 2009-02-28 12:30:17:

Forwarding from http://bugs.debian.org/507402
---

Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):

The reporter states:
"See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header("If-SSL-Cert-Subject").

$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAAAAD. Basically, all of that renders SSL support 
in LWP::UserAgent not only meaningless, but also gives the user 
impression of security, which is not only bad, but almost a malicious 
thing to do.

More experimentation has shown that this only happens when doing "use 
IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level and neither seems to 
be documented what exactly gets verified.... (server name at least?? How 
about redirects?....)

Please fix this and/or report it upstream because I consider it a major 
issue."
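The ordering the reporter asks for (verify the chain and the subject name first, send the request only afterwards) can be shown with IO::Socket::SSL directly. This is an added example written for this page, not code from LWP::Protocol::https, libwww-perl, or the bug report; it assumes an IO::Socket::SSL that supports the `SSL_verifycn_*` options and a CA bundle at the path in `$ca_file` (the default path and the `WANT_SUBJECT_RE` environment variable are constructed for the example):

```perl
#!/usr/bin/env perl
# Added example: certificate and subject verification *before* any request
# bytes are written. Not the module's own _check_sock() implementation.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $host    = $ARGV[0] // 'example.org';                        # constructed default
my $ca_file = $ENV{SSL_CA_FILE} // '/etc/ssl/certs/ca-certificates.crt';  # assumed path

# Step 1: with SSL_verify_mode => SSL_VERIFY_PEER the TLS handshake itself
# checks the chain against $ca_file and the certificate name against $host.
# A failed check makes new() return undef, so nothing above the TLS layer
# (credentials included) can ever reach an unverified peer.
my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => 443,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'http',   # CN / subjectAltName matching as for HTTPS
    SSL_verifycn_name   => $host,
) or die "refusing to send request: TLS verification failed: $IO::Socket::SSL::SSL_ERROR\n";

# Step 2: an extra subject check, analogous to the If-SSL-Cert-Subject header
# mentioned in the report, still performed before anything is written.
my $subject = $sock->peer_certificate('subject') // '';
if (my $want = $ENV{WANT_SUBJECT_RE}) {
    $subject =~ /$want/
        or die "refusing to send request: subject '$subject' does not match /$want/\n";
}

# Step 3: only now does the request leave the host.
print $sock "HEAD / HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n";
my $status = <$sock> // '';
print "verified subject: $subject\nresponse: $status";
$sock->close;
```

The point of the example is the order of operations: both checks happen before the `print $sock` line, so a mismatched certificate aborts the connection with no request data sent. In a client built on LWP::UserAgent the same IO::Socket::SSL options are passed through its `ssl_opts` argument (`verify_hostname => 1` together with `SSL_ca_file`), which is the setting to confirm when auditing a script that was written against the older, unverified behaviour described above.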

From [email protected] on 2017-01-25 21:41:06:

migrated queues: libwww-perl -> LWP-Protocol-https

From [email protected] on 2017-01-25 22:16:28:

Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <[email protected]>

If you wish to submit further information on this problem, please
send it to [email protected].

Please do not send mail to [email protected] unless you wish
to report a problem with the Bug-tracking system.

-- 
507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402
Debian Bug Tracking System
Contact [email protected] with problems
