[Bug 509819] perl-IO-Socket-SSL: incorrect checking of certificate hostnames

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug.


https://bugzilla.redhat.com/show_bug.cgi?id=509819





--- Comment #8 from Tomas Hoger <thoger@xxxxxxxxxx>  2009-07-24 10:35:54 EDT ---
(In reply to comment #6)
> For RHEL5, do we want to add hostname verification to the older version?

I think if that is requested by the users, it can be done, but I don't think
this should be done under / because of this bug.

> If someone is relying on the *lack* of hostname verification, any app using
> this perl module could possibly break in a customer environment.  That would
> be a bad thing for an update to do.  Conversely, having hostname support
> increases security.

As far as I can see, risks should be rather low.  As name verification only
happens when it's requested explicitly by the application using the module
(either via verify_hostname method or SSL_verifycn_* options to new()).  Old
code should work with new module versions without regressions related to this,
but just a module version update will not automagically add hostname
verification to apps that don't do it today.

> Personally, I think that because RHEL5 and earlier didn't have support for it,
> *this* issue isn't a security issue to affect them.

Agree.  If someone needs a hostname verification support in RHEL5 packages, it
should be requested via RFE bug.

Additionally, I had a look at applications using IO::Socket::SSL in RHEL5. 
There are only 2 components in the distribution:

- spamassassin - Used for optional SSL encryption for spamd <-> spamc
communication.  Only used on server side (spamd), as client (spamc) is written
in C and is using OpenSSL directly.  Hence this feature is irrelevant to
spamassassin.

- perl-LDAP - This module does not have support for hostname verification, not
even in the latest git version to date.  Hence without further modifications of
perl-LDAP itself, it won't benefit from hostname verification support in
IO::Socket::SSL.

-- 
Configure bugmail: https://bugzilla.redhat.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
Fedora-perl-devel-list mailing list
Fedora-perl-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-perl-devel-list

[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Legacy Announce]     [Fedora PHP Devel]     [Kernel Devel]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite Information]
  Powered by Linux