[Bug 1094440] CVE-2014-3230 perl-libwww-perl: incorrect handling of SSL certificate verification

https://bugzilla.redhat.com/show_bug.cgi?id=1094440

Tomas Hoger <thoger@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|high                        |medium
         Whiteboard|(Removed) impact=important,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/perl-libwww-perl=affected,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=affected
                   |(Added)   impact=moderate,public=20140501,reported=20140501,source=debian,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,fedora-all/perl-libwww-perl=affected,rhel-5/perl-libwww-perl=notaffected,rhel-6/perl-libwww-perl=notaffected,rhel-7/perl-libwww-perl=affected
           Severity|high                        |medium



--- Comment #14 from Tomas Hoger <thoger@xxxxxxxxxx> ---
(In reply to Vincent Danen from comment #0)
> This issue did not affect the versions of perl-libwww-perl as shipped with
> Red Hat Enterprise Linux 5 and 6.

It should be noted that versions of perl-libwww-perl in Red Hat Enterprise
Linux 6 do not perform SSL certificate verification by default (see bug 705044,
including an example of how to enable certificate checks in IO::Socket::SSL in
bug 705044 comment 7).  The change to enable SSL verification by default was
made upstream in version 6.0.

Upstream version 6.0 also introduced ways to control certificate verification:

- Via LWP::UserAgent ssl_opts attribute:
http://search.cpan.org/dist/libwww-perl/lib/LWP/UserAgent.pm#ATTRIBUTES

These allow specifying a path to a file (SSL_ca_file) or directory (SSL_ca_path)
with CA certificates, and whether host name verification should be performed
(verify_hostname).  If these are not set in a script, environment variables are
checked in the following order:

- PERL_LWP_SSL_* variables first, including: PERL_LWP_SSL_VERIFY_HOSTNAME,
PERL_LWP_SSL_CA_FILE, and PERL_LWP_SSL_CA_PATH

- HTTPS_CA_* if PERL_LWP_SSL_* are not set: HTTPS_CA_FILE, and HTTPS_CA_DIR.
When these are used, host name verification is automatically disabled (for
backwards compatibility).

The problem here is that when host name verification is disabled, certificate
verification is disabled as well (unless explicitly requested using
IO::Socket::SSL's SSL_verify_mode).  One such example is the use of HTTPS_CA_*
environment variables.

LWP::UserAgent documentation is scarce and ambiguous in defining whether
verify_hostname 0 is supposed to only disable the hostname check, or all
certificate checks.  The code seems to assume all checks are disabled.
However, that's not really compatible with the (undocumented) assumption that
HTTPS_CA_* environment variables are meant to enable certificate checks and
only disable hostname checks.

Note that checking the certificate without checking the hostname is usually
insecure, as a malicious site can obtain an SSL certificate from a trusted CA
for a different name and still have it accepted as valid for a different host.

--
Fedora Extras Perl SIG
http://www.fedoraproject.org/wiki/Extras/SIGs/Perl
perl-devel mailing list
perl-devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/perl-devel
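The configuration issue described in comment #14 can be avoided by fixing the verification settings in the script instead of relying on the HTTPS_CA_* fallback. The following is an added example, not code from the bug report, from libwww-perl or from Red Hat. It assumes LWP::UserAgent 6.x with LWP::Protocol::https and IO::Socket::SSL installed, a CA bundle at /etc/pki/tls/certs/ca-bundle.crt (an assumed path; adjust for the host), and https://example.com/ as a placeholder URL. The `make_verifying_ua` and `audit_ssl_env` names are the example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from libwww-perl itself.
# Pins certificate and hostname verification in the script, so the HTTPS_CA_*
# fallback described in the comment is never reached, and reports environment
# settings that would weaken verification.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Assumed CA bundle location (RHEL/Fedora layout); adjust for the host.
my $DEFAULT_CA_FILE = '/etc/pki/tls/certs/ca-bundle.crt';

# Build a user agent whose verification settings come from the script, not
# from the environment.  Weak form, for contrast only:
#   LWP::UserAgent->new();   # with HTTPS_CA_FILE set, verify_hostname becomes
#                            # 0 and, per the comment, certificate verification
#                            # is switched off as well.
sub make_verifying_ua {
    my (%args) = @_;
    my $ca_file = $args{ca_file} // $DEFAULT_CA_FILE;
    die "CA bundle $ca_file not readable\n" unless -r $ca_file;

    return LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => {
            verify_hostname => 1,            # name in certificate must match host
            SSL_ca_file     => $ca_file,     # explicit trust store
            # An explicit SSL_verify_mode keeps the chain check on even where
            # verify_hostname ends up 0, which is the case the comment describes.
            SSL_verify_mode => SSL_VERIFY_PEER,
        },
    );
}

# Inspect the environment variables named in the comment and return a list of
# findings for any combination that ends up with checks disabled.
sub audit_ssl_env {
    my ($env) = @_;
    $env //= \%ENV;
    my @findings;

    if (defined $env->{PERL_LWP_SSL_VERIFY_HOSTNAME}
        && !$env->{PERL_LWP_SSL_VERIFY_HOSTNAME}) {
        push @findings, 'PERL_LWP_SSL_VERIFY_HOSTNAME=0: hostname check off, '
            . 'and certificate check off unless SSL_verify_mode is set';
    }

    my $perl_lwp_ca = defined $env->{PERL_LWP_SSL_CA_FILE}
                   || defined $env->{PERL_LWP_SSL_CA_PATH};
    my $https_ca    = defined $env->{HTTPS_CA_FILE}
                   || defined $env->{HTTPS_CA_DIR};
    if ($https_ca && !$perl_lwp_ca) {
        push @findings, 'HTTPS_CA_FILE/HTTPS_CA_DIR in effect: LWP disables '
            . 'hostname verification for backwards compatibility';
    }
    return @findings;
}

# Usage: perl lwp_verify.pl https://example.com/
my $url = shift(@ARGV) // 'https://example.com/';

# Constructed environment for demonstration; pass nothing to audit the real %ENV.
my %demo_env = (HTTPS_CA_FILE => '/path/to/ca-bundle.crt');
print "finding: $_\n" for audit_ssl_env(\%demo_env);

my $ua  = make_verifying_ua();
my $res = $ua->get($url);
if ($res->is_success) {
    print "OK: ", $res->status_line, "\n";
} else {
    # A failed chain or hostname check surfaces as an internal 500 response
    # whose status line carries the SSL error text.
    print "FAILED: ", $res->status_line, "\n";
}
```

Run against the real environment by calling `audit_ssl_env()` with no argument; a non-empty finding list is the signal that a script relying on LWP defaults would be connecting with hostname checks, and possibly all certificate checks, turned off.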