Re: [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath

On Fri, Jul 05, 2013 at 05:35:47PM +0530, Ramkumar Ramachandra wrote:
> @@ -1193,13 +1197,23 @@ X-Mailer: git-send-email $gitversion
>  						 Debug => $debug_net_smtp);
>  			if ($smtp_encryption eq 'tls' && $smtp) {
>  				require Net::SMTP::SSL;
> -				use IO::Socket::SSL qw(SSL_VERIFY_NONE);
> +				use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);
>  				$smtp->command('STARTTLS');
>  				$smtp->response();
>  				if ($smtp->code == 220) {
> -					$smtp = Net::SMTP::SSL->start_SSL($smtp,
> -									  SSL_verify_mode => SSL_VERIFY_NONE)
> -						or die "STARTTLS failed! ".$smtp->message;
> +					# Attempt to use a ca-certificate by default
> +					$smtp_ssl_cert_path |= "/etc/ssl/certs";
> +					if (-d $smtp_ssl_cert_path) {
> +						$smtp = Net::SMTP::SSL->start_SSL($smtp,
> +										  SSL_verify_mode => SSL_VERIFY_PEER,
> +										  SSL_ca_path => $smtp_ssl_cert_path)
> +							or die "STARTTLS failed! ".$smtp->message;
> +					} else {
> +						print STDERR "warning: Using SSL_VERIFY_NONE.  See sendemail.smtpsslcertpath.\n";
> +						$smtp = Net::SMTP::SSL->start_SSL($smtp,
> +										  SSL_verify_mode => SSL_VERIFY_NONE)
> +							or die "STARTTLS failed! ".$smtp->message;
> +					}
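
Review bot: `$smtp_ssl_cert_path |= "/etc/ssl/certs";` uses the bitwise-or assignment rather than the logical one, so a path the user has configured is OR-ed character by character with the default string and the `-d` test then runs on a mangled value; this should be `||=` or an explicit `defined` check. Separately, the `else` branch falls back to SSL_VERIFY_NONE whenever the directory does not exist, so a mistyped sendemail.smtpsslcertpath turns verification off with only a single warning line; consider dying when the path was set explicitly and falling back only when the built-in default is missing.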

You've covered the STARTTLS case, but not the SSL one right above it.
Someone using smtps on port 465 will still see the warning.  You can
pass SSL_verify_mode to Net::SMTP::SSL->new just like you pass it to
start_SSL.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
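
The suggestion in the reply above, as an added example that is not part of the original message or of git's code: a hypothetical helper, `verify_args()`, builds the verification arguments once so the smtps and STARTTLS call sites share them. It goes slightly beyond the quoted patch by also accepting a single CA bundle file via `SSL_ca_file`; the host name in the comments is a placeholder.

```perl
#!/usr/bin/perl
# Added example, not git-send-email's code. verify_args() is a
# hypothetical helper name; smtp.example.org is a placeholder host.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Build the IO::Socket::SSL verification arguments in one place, so the
# smtps (port 465) path and the STARTTLS path cannot drift apart.
sub verify_args {
	my ($path) = @_;

	# Logical default: only used when nothing was configured.
	$path = "/etc/ssl/certs" unless defined $path && length $path;

	if (-d $path) {
		# Directory of hashed CA certificates.
		return (SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_path => $path);
	} elsif (-f $path) {
		# Single CA bundle file (assumption: not handled by the quoted patch).
		return (SSL_verify_mode => SSL_VERIFY_PEER, SSL_ca_file => $path);
	}

	# Mirrors the quoted patch's fallback and warning text.
	print STDERR "warning: Using SSL_VERIFY_NONE.  See sendemail.smtpsslcertpath.\n";
	return (SSL_verify_mode => SSL_VERIFY_NONE);
}

# Show what would be passed for the path given on the command line
# (or for the default when none is given).
my %args = verify_args($ARGV[0]);
printf "%s => %s\n", $_, $args{$_} for sort keys %args;

# Both call sites then take the same list (left as comments because
# they need a live server):
#
#   my $smtp = Net::SMTP::SSL->new('smtp.example.org', Port => 465,
#                                  verify_args($smtp_ssl_cert_path));
#
#   $smtp = Net::SMTP::SSL->start_SSL($smtp,
#                                     verify_args($smtp_ssl_cert_path));
```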
