On Fri, Jul 05, 2013 at 10:20:11AM -0700, Junio C Hamano wrote:
> "brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> writes:
>
> > You've covered the STARTTLS case, but not the SSL one right above it.
> > Someone using smtps on port 465 will still see the warning. You can
> > pass SSL_verify_mode to Net::SMTP::SSL->new just like you pass it to
> > start_SSL.
>
> OK, will a fix-up look like this on top of 1/2 and 2/2?

According to IO::Socket::SSL [1], if neither SSL_ca_file nor SSL_ca_path
is specified then builtin defaults will be used, so I wonder if we
should pass SSL_VERIFY_PEER regardless (possibly with a switch for
SSL_VERIFY_NONE if people really need that).

[1] http://search.cpan.org/~sullr/IO-Socket-SSL-1.951/lib/IO/Socket/SSL.pm

> git-send-email.perl | 39 +++++++++++++++++++++++---------------- > 1 file changed, 23 insertions(+), 16 deletions(-) > > diff --git a/git-send-email.perl b/git-send-email.perl > index 52028ba..3b80340 100755 > --- a/git-send-email.perl > +++ b/git-send-email.perl > @@ -1093,6 +1093,25 @@ sub smtp_auth_maybe { > return $auth; > } > > +# Helper to come up with SSL/TLS certification validation params > +# and warn when doing no verification > +sub ssl_verify_params { > + use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE); > + > + if (!defined $smtp_ssl_cert_path) { > + $smtp_ssl_cert_path = "/etc/ssl/certs"; > + } > + > + if (-d $smtp_ssl_cert_path) { > + return (SSL_verify_mode => SSL_VERIFY_PEER, > + SSL_ca_path => $smtp_ssl_cert_path); > + } else { > + print STDERR "warning: Using SSL_VERIFY_NONE. " . > + "See sendemail.smtpsslcertpath.\n"; > + return (SSL_verify_mode => SSL_VERIFY_NONE); > + } > +} > +
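
Review bot: the else branch of ssl_verify_params fails open. Any $smtp_ssl_cert_path that does not pass the -d test (a mistyped directory, a CA bundle file rather than a directory, or a host without /etc/ssl/certs) selects SSL_VERIFY_NONE, and the only signal is a warning on STDERR while the session continues with an unauthenticated server. I would separate the unset case from the explicitly configured one: when the path is unset, return SSL_verify_mode => SSL_VERIFY_PEER on its own so the IO::Socket::SSL builtin defaults cited in the reply apply; when it is set and is a regular file, pass it as SSL_ca_file; when it is set but is neither, die instead of downgrading. SSL_VERIFY_NONE would then be reachable only through an explicit opt-in switch. Two smaller points: the helper's comment says "certification validation" where "certificate validation" is meant, and the use IO::Socket::SSL statement inside the sub body is still processed at compile time, so placing it there does not defer loading the module.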