csirtgadgets / LWPx-ParanoidAgent

LWPx-ParanoidAgent
http://search.cpan.org/dist/LWPx-ParanoidAgent

Enforced use of Crypt::SSLeay for https allows easy Man-In-The-Middle attacks #11

Open noxxi opened 10 years ago

noxxi commented 10 years ago

Hi, I'm the maintainer of IO::Socket::SSL and stumbled over this module, which claims to "protect you from harm" compared with the normal LWP. Unfortunately, this module enforces the use of Crypt::SSLeay for https instead of IO::Socket::SSL and thus opens the user to more harm compared to normal LWP: Crypt::SSLeay does not know how to verify the host name inside the certificate, and thus it is easy to mount a man-in-the-middle attack by simply using any certificate signed by a trusted CA, no matter whether the host name matches.

I'm aware that the change was done to fix #4, but I think you fixed the problem the wrong way. #4 is caused by explicitly setting the socket non-blocking to handle timeouts, but then not dealing correctly with non-blocking in the https part. By using Crypt::SSLeay you simply hide the problem by switching to a module which does not have proper non-blocking support (it will busy-loop in read until it gets data instead of returning EAGAIN).

If you need help in fixing the issue please let me know.

Regards, Steffen

wesyoung commented 10 years ago

I haven't had time to look at this, but a few fixes came in; mind taking a look (if you have the cycles)?

wesyoung commented 10 years ago

(I think this entire problem needs to be re-thought out.) Mostly I just need a way to handle timeouts (at least at the time, LWP didn't give a good way of forcefully timing out (e.g. release this connection no matter what if it goes for more than 300s, as a way to avoid tar-pits); but I haven't looked at it in a while). Any suggestions?
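The two concerns raised in this thread, certificate host-name verification (noxxi's first comment) and an overall request deadline (wesyoung's last comment), can both be covered by a plain LWP::UserAgent without LWPx::ParanoidAgent. The script below is an added example, not code from the LWPx-ParanoidAgent repository or from either commenter. It assumes LWP 6.x with LWP::Protocol::https and IO::Socket::SSL installed; the `PERL_NET_HTTPS_SSL_SOCKET_CLASS` environment variable is the documented Net::HTTPS switch for choosing the SSL socket class, and the `alarm`-based wall-clock guard is one common approach, not something the module provides.

```perl
#!/usr/bin/env perl
# Added example: an HTTPS client that (1) uses IO::Socket::SSL so the peer
# certificate is checked against a trusted CA *and* against the URL host name,
# and (2) bounds the whole request with a wall-clock deadline, because
# LWP::UserAgent's `timeout` only limits each individual read, not the total
# time a slow server (a "tar-pit") can hold the connection open.
use strict;
use warnings;

# Net::HTTPS consults this variable when it is loaded, so set it before any
# LWP/Net::HTTPS code is compiled. Crypt::SSLeay would not verify host names.
BEGIN { $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'IO::Socket::SSL' }

use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $ua = LWP::UserAgent->new(
    timeout  => 30,                 # per-read timeout only (see above)
    ssl_opts => {
        verify_hostname => 1,       # certificate name must match the URL host
        SSL_verify_mode => SSL_VERIFY_PEER,   # chain must end in a trusted CA
        # SSL_ca_file   => '/path/to/ca-bundle.crt',  # placeholder: set if the
        #                                              # system CA store is not found
    },
);

# Run $ua->get($url) with an overall deadline of $deadline seconds.
# Returns the HTTP::Response on completion, or undef if the deadline fired.
sub fetch_with_deadline {
    my ($ua, $url, $deadline) = @_;
    my $res;
    my $timed_out = 0;
    eval {
        local $SIG{ALRM} = sub { die "deadline\n" };  # interrupts blocking I/O
        alarm $deadline;
        $res = $ua->get($url);
        alarm 0;
        1;
    } or do {
        alarm 0;
        die $@ unless $@ eq "deadline\n";   # propagate anything other than our timer
        $timed_out = 1;
    };
    return $timed_out ? undef : $res;
}

my $url = shift @ARGV or die "usage: $0 https://host/path\n";
my $res = fetch_with_deadline($ua, $url, 300);   # 300s total, per the discussion

if (!defined $res) {
    print "request exceeded the 300s deadline; connection abandoned\n";
} elsif ($res->is_success) {
    printf "OK: %s (%d bytes)\n", $res->status_line, length $res->decoded_content;
} else {
    # With verify_hostname => 1, a certificate that chains to a trusted CA but
    # is issued for a different host is reported here as a connection failure
    # (LWP wraps the SSL error into a 500-series internal response), rather
    # than being silently accepted.
    print "FAILED: ", $res->status_line, "\n";
}
```

The test worth running against this is a host whose certificate is valid but issued for another name (for example, connecting to a server by IP address instead of the name on its certificate): with `verify_hostname => 1` the request must fail, whereas a client that only checks the CA chain would return the page and hand the attacker exactly the position noxxi describes.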