libwww-perl / LWP-Protocol-https

Provide https support for LWP::UserAgent
https://metacpan.org/pod/LWP::Protocol::https

LWP::Protocol::https/_check_sock() has insufficient certificate checking [rt.cpan.org #43733] #40

Open oalders opened 7 years ago

oalders commented 7 years ago

Migrated from rt.cpan.org#43733 (status was 'open')

Requestors:

From antonio@dyne.org on 2009-02-28 12:30:17:

Forwarding from http://bugs.debian.org/507402
---

Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):

The reporter states:
"See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header("If-SSL-Cert-Subject").

$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAAAAD. Basically, all of that renders SSL support 
in LWP::UserAgent not only meaningless, but also gives the user 
impression of security, which is not only bad, but almost a malicious 
thing to do.

More experimentation has shown that this only happens when doing "use 
IO::Socket::SSL". Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level and it doesn't seem to 
be documented what exactly gets verified.... (server name at least?? How 
about redirects?....)

Please fix this and/or report it upstream because I consider it a major 
issue."

From ether@cpan.org on 2017-01-25 21:41:06:

migrated queues: libwww-perl -> LWP-Protocol-https

From 507402@bugs.debian.org on 2017-01-25 22:16:28:

Thank you for the additional information you have supplied regarding
this Bug report.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>

If you wish to submit further information on this problem, please
send it to 507402@bugs.debian.org.

Please do not send mail to owner@bugs.debian.org unless you wish
to report a problem with the Bug-tracking system.

-- 
507402: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=507402
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
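As an added example (not code from the issue or from LWP-Protocol-https itself), here is the lax LWP::UserAgent TLS configuration the report complains about next to a fail-closed one, plus a small request wrapper that treats "connected but not verified" as an error. The target URL, CA bundle path, expected certificate subject and form body are placeholders; the script needs network access to the target to actually run.

```perl
#!/usr/bin/env perl
# Added example, not part of LWP::Protocol::https or of the bug report.
# Weak vs. fail-closed TLS setup for LWP::UserAgent, and a wrapper that
# refuses a response LWP flags as coming from an unverified peer.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# ASSUMPTIONS (placeholders for this example): target URL, CA bundle,
# the regex for the expected certificate subject, and the form body.
my $URL     = $ARGV[0] // 'https://www.example.com/login';
my $CA_FILE = $ENV{CA_FILE} // '/etc/ssl/certs/ca-certificates.crt';
my $SUBJECT = '/CN=www\.example\.com$';            # for If-SSL-Cert-Subject
my $BODY    = 'user=alice&password=example';       # constructed sample body

# The weak configuration: verify_hostname => 0 makes LWP turn peer
# verification off in the socket layer, so the handshake succeeds against
# any certificate (self-signed, wrong name, expired). The request and its
# body go out; the only trace is a Client-SSL-Warning header on the response.
sub weak_ua {
    return LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => { verify_hostname => 0 },
    );
}

# The fail-closed configuration: verify_hostname => 1 makes LWP enable peer
# verification in IO::Socket::SSL, with the chain checked against $CA_FILE
# and the name checked against the URL host during the handshake. An
# unverifiable peer aborts the connection before any request byte is sent.
sub strict_ua {
    my $ua = LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => {
            verify_hostname => 1,
            SSL_ca_file     => $CA_FILE,
        },
    );
    # Do not follow redirects silently: a 302 to another host would carry the
    # credentials to a peer you never reviewed. Handle them explicitly instead.
    $ua->requests_redirectable([]);
    return $ua;
}

# POST $body to $url and refuse any response LWP marks as unverified.
# Returns (ok, message).
sub post_with_checks {
    my ($ua, $url, $body) = @_;
    my $req = HTTP::Request->new(POST => $url);
    $req->content_type('application/x-www-form-urlencoded');
    $req->content($body);
    # Optional pin on the subject: LWP::Protocol::https matches this regex
    # against the peer certificate subject and refuses the request on mismatch.
    $req->header('If-SSL-Cert-Subject' => $SUBJECT);

    my $res = $ua->request($req);

    # Belt and braces: if the socket layer let an unverified peer through,
    # LWP says so in Client-SSL-Warning. Treat that as a failure, but note
    # that at this point the request has already been sent; the handshake
    # settings above are the real control.
    if (my $warn = $res->header('Client-SSL-Warning')) {
        return (0, "TLS verification failed after send: $warn");
    }
    return (0, 'HTTP error: ' . $res->status_line) unless $res->is_success;
    return (1, sprintf 'OK (%s), peer subject: %s',
        $res->status_line, $res->header('Client-SSL-Cert-Subject') // 'n/a');
}

for my $mode ([weak => weak_ua()], [strict => strict_ua()]) {
    my ($name, $ua) = @$mode;
    my ($ok, $msg) = post_with_checks($ua, $URL, $BODY);
    printf "%-6s %s %s\n", $name, ($ok ? 'PASS' : 'FAIL'), $msg;
}
```

Two things to check in a deployment: the environment variables PERL_LWP_SSL_VERIFY_HOSTNAME and PERL_LWP_SSL_CA_FILE override the ssl_opts defaults, so a stray PERL_LWP_SSL_VERIFY_HOSTNAME=0 in a service's environment silently turns the strict configuration into the weak one; and the Client-SSL-Warning check only detects the problem after the request was sent, which is exactly the ordering the report objects to, so it is a tripwire for logging, not a substitute for verifying during the handshake.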