oss-sec mailing list archives

Re: Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL


From: Salvatore Bonaccorso <carnil () debian org>
Date: Sun, 4 May 2014 08:26:25 +0200

Hi,

On Fri, May 02, 2014 at 02:54:33PM -0600, Kurt Seifried wrote:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579

Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious

If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
server certificate verification:

An update on this issue for the affected versions:

Steffen Ullrich proposed a fix for this in [1]. The issue seems to have
been introduced in LWP::Protocol::https in commit [2], which corresponds
to version 6.04.

 [1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
 [2] https://github.com/dagolden/lwp-protocol-https/commit/bcc46ce2dab53d2e2baa583f2243d6fc7d36dcc8

Regards,
Salvatore
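As an added regression check that is not part of this thread or of libwww-perl: the script below issues the same request twice, once without and once with HTTPS_CA_FILE set, against an HTTPS listener whose certificate is not signed by any CA in the bundle given (the listener URL, the CA bundle path and the openssl setup in the comments are assumptions).

```perl
#!/usr/bin/perl
# Regression check for Debian bug #746579: does setting HTTPS_CA_FILE turn
# off server certificate verification in LWP + IO::Socket::SSL?
# Assumed setup (not from the thread): an HTTPS listener whose certificate is
# not signed by any CA in the bundle passed as the second argument, e.g.
#   openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem \
#       -subj /CN=localhost -days 1
#   openssl s_server -accept 4433 -cert cert.pem -key key.pem -www
use strict;
use warnings;
use LWP::UserAgent;

my $url     = $ARGV[0] || 'https://localhost:4433/';
my $ca_file = $ARGV[1] || '/etc/ssl/certs/ca-certificates.crt';

sub fetch {
    my ($u) = @_;
    # Default ssl_opts are verify_hostname => 1, so a certificate that no
    # trusted CA signed must make the request fail.
    my $ua  = LWP::UserAgent->new(timeout => 5);
    my $res = $ua->get($u);
    return { ok => $res->is_success ? 1 : 0, status => $res->status_line };
}

# Baseline: neither variable set; the untrusted certificate must be rejected.
delete @ENV{qw(HTTPS_CA_FILE HTTPS_CA_DIR)};
my $base = fetch($url);

# Same request with HTTPS_CA_FILE set. In affected LWP::Protocol::https
# versions verification is silently disabled and the request succeeds.
$ENV{HTTPS_CA_FILE} = $ca_file;
my $env = fetch($url);

printf "baseline: %s\nHTTPS_CA_FILE set: %s\n", $base->{status}, $env->{status};

if ($base->{ok}) {
    print "Setup problem: cert already trusted without HTTPS_CA_FILE.\n";
} elsif ($base->{status} !~ /certificate verify failed/i) {
    # Usual OpenSSL wording; anything else (e.g. connection refused)
    # is a transport problem, not a verification result.
    print "Inconclusive: baseline did not fail on certificate verification.\n";
} elsif ($env->{ok}) {
    print "VULNERABLE: HTTPS_CA_FILE disabled peer verification.\n";
    exit 1;
} else {
    print "Not affected: verification still enforced with HTTPS_CA_FILE set.\n";
}
```

Run it as `perl check.pl https://localhost:4433/ /path/to/ca-bundle.crt`; a non-zero exit means the installed LWP::Protocol::https shows the behaviour reported in the bug.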

