Package: liblwp-protocol-https-perl
Version: 6.06-2
Tags: security

This is follow up to bug #746579. When you set HTTPS_CA_DIR or HTTPS_CA_FILE in the environment, and use IO::Socket::SSL as the TLS backend (which is the default), LWP does not verify that the hostname matches the certificate's CN or subjectAltName:

$ HEAD https://5.153.231.4/ | head -n1
500 Can't connect to 5.153.231.4:443

$ HTTPS_CA_DIR=/etc/ssl/certs/ HEAD https://5.153.231.4/ | head -n1
200 OK


As I explained in the other bug, this is done for compatiblity with Crypt::SSLeay, but:

* There's nothing in the names of HTTPS_CA_* that would suggests that these variables are specific to Crypt::SSLeay, or LWP, or even Perl. So people might have them set in their environment for purposes unrelated to Crypt::SSLeay.

* I suspect that these days many users of LWP don't even know what Crypt::SSLeay is.

* There is nothing in the LWP documentation that suggests that setting HTTPS_CA_* might have negative security effect.


-- System Information:
Debian Release: stretch/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 4.0.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages liblwp-protocol-https-perl depends on:
ii  ca-certificates        20150426
ii  libio-socket-ssl-perl  2.016-1
ii  libnet-http-perl       6.07-1
ii  libwww-perl            6.08-1
ii  perl                   5.20.2-6

--
Jakub Wilk


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to