John Keeping <j...@keeping.me.uk> writes:
> On Fri, Jul 05, 2013 at 10:20:11AM -0700, Junio C Hamano wrote:
>> "brian m. carlson" <sand...@crustytoothpaste.net> writes:
>>
>> > You've covered the STARTTLS case, but not the SSL one right above it.
>> > Someone using smtps on port 465 will still see the warning. You can
>> > pass SSL_verify_mode to Net::SMTP::SSL->new just like you pass it to
>> > start_SSL.
>>
>> OK, will a fix-up look like this on top of 1/2 and 2/2?
>
> According to IO::Socket::SSL [1], if neither SSL_ca_file nor SSL_ca_path
> is specified then builtin defaults will be used, so I wonder if we
> should pass SSL_VERIFY_PEER regardless (possibly with a switch for
> SSL_VERIFY_NONE if people really need that).
>
> [1] http://search.cpan.org/~sullr/IO-Socket-SSL-1.951/lib/IO/Socket/SSL.pm
Interesting. That frees us from saying "we assume /etc/ssl/cacerts
is the default location, and let the users override it".
To help those "I do not want verification because I know my server
does not present valid certificate, I know my server is internal and
trustable, and I do not bother to fix it" people, we can let them
specify an empty string (or any non-directory) as the CACertPath,
and structure the code like so?
if (defined $smtp_ssl_cert_path && -d $smtp_ssl_cert_path) {
return (SSL_verify_mode => SSL_VERIFY_PEER,
SSL_ca_path => $smtp_ssl_cert_path);
} elsif (defined $smtp_ssl_cert_path) {
return (SSL_verify_mode => SSL_VERIFY_NONE);
} else {
return (SSL_verify_mode => SSL_VERIFY_PEER);
}
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
