* Jakub Wilk <jw...@debian.org>, 2014-05-02, 15:44:
> So the intention was to disable only hostname verification, for
> compatibility with Crypt::SSLeay (why?!), but the effect is that the
> SSL_verify_mode is set to 0.
To elaborate a bit on my "why?!":
* There's nothing in the names of HTTPS_CA_* that would suggest that
these variables are specific to Crypt::SSLeay, or LWP, or even Perl. So
people might have them set in their environment for purposes unrelated
to Crypt::SSLeay.
* I suspect that these days many users of LWP don't even know what
Crypt::SSLeay is.
* There is nothing in the LWP documentation that suggests that setting
HTTPS_CA_* might have a negative security effect.
If for some reason (I can't see such reason, but maybe I'm missing
something) disabling hostname verification is desirable when HTTPS_CA_*
is set, then it should be prominently documented.
Regarding the proposed patch, I have doubts whether it is correct.
My understanding of the documentation[0] is that, contrary to what the
name of the option suggests, verify_hostname is supposed to
enable/disable both certificate verification and that the certificate
matches hostname. But after this patch is applied, it will affect only the
latter.
[0] “When TRUE LWP will for secure protocol schemes ensure it connects
to servers that have a valid certificate matching the expected hostname.
If FALSE no checks are made and you can’t be sure that you communicate
with the expected peer.”
--
Jakub Wilk
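An added example, not code from this thread, from LWP or from Debian: it takes any CA location out of the Crypt::SSLeay-era HTTPS_CA_* variables before LWP can act on them, passes it explicitly through ssl_opts with verification on, and then fails closed if the effective options would skip either check. The mitigation approach and the helper names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Assumed mitigation: remove HTTPS_CA_FILE / HTTPS_CA_DIR from the process
# environment so the compatibility code path is never triggered, and hand the
# same CA location to LWP explicitly instead.
sub make_verifying_ua {
    my %opt = @_;
    my $env_file = delete $ENV{HTTPS_CA_FILE};
    my $env_dir  = delete $ENV{HTTPS_CA_DIR};
    my $ca_file  = $opt{ca_file} // $env_file;
    my $ca_dir   = $opt{ca_dir}  // $env_dir;

    my %ssl = (
        verify_hostname => 1,                # certificate chain AND name check
        SSL_verify_mode => SSL_VERIFY_PEER,  # never SSL_VERIFY_NONE (0)
    );
    $ssl{SSL_ca_file} = $ca_file if defined $ca_file;
    $ssl{SSL_ca_path} = $ca_dir  if defined $ca_dir;

    return LWP::UserAgent->new(ssl_opts => \%ssl);
}

# Fail closed: refuse a user agent whose effective options would disable
# hostname verification or set the verify mode to SSL_VERIFY_NONE.
sub assert_verifying {
    my ($ua) = @_;
    die "verify_hostname is off\n" unless $ua->ssl_opts('verify_hostname');
    my $mode = $ua->ssl_opts('SSL_verify_mode');
    die "SSL_verify_mode is SSL_VERIFY_NONE\n"
        if defined $mode && $mode == SSL_VERIFY_NONE;
    return 1;
}

my $ua = make_verifying_ua();
assert_verifying($ua);
# Placeholder host; replace with the real endpoint when using this.
my $res = $ua->get('https://example.invalid/');
print $res->status_line, "\n";
```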