Hi Jakub,

On Sun, May 04, 2014 at 10:50:24AM +0200, Jakub Wilk wrote:
> * Jakub Wilk <jw...@debian.org>, 2014-05-02, 15:44:
> > So the intention was to disable only hostname verification, for
> > compatibility with Crypt::SSLeay (why?!), but the effect is that
> > the SSL_verify_mode is set to 0.
>
> To elaborate a bit on my "why?!":
>
> * There's nothing in the names of HTTPS_CA_* that would suggest that
>   these variables are specific to Crypt::SSLeay, or LWP, or even Perl.
>   So people might have them set in their environment for purposes
>   unrelated to Crypt::SSLeay.
>
> * I suspect that these days many users of LWP don't even know what
>   Crypt::SSLeay is.
>
> * There is nothing in the LWP documentation that suggests that setting
>   HTTPS_CA_* might have a negative security effect.
>
> If for some reason (I can't see such a reason, but maybe I'm missing
> something) disabling hostname verification is desirable when HTTPS_CA_*
> is set, then it should be prominently documented.
>
> Regarding the proposed patch, I have doubts whether it is correct. My
> understanding of the documentation[0] is that, contrary to what the
> name of the option suggests, verify_hostname is supposed to
> enable/disable both certificate verification and the check that the
> certificate matches the hostname. But after this patch is applied, it
> will affect only the latter.
>
> [0] “When TRUE LWP will for secure protocol schemes ensure it connects
> to servers that have a valid certificate matching the expected
> hostname. If FALSE no checks are made and you can’t be sure that you
> communicate with the expected peer.”
Thanks for elaborating on this and taking the time. I have not yet uploaded a package with the commit applied. There is some discussion going on in the issue tracker at [1], with clarification from upstream of IO::Socket::SSL at [2].

[1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
[2] https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42160001

Regards,
Salvatore
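The following script is an added example for readers of this thread; it is not code from the thread, from libwww-perl or from LWP::Protocol::https. It constructs LWP::UserAgent objects under different environments and reports the ssl_opts they end up with, without opening a connection, so the effect of a stray HTTPS_CA_FILE that Jakub describes can be seen directly. The CA bundle path is only an illustration, and the described results assume the libwww-perl 6.x LWP::UserAgent->new, which takes a Crypt::SSLeay compatibility branch when HTTPS_CA_FILE or HTTPS_CA_DIR is set and verify_hostname was not passed explicitly.

```perl
#!/usr/bin/perl
# Added example, not code from this thread or from libwww-perl: show which
# ssl_opts an LWP::UserAgent resolves under different environments, with no
# network access involved.
use strict;
use warnings;
use LWP::UserAgent;

# Build a user agent with the given constructor options and return the three
# settings that decide how the HTTPS backend will verify the peer.
sub resolved_ssl_opts {
    my (%ctor_opts) = @_;
    my $ua = LWP::UserAgent->new(%ctor_opts);
    return {
        verify_hostname => $ua->ssl_opts('verify_hostname'),
        SSL_verify_mode => $ua->ssl_opts('SSL_verify_mode'),
        SSL_ca_file     => $ua->ssl_opts('SSL_ca_file'),
    };
}

sub show {
    my ($label, $opts) = @_;
    printf "%-46s verify_hostname=%s SSL_verify_mode=%s SSL_ca_file=%s\n",
        $label,
        map { defined $_ ? $_ : 'undef' }
            @{$opts}{qw(verify_hostname SSL_verify_mode SSL_ca_file)};
}

# Constructed scenario data; the bundle path is an illustration only.
my $bundle = '/etc/ssl/certs/ca-certificates.crt';

{
    # Baseline: none of the variables LWP looks at are present.
    local %ENV = %ENV;
    delete @ENV{qw(HTTPS_CA_FILE HTTPS_CA_DIR PERL_LWP_SSL_VERIFY_HOSTNAME
                   PERL_LWP_SSL_CA_FILE PERL_LWP_SSL_CA_PATH)};
    show('clean environment, defaults', resolved_ssl_opts());
}

{
    # The case raised in the thread: HTTPS_CA_FILE left in the environment for
    # some unrelated tool.  LWP::UserAgent->new (libwww-perl 6.x, assumed here)
    # then takes its Crypt::SSLeay compatibility branch and sets
    # verify_hostname => 0 together with SSL_verify_mode => 1; the thread
    # reports that the affected LWP::Protocol::https turns that into
    # SSL_verify_mode 0, i.e. no certificate verification at all.
    local %ENV = %ENV;
    delete @ENV{qw(HTTPS_CA_DIR PERL_LWP_SSL_VERIFY_HOSTNAME)};
    $ENV{HTTPS_CA_FILE} = $bundle;
    show('HTTPS_CA_FILE set, defaults', resolved_ssl_opts());

    # Passing verify_hostname explicitly means the compatibility branch is not
    # taken, so the environment variable can no longer downgrade this client.
    show('HTTPS_CA_FILE set, explicit verify_hostname', resolved_ssl_opts(
        ssl_opts => { verify_hostname => 1, SSL_ca_file => $bundle },
    ));
}
```

Run it once with a clean environment and once with HTTPS_CA_FILE exported to see the difference in the second line: under the assumed libwww-perl 6.x behaviour the defaults-only client reports verify_hostname 0, while the client that passed verify_hostname => 1 itself keeps it. Until the fix discussed in [1] is deployed, always passing verify_hostname explicitly in ssl_opts is the client-side way to stay out of the compatibility path.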