oss-sec mailing list archives
Debian Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 02 May 2014 14:54:33 -0600
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579

Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious

If LWP uses IO::Socket::SSL as the SSL socket class (this is the default), setting the HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!) server certificate verification:

...

So the intention was to disable only hostname verification, for compatibility with Crypt::SSLeay (why?!), but the effect is that SSL_verify_mode is set to 0.

So this probably needs a CVE. My thought is that you meant to disable hostname checks and ended up disabling all verification, so I guess it's a fine line, since disabling hostname checks means an attacker can use any CA you trust to get a cert for a hostname they control and mitm you; but if you are using an internal CA, this would allow a mitm that was not possible without this flaw, so there can be a violation in a relatively not completely insane setup.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
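A defensive way to keep the Crypt::SSLeay-style HTTPS_CA_FILE / HTTPS_CA_DIR variables from reaching the compatibility path described in the report, as an added example that is neither part of the post nor libwww-perl's own code: consume the variables, pass the CA location to IO::Socket::SSL explicitly through LWP::UserAgent's ssl_opts, force peer and hostname verification on, and fail closed if the agent does not report both. It assumes the documented LWP::UserAgent ssl_opts API and the IO::Socket::SSL constant SSL_VERIFY_PEER; the URL is only a placeholder.

```perl
#!/usr/bin/env perl
# Added example, not code from the bug report or from libwww-perl.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build a user agent whose verification settings are explicit, so LWP never
# has to interpret the legacy environment variables on our behalf.
sub make_verifying_agent {
    my %opts = (
        verify_hostname => 1,                # LWP: match the cert name to the host
        SSL_verify_mode => SSL_VERIFY_PEER,  # IO::Socket::SSL: require a valid chain
    );

    # Remove the legacy variables from the environment (delete returns the
    # old value), then hand the CA location over as explicit socket options.
    my $ca_file = delete $ENV{HTTPS_CA_FILE};
    my $ca_dir  = delete $ENV{HTTPS_CA_DIR};
    $opts{SSL_ca_file} = $ca_file if defined $ca_file && length $ca_file;
    $opts{SSL_ca_path} = $ca_dir  if defined $ca_dir  && length $ca_dir;

    my $ua = LWP::UserAgent->new(ssl_opts => \%opts);

    # Fail closed: read the effective settings back and refuse to continue if
    # either hostname checking or peer verification is not in force.
    die "refusing to run: verify_hostname is off\n"
        unless $ua->ssl_opts('verify_hostname');
    my $mode = $ua->ssl_opts('SSL_verify_mode');
    die "refusing to run: SSL_verify_mode does not require a peer cert\n"
        unless defined $mode && ($mode & SSL_VERIFY_PEER);

    return $ua;
}

# Placeholder URL; replace with the host you actually need to reach.
my $url = shift @ARGV // 'https://example.invalid/';
my $ua  = make_verifying_agent();
my $res = $ua->get($url);
print $res->status_line, "\n";
```

With a CA file or directory that does not contain the server's issuer, the request fails with a certificate verify error instead of silently succeeding, which is the behaviour the report says the environment-variable path lost.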