
Re: libio-socket-ssl-perl_1.15 in lenny?



Hi,

>> are there any chances to get the new libio-socket-ssl-perl from sid into
>> lenny before release? After which period of time of being in sid do
>> packages automatically enter testing?
> 
> I'm afraid the chances are very low.
> 
> Lenny has been frozen since 27th July [0], which means that packages move from
> sid to lenny only after a manual approval by the release team. The
> current guidelines for freeze exception from 1st December can be
> found at [0] and [1], and I think that libio-socket-ssl-perl does not
> qualify [2].

Well, the changes in IO::Socket::SSL really are quite security-related.
If you have a look at e.g. the Net::LDAP documentation, it says:

===
First of all, LDAPS can solve the problem of verifying that you are
connected to the correct server. When the client and server connect,
they perform a special SSL 'handshake', part of which involves the
server and client exchanging cryptographic keys, which are described
using X.509 certificates. If the client wishes to confirm that it is
connected to the correct server, all it needs to do is verify the
server's certificate which is sent in the handshake. This is done in two
ways:

   1. check that the certificate is signed (trusted) by someone that you
trust, and that the certificate hasn't been revoked. For instance, the
server's certificate may have been signed by Verisign
(www.verisign.com), and you decide that you want to trust Verisign to
sign legitimate certificates.
   2. check that the least-significant cn RDN in the server's
certificate's DN is the fully-qualified hostname of the hostname that
you connected to when creating the LDAPS object. For example if the
server is <cn=ldap.example.com,ou=My department,o=My company>, then the
RDN to check is cn=ldap.example.com.

You can do this by using the cafile and capath options when creating a
Net::LDAPS object, and by setting the verify option to 'require'.
===

Without the new version of IO::Socket::SSL the last sentence is WRONG:
Setting the verify option to 'require' just makes sure that point 1 is
checked correctly. BUT: There is absolutely no code in Net::LDAP that
checks point 2! Even worse: As a user of Net::LDAP you really have no
chance at all to check the hostname yourself, as there is no hook in the
code which would enable you to do so.

The new version of IO::Socket::SSL includes the necessary code to
enable other modules to verify the hostname. If a module does not do
this, IO::Socket::SSL falls back to the default of verifying the
hostname if 'require' is on - so it does exactly what the Net::LDAP
documentation states.

This is of course at first a bug in Net::LDAP (either in the
documentation or in the implementation), but IO::Socket::SSL does help
other modules a lot by implementing the necessary code for hostname
verification.

If you do not think that you can help, who should I talk to about this
matter? This is definitely not only about Net::LDAP but about every
single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP,
LDAP, IMAP, POP, SMTP, ...).

Thank you,

Christopher

-- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.122
    odenbach@uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================
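The hostname check the message is about (point 2 of the quoted Net::LDAP text), as an added illustration that is not part of the original mail and not IO::Socket::SSL's or Net::LDAP's own code. The first part re-implements the rule in plain Perl on constructed subject DNs and subjectAltName lists: two certificates that both chain to a trusted CA (point 1 passes for both) are accepted or rejected purely on the name. The `ldaps_socket` sub shows how the same check is requested from IO::Socket::SSL itself with its `SSL_verify_mode`, `SSL_ca_path`, `SSL_verifycn_scheme` and `SSL_verifycn_name` options; that these options are present in the IO::Socket::SSL release discussed here, and the CA directory `/etc/ssl/certs`, are assumptions. The sample DNs and hostnames are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Point 2 from the Net::LDAP docs: take the least-significant cn RDN of the
# server certificate's subject DN and compare it with the hostname we
# connected to. Stand-alone re-implementation for illustration only; the real
# check lives in IO::Socket::SSL (SSL_verifycn_scheme / verify_hostname).
sub leaf_cn {
    my ($dn) = @_;
    # A DN is written most-specific RDN first: "cn=host,ou=...,o=...".
    # (Simplified: escaped commas inside RDN values are not handled.)
    for my $rdn (split /\s*,\s*/, $dn) {
        return lc $1 if $rdn =~ /^cn=(.+)$/i;
    }
    return;
}

# Compare one certificate name (possibly "*.example.com") with the hostname.
# A wildcard may only stand for a single DNS label.
sub name_matches {
    my ($pattern, $host) = @_;
    ($pattern, $host) = (lc $pattern, lc $host);
    if ($pattern =~ /^\*\.(.+)$/) {
        my $suffix = $1;
        return 0 if $host !~ /^[^.]+\.(.+)$/;   # host needs >= 2 labels
        return $1 eq $suffix ? 1 : 0;
    }
    return $pattern eq $host ? 1 : 0;
}

# $cert is a hashref standing in for a parsed certificate (constructed here):
#   { subject => 'cn=...,ou=...', san => [ 'DNS:ldap.example.com', ... ] }
# If subjectAltName carries DNS names they are authoritative, otherwise the
# leaf CN of the subject DN is used.
sub hostname_verified {
    my ($cert, $host) = @_;
    my @candidates = map { /^DNS:(.+)$/i ? $1 : () } @{ $cert->{san} || [] };
    if (!@candidates) {
        my $cn = leaf_cn($cert->{subject});
        push @candidates, $cn if defined $cn;
    }
    for my $c (@candidates) { return 1 if name_matches($c, $host) }
    return 0;
}

# Chain check (point 1) AND hostname check (point 2) with IO::Socket::SSL.
# Option names are IO::Socket::SSL's; availability in the release under
# discussion and the CA directory are assumptions.
sub ldaps_socket {
    my ($host) = @_;
    require IO::Socket::SSL;
    return IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => 636,
        SSL_verify_mode     => IO::Socket::SSL::SSL_VERIFY_PEER(),
        SSL_ca_path         => '/etc/ssl/certs',   # assumed CA store
        SSL_verifycn_scheme => 'ldap',             # enable hostname check
        SSL_verifycn_name   => $host,              # ... against this name
    ) or die "LDAPS to $host failed: " . IO::Socket::SSL->errstr . "\n";
}

if (@ARGV) {
    my $sock = ldaps_socket($ARGV[0]);
    print "verified LDAPS connection to $ARGV[0]\n";
    exit 0;
}

# Constructed sample certificates. Assume all of them are signed by a CA we
# trust, so a chain-only check (verify => 'require' alone) accepts every one.
my %good = ( subject => 'cn=ldap.example.com,ou=My department,o=My company' );
my %evil = ( subject => 'cn=attacker.example.net,ou=Other dept,o=Other company' );
my %san  = ( subject => 'cn=Some server,o=My company',
             san     => [ 'DNS:ldap.example.com', 'DNS:*.corp.example.com' ] );

for my $case ( [ 'good',  \%good, 'ldap.example.com' ],
               [ 'evil',  \%evil, 'ldap.example.com' ],      # chain OK, wrong host
               [ 'san',   \%san,  'ldap.example.com' ],
               [ 'wild',  \%san,  'dc1.corp.example.com' ],
               [ 'wild2', \%san,  'a.b.corp.example.com' ] ) { # wildcard = 1 label
    my ($name, $cert, $host) = @$case;
    printf "%-5s %-22s -> %s\n", $name, $host,
        hostname_verified($cert, $host) ? 'hostname OK'
                                        : 'REJECT: hostname mismatch';
}
```

Run without arguments it prints the five constructed cases (`evil` and `wild2` are rejected, the rest accepted); run with a hostname it opens a real LDAPS connection with both checks enabled and dies on either a chain or a name failure. The `evil` case is exactly the situation the message describes: a certificate that passes point 1 for any hostname, which a chain-only `verify => 'require'` cannot tell apart from the right server.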


