Hi,

>> are there any chances to get the new libio-socket-ssl-perl from sid into
>> lenny before release? After which period of time of being in sid do
>> packages automatically enter testing?
>
> I'm afraid the chances are very low.
>
> Lenny has been frozen since 27th July [0], which means that packages move from
> sid to lenny only after a manual approval by the release team. The
> current guidelines for freeze exceptions from 1st December can be
> found at [0] and [1], and I think that libio-socket-ssl-perl does not
> qualify [2].

Well, the changes in IO::Socket::SSL really are quite security-related. If you have a look at e.g. the Net::LDAP documentation, it says:

===
First of all, LDAPS can solve the problem of verifying that you are connected to the correct server. When the client and server connect, they perform a special SSL 'handshake', part of which involves the server and client exchanging cryptographic keys, which are described using X.509 certificates. If the client wishes to confirm that it is connected to the correct server, all it needs to do is verify the server's certificate which is sent in the handshake. This is done in two ways:

1. check that the certificate is signed (trusted) by someone that you trust, and that the certificate hasn't been revoked. For instance, the server's certificate may have been signed by Verisign (www.verisign.com), and you decide that you want to trust Verisign to sign legitimate certificates.

2. check that the least-significant cn RDN in the server's certificate's DN is the fully-qualified hostname of the hostname that you connected to when creating the LDAPS object. For example if the server is <cn=ldap.example.com,ou=My department,o=My company>, then the RDN to check is cn=ldap.example.com.

You can do this by using the cafile and capath options when creating a Net::LDAPS object, and by setting the verify option to 'require'.
===

Without the new version of IO::Socket::SSL the last sentence is WRONG: Setting the verify option to 'require' just makes sure that point 1 is checked correctly. BUT: There is absolutely no code in Net::LDAP that checks point 2! Even worse: As a user of Net::LDAP you really have no chance at all to check the hostname yourself, as there is no hook in the code which would enable you to do so.

The new version of IO::Socket::SSL includes the necessary code to enable other modules to verify the hostname. If a module does not do this, IO::Socket::SSL falls back to the default of verifying the hostname if 'require' is on - so it does exactly what the Net::LDAP documentation states.

This is of course at first a bug in Net::LDAP (either in the documentation or in the implementation), but IO::Socket::SSL does help other modules a lot by implementing the necessary code for hostname verification.

If you do not think that you can help, who should I talk to about this matter? This is definitely not only about Net::LDAP but about every single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP, LDAP, IMAP, POP, SMTP, ...).

Thank you,

Christopher

--
======================================================
Dipl.-Ing. Christopher Odenbach
Zentrum fuer Informations- und Medientechnologien
Universitaet Paderborn
Raum N5.122
odenbach@uni-paderborn.de
Tel.: +49 5251 60 5315
======================================================
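The check the message above calls "point 2", as an added example that is not part of the original message and not code from IO::Socket::SSL or Net::LDAP. It is written in Python against the dict layout that ssl.SSLSocket.getpeercert() returns, so the same function runs offline over constructed certificates and over a live peer certificate. It reproduces the rule a client has to apply after the chain check: dNSName entries in subjectAltName take precedence (a wildcard is accepted only as the entire left-most label), the least-significant CN is a fallback only for a certificate without any SAN, a connection by IP address is matched against iPAddress entries only, and an empty peer-certificate dict (what you get when verification was never requested) is a failure rather than a pass. The certificate dicts, hostnames, and the two context helpers that contrast "chain only" with "chain plus hostname" are assumptions made for illustration; recent Python versions perform this check themselves while check_hostname is on, so the block shows what the check entails, not a replacement for the library's own.

```python
"""Hostname verification ("point 2") on top of a chain check ("point 1").

Added example; not code from the original post, IO::Socket::SSL or Net::LDAP.
Operates on the dict that ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
import ssl


class HostnameMismatch(Exception):
    """The certificate is not issued for the host we meant to talk to."""


def _dns_match(pattern, hostname):
    """Match one dNSName (or CN) pattern against a hostname, RFC 6125 style:
    case-insensitive, trailing dot ignored, '*' only as the whole left-most
    label, never spanning a dot, and never for a name as short as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False                      # partial or non-leading wildcard
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False                      # '*.com', or wildcard across labels
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, hostname):
    """Raise HostnameMismatch unless `cert` names `hostname`.

    An empty dict means the peer certificate was never verified (CERT_NONE);
    that must not pass, which is exactly the silent gap described above.
    """
    if not cert:
        raise HostnameMismatch("no verified peer certificate available")
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # Connected by address: only iPAddress SAN entries count, never a CN.
        if any(ipaddress.ip_address(n) == wanted_ip for n in ip_names):
            return
        raise HostnameMismatch("no iPAddress SAN for %s" % hostname)

    if dns_names:
        # Once a certificate carries dNSName SANs, the CN is ignored entirely.
        if any(_dns_match(n, hostname) for n in dns_names):
            return
        raise HostnameMismatch("%r not in SAN %r" % (hostname, dns_names))

    # Legacy certificate without SAN: the least-significant CN RDN, i.e. the
    # rule the Net::LDAP documentation quoted above describes.
    common_names = [value for rdn in cert.get("subject", ())
                    for kind, value in rdn if kind == "commonName"]
    if common_names and _dns_match(common_names[-1], hostname):
        return
    raise HostnameMismatch("%r does not match CN %r" % (hostname, common_names))


def hostname_matches(cert, hostname):
    """Boolean convenience wrapper around match_hostname()."""
    try:
        match_hostname(cert, hostname)
    except HostnameMismatch:
        return False
    return True


def chain_only_context(cafile=None):
    """Weak setting: the chain is checked but nobody checks the name, so any
    certificate from a trusted CA, issued for any host, is accepted."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    return ctx


def chain_and_hostname_context(cafile=None):
    """Corrected setting: chain check plus hostname check."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    return ctx


def verify_peer(tls_sock, hostname):
    """Apply the hostname check to a connected ssl.SSLSocket, e.g. one made
    from chain_only_context(): the hook the post says Net::LDAP lacked."""
    match_hostname(tls_sock.getpeercert(), hostname)


# Constructed certificates (not real), in getpeercert() layout.
SAN_CERT = {
    "subject": ((("countryName", "DE"),),
                (("organizationName", "My company"),),
                (("organizationalUnitName", "My department"),),
                (("commonName", "ldap.example.com"),)),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.example.net")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "ldap.example.com"),),)}
MISLEADING_CN_CERT = {               # CN says ldap, the SAN says otherwise
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
IP_CERT = {"subjectAltName": (("IP Address", "10.0.0.1"),)}

if __name__ == "__main__":
    for cert, host in ((SAN_CERT, "a.example.net"), (SAN_CERT, "a.b.example.net"),
                       (CN_ONLY_CERT, "evil.example.com"),
                       (MISLEADING_CN_CERT, "ldap.example.com"), ({}, "any")):
        print(host, "->", hostname_matches(cert, host))
```

The MISLEADING_CN_CERT case is the one worth remembering: a certificate whose CN reads ldap.example.com but whose SAN names a different host is rejected, because the CN is only consulted when no SAN exists at all. Likewise the empty dict case is what a client silently passes when it asks for verify => 'require' but the library only ever validated the chain.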