On Fri, 19 Sep 2008 14:19:57 +0200, Christopher Odenbach wrote:

[Full quote for the release team.]

> >> are there any chances to get the new libio-socket-ssl-perl from sid into
> >> lenny before release? After which period of time of being in sid do
> >> packages automatically enter testing?
> >
> > I'm afraid the chances are very low.
> > Lenny has been frozen since 27th July [0], which means that packages move from
> > sid to lenny only after a manual approval by the release team. The
> > current guidelines for freeze exception from 1st December can be
> > found at [0] and [1], and I think that libio-socket-ssl-perl does not
> > qualify [2].
>
> Well, the changes in IO::Socket::SSL really are quite security-related.
> If you have a look at e.g. the Net::LDAP documentation, it says:
>
> ===
> First of all, LDAPS can solve the problem of verifying that you are
> connected to the correct server. When the client and server connect,
> they perform a special SSL 'handshake', part of which involves the
> server and client exchanging cryptographic keys, which are described
> using X.509 certificates. If the client wishes to confirm that it is
> connected to the correct server, all it needs to do is verify the
> server's certificate which is sent in the handshake. This is done in two
> ways:
>
> 1. check that the certificate is signed (trusted) by someone that you
> trust, and that the certificate hasn't been revoked. For instance, the
> server's certificate may have been signed by Verisign
> (www.verisign.com), and you decide that you want to trust Verisign to
> sign legitimate certificates.
> 2. check that the least-significant cn RDN in the server's
> certificate's DN is the fully-qualified hostname of the hostname that
> you connected to when creating the LDAPS object. For example if the
> server is <cn=ldap.example.com,ou=My department,o=My company>, then the
> RDN to check is cn=ldap.example.com.
>
> You can do this by using the cafile and capath options when creating a
> Net::LDAPS object, and by setting the verify option to 'require'.
> ===
>
> Without the new version of IO::Socket::SSL the last sentence is WRONG:
> Setting the verify option to 'require' just makes sure that point 1 is
> checked correctly. BUT: There is absolutely no code in Net::LDAP that
> checks point 2! Even worse: As a user of Net::LDAP you really have no
> chance at all to check the hostname yourself, as there is no hook in the
> code which would enable you to do so.
>
> The new version of IO::Socket::SSL includes the necessary code to
> enable other modules to verify the hostname. If a module does not do
> this, IO::Socket::SSL falls back to the default of verifying the
> hostname if 'require' is on - so it does exactly what the Net::LDAP
> documentation states.
>
> This is of course at first a bug in Net::LDAP (either in the
> documentation or in the implementation), but IO::Socket::SSL does help
> other modules a lot by implementing the necessary code for hostname
> verification.

I see your point.

> If you do not think that you can help, who should I talk to about this
> matter? This is definitely not only about Net::LDAP but about every
> single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP,
> LDAP, IMAP, POP, SMTP, ...).

It's the decision of the release team, therefore I'm cc'ing them and ask
for their opinion instead of guessing what they may think :)

(Thread starting at http://lists.debian.org/debian-perl/2008/09/msg00121.html )

Cheers,
gregor

-- 
 .''`.  Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'  Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-   NP: 90's Dance: Aqua - Barbie Girl
Attachment:
signature.asc
Description: Digital signature
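An added illustration of the two checks the quoted Net::LDAP text describes (chain validation and hostname matching), written against IO::Socket::SSL directly rather than through Net::LDAPS; this is example code, not from the thread or from either module. The server name, port and CA bundle path are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of the mailing-list thread.
# Opens a TLS connection to an LDAPS port and enforces both checks:
#   point 1: the certificate chains to a trusted CA (SSL_verify_mode)
#   point 2: the certificate is issued for the host we dialled
#            (SSL_verifycn_scheme / SSL_verifycn_name, new in IO::Socket::SSL)
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

my $host    = 'ldap.example.com';                     # assumed server name
my $port    = 636;                                     # assumed LDAPS port
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';    # assumed CA bundle

# Weak form (what 'verify => require' alone gave through the old module):
# SSL_verify_mode + SSL_ca_file only. Any certificate from a trusted CA,
# issued for any name, is accepted, so a wrong server with a valid
# certificate is not detected.
#
# Hardened form: add the 'ldap' verification scheme so the peer certificate
# must also match $host (CN or subjectAltName) before new() succeeds.
my $sock = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => $port,
    SSL_verify_mode     => SSL_VERIFY_PEER,   # point 1: chain to a trusted CA
    SSL_ca_file         => $ca_file,
    SSL_verifycn_scheme => 'ldap',            # point 2: hostname matching
    SSL_verifycn_name   => $host,
) or die "connect/verify to $host:$port failed: $IO::Socket::SSL::SSL_ERROR\n";

# The same hostname check is also available explicitly after the handshake;
# this is the hook a caller (e.g. Net::LDAP) can use to verify the name
# itself when it has not asked new() to do so.
$sock->verify_hostname($host, 'ldap')
    or die "certificate CN '" . ($sock->peer_certificate('cn') // '')
         . "' does not match $host\n";

printf "verified: connected to %s, peer CN is %s\n",
    $host, $sock->peer_certificate('cn');
$sock->close(SSL_ctx_free => 1);
```

Running this against a server whose certificate chains correctly but carries a different name fails at the hardened new() call, which is exactly the case the weak form lets through.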