
Re: libio-socket-ssl-perl_1.15 in lenny?



On Fri, 19 Sep 2008 14:19:57 +0200, Christopher Odenbach wrote:

[Full quote for the release team.]

> >> are there any chances to get the new libio-socket-ssl-perl from sid into
> >> lenny before release? After which period of time of being in sid do
> >> packages automatically enter testing?
> > I'm afraid the chances are very low.
> > Lenny has been frozen since 27th July [0], which means that packages move from
> > sid to lenny only after a manual approval by the release team. The
> > current guidelines for freeze exceptions from 1st December can be
> > found at [0] and [1], and I think that libio-socket-ssl-perl does not
> > qualify [2].
> 
> Well, the changes in IO::Socket::SSL really are quite security-related.
> If you have a look at e.g. the Net::LDAP documentation, it says:
> 
> ===
> First of all, LDAPS can solve the problem of verifying that you are
> connected to the correct server. When the client and server connect,
> they perform a special SSL 'handshake', part of which involves the
> server and client exchanging cryptographic keys, which are described
> using X.509 certificates. If the client wishes to confirm that it is
> connected to the correct server, all it needs to do is verify the
> server's certificate which is sent in the handshake. This is done in two
> ways:
> 
>    1. check that the certificate is signed (trusted) by someone that you
> trust, and that the certificate hasn't been revoked. For instance, the
> server's certificate may have been signed by Verisign
> (www.verisign.com), and you decide that you want to trust Verisign to
> sign legitimate certificates.
>    2. check that the least-significant cn RDN in the server's
> certificate's DN is the fully-qualified hostname of the hostname that
> you connected to when creating the LDAPS object. For example if the
> server is <cn=ldap.example.com,ou=My department,o=My company>, then the
> RDN to check is cn=ldap.example.com.
> 
> You can do this by using the cafile and capath options when creating a
> Net::LDAPS object, and by setting the verify option to 'require'.
> ===
> 
> Without the new version of IO::Socket::SSL the last sentence is WRONG:
> Setting the verify option to 'require' just makes sure that point 1 is
> checked correctly. BUT: There is absolutely no code in Net::LDAP that
> checks point 2! Even worse: As a user of Net::LDAP you really have no
> chance at all to check the hostname yourself, as there is no hook in the
> code which would enable you to do so.
> 
> The new version of IO::Socket::SSL includes the necessary code to
> enable other modules to verify the hostname. If a module does not do
> this, IO::Socket::SSL falls back to the default of verifying the
> hostname if 'require' is on - so it does exactly what the Net::LDAP
> documentation states.
> 
> This is of course at first a bug in Net::LDAP (either in the
> documentation or in the implementation), but IO::Socket::SSL does help
> other modules a lot by implementing the necessary code for hostname
> verification.

I see your point.
 
> If you do not think that you can help, who should I talk to about this
> matter? This is definitely not only about Net::LDAP but about every
> single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP,
> LDAP, IMAP, POP, SMTP, ...).

It's the decision of the release team, therefore I'm cc'ing them and
asking for their opinion instead of guessing what they may think :)

(Thread starting at http://lists.debian.org/debian-perl/2008/09/msg00121.html )

Cheers,
gregor

-- 
 .''`.   Home: http://info.comodo.priv.at/{,blog/} / GPG Key ID: 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT, SPI Inc., fellow of FSFE | http://got.to/quote/
   `-    NP: 90's Dance: Aqua - Barbie Girl

Attachment: signature.asc
Description: Digital signature
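The point of the thread is that "step 2" of the quoted Net::LDAP documentation, matching the certificate's leaf cn against the hostname you actually connected to, was not performed by anything in the Net::LDAP / IO::Socket::SSL stack in lenny, even with verify => 'require'. The following is an added, stand-alone example (not code from the thread, from Net::LDAP or from IO::Socket::SSL) of what that check has to do; the function names leaf_cn_from_dn, name_matches_host and ldaps_host_ok and the sample DNs are constructed for illustration. It runs offline against the constructed DNs and needs only core Perl.

```perl
#!/usr/bin/perl
# Added example: the hostname check described as "step 2" in the
# Net::LDAP docs, written out so it is visible what verify => 'require'
# (chain/CA check, "step 1") alone does NOT cover.
# Function names and sample data are constructed for this example.
use strict;
use warnings;

# Return the value of the least-significant (leftmost) cn RDN of an
# LDAP-style DN string, or undef if there is none.  Commas inside an
# RDN value are backslash-escaped, so a plain split on "," is wrong.
sub leaf_cn_from_dn {
    my ($dn) = @_;
    my @rdns = split /(?<!\\),/, $dn;          # split on unescaped commas
    for my $rdn (@rdns) {
        if ($rdn =~ /^\s*cn\s*=\s*(.*?)\s*$/i) {
            (my $value = $1) =~ s/\\(.)/$1/g;  # drop RDN escaping
            return $value;
        }
    }
    return undef;
}

# RFC 2818-style match of a certificate name against the hostname the
# client connected to: case-insensitive; a single leading "*." matches
# exactly one DNS label; nothing else is treated as a wildcard.
sub name_matches_host {
    my ($cert_name, $host) = @_;
    return 0 unless defined $cert_name && defined $host;
    $cert_name = lc $cert_name;
    $host      = lc $host;
    $host =~ s/\.\z//;                          # tolerate a trailing dot
    return 1 if $cert_name eq $host;
    if ($cert_name =~ /^\*\.(.+)$/) {
        my $suffix = $1;
        return 0 if $suffix !~ /\./;            # refuse "*.com" style names
        return $host =~ /^[^.]+\.\Q$suffix\E$/ ? 1 : 0;
    }
    return 0;
}

# The check an LDAPS client should run AFTER the CA/chain check passed.
sub ldaps_host_ok {
    my ($subject_dn, $host) = @_;
    return name_matches_host(leaf_cn_from_dn($subject_dn), $host);
}

# Constructed test data: subject DN, host connected to, expected result.
my @cases = (
    ['cn=ldap.example.com,ou=My department,o=My company', 'ldap.example.com',  1],
    ['cn=ldap.example.com,ou=My department,o=My company', 'LDAP.Example.COM',  1],
    ['cn=ldap.example.com,ou=My department,o=My company', 'ldap.evil.example', 0],
    ['cn=*.example.com,o=My company',                     'ldap.example.com',  1],
    ['cn=*.example.com,o=My company',                     'a.b.example.com',   0],
    ['cn=*.com,o=Bogus',                                  'example.com',       0],
    ['ou=My department,o=My company',                     'ldap.example.com',  0],
    ['cn=Doe\, John,cn=ldap.example.com,o=X',             'ldap.example.com',  0],
);

my $failures = 0;
for my $c (@cases) {
    my ($dn, $host, $want) = @$c;
    my $got = ldaps_host_ok($dn, $host);
    printf "%-4s %-52s vs %-18s => %d\n",
        ($got == $want ? 'ok' : 'FAIL'), $dn, $host, $got;
    $failures++ if $got != $want;
}
exit($failures ? 1 : 0);
```

The third case is the attack the thread is about: a certificate for ldap.evil.example that chains to a trusted CA passes step 1 and would have been accepted by a client that only set verify => 'require'. The last case shows why the DN is parsed rather than split on commas: the leaf cn is "Doe, John", not ldap.example.com. Two caveats a practitioner would add today: real verification must consult the subjectAltName dNSName entries before falling back to the cn (RFC 2818/6125), which the quoted Net::LDAP text does not mention, and in later IO::Socket::SSL releases this matching is what the SSL_verifycn_scheme / SSL_verifycn_name options and the verify_hostname method do, so application code should use those rather than reimplementing the check.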

