
Re: libio-socket-ssl-perl_1.15 in lenny?



gregor herrmann wrote:
> On Fri, 19 Sep 2008 14:19:57 +0200, Christopher Odenbach wrote:
> 
> [Full quote for the release team.]
> 
>>>> are there any chances to get the new libio-socket-ssl-perl from sid into
>>>> lenny before release? After which period of time of being in sid do
>>>> packages automatically enter testing?
>>> I'm afraid the chances are very low.
>>> Lenny has been frozen since 27th July [0], which means that packages move from
>>> sid to lenny only after a manual approval by the release team. The
>>> current guidelines for freeze exception from 1st December can be
>>> found at [0] and [1], and I think that libio-socket-ssl-perl does not
>>> qualify [2].
>> Well, the changes in IO::Socket::SSL really are quite security-related.
>> If you have a look at e.g. the Net::LDAP documentation, it says:
>>
>> ===
>> First of all, LDAPS can solve the problem of verifying that you are
>> connected to the correct server. When the client and server connect,
>> they perform a special SSL 'handshake', part of which involves the
>> server and client exchanging cryptographic keys, which are described
>> using X.509 certificates. If the client wishes to confirm that it is
>> connected to the correct server, all it needs to do is verify the
>> server's certificate which is sent in the handshake. This is done in two
>> ways:
>>
>>    1. check that the certificate is signed (trusted) by someone that you
>> trust, and that the certificate hasn't been revoked. For instance, the
>> server's certificate may have been signed by Verisign
>> (www.verisign.com), and you decide that you want to trust Verisign to
>> sign legitimate certificates.
>>    2. check that the least-significant cn RDN in the server's
>> certificate's DN is the fully-qualified hostname of the hostname that
>> you connected to when creating the LDAPS object. For example if the
>> server is <cn=ldap.example.com,ou=My department,o=My company>, then the
>> RDN to check is cn=ldap.example.com.
>>
>> You can do this by using the cafile and capath options when creating a
>> Net::LDAPS object, and by setting the verify option to 'require'.
>> ===
>>
>> Without the new version of IO::Socket::SSL the last sentence is WRONG:
>> Setting the verify option to 'require' just makes sure that point 1 is
>> checked correctly. BUT: There is absolutely no code in Net::LDAP that
>> checks point 2! Even worse: As a user of Net::LDAP you really have no
>> chance at all to check the hostname yourself, as there is no hook in the
>> code which would enable you to do so.
>>
>> The new version of IO::Socket::SSL includes the necessary code to
>> enable other modules to verify the hostname. If a module does not do
>> this, IO::Socket::SSL falls back to the default of verifying the
>> hostname if 'require' is on - so it does exactly what the Net::LDAP
>> documentation states.
>>
>> This is of course at first a bug in Net::LDAP (either in the
>> documentation or in the implementation), but IO::Socket::SSL does help
>> other modules a lot by implementing the necessary code for hostname
>> verification.
> 
> I see your point.
>  
>> If you do not think that you can help, who should I talk to about this
>> matter? This is definitely not only about Net::LDAP but about every
>> single perl module that uses SSL by using IO::Socket::SSL (e.g. LWP,
>> LDAP, IMAP, POP, SMTP, ...).
> 
> It's the decision of the release team, therefore I'm cc'ing them and
> asking for their opinion instead of guessing what they may think :)
> 
> (Thread starting at http://lists.debian.org/debian-perl/2008/09/msg00121.html )

Please provide a diff with all the whitespace changes in SSL.pm stripped.

Cheers

Luk
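The two checks the quoted Net::LDAP documentation describes, written out so the gap the thread is about is visible. This is an added example, not code from Debian, Net::LDAP or IO::Socket::SSL: it implements check 2 (least-significant cn RDN equals the dialled host name) as a plain function over constructed subject DNs, and shows the IO::Socket::SSL options (SSL_verifycn_scheme, SSL_verifycn_name, taken from that module's documentation) that ask the library to do the same check. The DN splitting is deliberately simple (it only honours "\," escapes) and the sample DNs and the "chain verified" flags are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example: check 1 (chain) vs. check 2 (host name) for an LDAPS peer.
use strict;
use warnings;

# Split an RFC 4514 DN string into its RDNs.  Only "\," escapes are
# honoured, which is enough for the DN shapes used below (assumption).
sub dn_rdns {
    my ($dn) = @_;
    return map { my $r = $_; $r =~ s/\\,/,/g; $r } split /(?<!\\),/, $dn;
}

# Check 2 from the Net::LDAP documentation: the least-significant RDN of
# the subject DN (the leftmost one in string form) must be a cn equal to
# the host name the client connected to.  Comparison is case-insensitive,
# a trailing dot on the host is ignored, and a wildcard cn is rejected,
# the strict behaviour appropriate for LDAP.
sub cn_matches_host {
    my ($subject_dn, $host) = @_;
    my ($first_rdn) = dn_rdns($subject_dn);
    return 0 unless defined $first_rdn;
    my ($type, $value) = $first_rdn =~ /^\s*([^=]+?)\s*=\s*(.*?)\s*$/
        or return 0;
    return 0 unless lc($type) eq 'cn';
    return 0 if $value =~ /\*/;          # no wildcards in cn for LDAP
    $host =~ s/\.\z//;                   # "ldap.example.com." -> "ldap.example.com"
    return lc($value) eq lc($host) ? 1 : 0;
}

# 'verify => require' in Net::LDAPS gives you only check 1.  A complete
# verdict needs both: a certificate that a trusted CA issued for some
# *other* host has to be refused as well.
sub peer_is_trusted {
    my ($chain_ok, $subject_dn, $host) = @_;
    return $chain_ok && cn_matches_host($subject_dn, $host) ? 1 : 0;
}

# Constructed sample data: the DN from the Net::LDAP documentation, plus
# certificates a trusted CA might have issued to other names.
my $host  = 'ldap.example.com';
my @cases = (
    # [ description, chain verified?, subject DN ]
    [ 'right host, trusted CA',   1, 'cn=ldap.example.com,ou=My department,o=My company' ],
    [ 'right host, untrusted CA', 0, 'cn=ldap.example.com,ou=My department,o=My company' ],
    [ 'other host, trusted CA',   1, 'cn=mitm.example.net,ou=Ops,o=Someone else'        ],
    [ 'wildcard cn, trusted CA',  1, 'cn=*.example.com,o=My company'                    ],
);
for my $c (@cases) {
    my ($desc, $chain_ok, $dn) = @$c;
    printf "%-26s chain=%d  cn-match=%d  => %s\n", $desc, $chain_ok,
        cn_matches_host($dn, $host),
        peer_is_trusted($chain_ok, $dn, $host) ? 'accept' : 'REJECT';
}

# With the IO::Socket::SSL version this thread is about, the library can do
# check 2 itself.  The option names are from the IO::Socket::SSL
# documentation.  This sub only runs when host and CA file are given on the
# command line, so the demo above works without the module or a network.
sub connect_ldaps_verified {
    my ($peer, $ca_file) = @_;
    require IO::Socket::SSL;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $peer,
        PeerPort            => 636,
        SSL_verify_mode     => IO::Socket::SSL::SSL_VERIFY_PEER(),  # check 1
        SSL_ca_file         => $ca_file,
        SSL_verifycn_scheme => 'ldap',   # check 2 with the LDAP matching rules
        SSL_verifycn_name   => $peer,    # ... against the name we dialled
    ) or die "TLS to $peer failed: " . IO::Socket::SSL::errstr() . "\n";
    return $sock;
}

if (@ARGV == 2) {
    my $sock = connect_ldaps_verified(@ARGV);
    print "verified connection to $ARGV[0]: ",
        $sock->peer_certificate('subject'), "\n";
}
```

Run without arguments for the offline table (only the first case is accepted; the certificate for mitm.example.net passes the chain check and is rejected solely by check 2). Run as `perl check.pl ldap.example.com /etc/ssl/certs/ca-certificates.crt` to let IO::Socket::SSL perform both checks against a real server; without SSL_verifycn_scheme/SSL_verifycn_name, SSL_VERIFY_PEER alone is the chain-only behaviour the thread complains about.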

