Package: libio-socket-ssl-perl
Version: 1.992-1

The documentation for SSL_ca* says: “If neither SSL_ca, nor SSL_ca_file or SSL_ca_path are set it will use "default_ca()" to determine the user-set or system defaults.”

But in reality, IO::Socket::SSL calls default_ca() only once, upon initialization, so default_ca() is never used to determine user-set defaults.


$ perl test-default-ca.pl
Eeek! Connected to www.debian.org with default_ca() = {
 'SSL_ca_file' => 
'/usr/share/ca-certificates/mozilla/China_Internet_Network_Information_Center_EV_Certificates_Root.crt'
}



-- System Information:
Debian Release: jessie/sid
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.12.0 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libio-socket-ssl-perl depends on:
ii  libnet-ssleay-perl  1.63-1
ii  netbase             5.2
ii  perl                5.18.2-4

Versions of packages libio-socket-ssl-perl recommends:
ii  libio-socket-inet6-perl     2.72-1
ii  libio-socket-ip-perl        0.29-1
ii  libnet-idn-encode-perl      2.100-2
ii  libsocket6-perl             0.25-1
ii  liburi-perl                 1.60-1
ii  perl                        5.18.2-4
ii  perl-base [libsocket-perl]  5.18.2-4

Versions of packages libio-socket-ssl-perl suggests:
ii  ca-certificates  20140325

-- no debconf information

--
Jakub Wilk

#!/usr/bin/perl

use strict;
use warnings;

use Data::Dumper;
use IO::Socket::SSL;

my $host = 'www.debian.org';
my $ca = 'China_Internet_Network_Information_Center_EV_Certificates_Root';
# definitely NOT the www.debian.org's CA ---^
my $cafile = "/usr/share/ca-certificates/mozilla/$ca.crt";
-r $cafile or die "$cafile: $!";

my %default_ca = IO::Socket::SSL::default_ca($cafile);

my $sock = IO::Socket::SSL->new(
    PeerAddr => $host,
    PeerPort => 'https',
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_verifycn_scheme => 'http',
) or die IO::Socket::SSL::errstr;

$Data::Dumper::Terse = 1;
print "Eeek! Connected to $host with default_ca() = ", Dumper(\%default_ca);

$sock->close();
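
Added example, not part of the report above and not IO::Socket::SSL's own code: an offline check that a CA passed per socket through SSL_ca_file is the one verification enforces, so the outcome does not depend on default_ca(). The two throwaway CAs, the 127.0.0.1 test server and the helper name try_connect are constructed for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use IO::Socket::SSL;
use IO::Socket::SSL::Utils;

$SIG{PIPE} = 'IGNORE';

# Constructed test material: two unrelated throwaway CAs, written as PEM files.
my $dir = tempdir(CLEANUP => 1);
my %ca;
for my $name (qw(good wrong)) {
    my ($cert, $key) = CERT_create(CA => 1, subject => { CN => "$name test CA" });
    PEM_cert2file($cert, "$dir/$name.pem");
    $ca{$name} = [$cert, $key];
}
# Only the "good" CA signs the certificate of the local test server.
my ($scert, $skey) = CERT_create(subject => { CN => 'localhost' }, issuer => $ca{good});

my $server = IO::Socket::SSL->new(
    LocalAddr => '127.0.0.1', LocalPort => 0, Listen => 2,
    SSL_cert  => $scert,      SSL_key   => $skey,
) or die "listen: $!, $SSL_ERROR";
my $port = $server->sockport;

defined(my $pid = fork()) or die "fork: $!";
if (!$pid) {    # child: serve the two handshakes attempted below
    for (1 .. 2) { my $c = $server->accept or next; $c->close }
    exit 0;
}

# Hypothetical helper: the CA is passed per socket, never via default_ca().
sub try_connect {
    my ($cafile) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerAddr => '127.0.0.1', PeerPort => $port,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'localhost',
        SSL_ca_file         => $cafile,
    ) or return 0;
    $sock->close;
    return 1;
}

my $trusted   = try_connect("$dir/good.pem");
my $untrusted = try_connect("$dir/wrong.pem");
waitpid($pid, 0);
print "signing CA accepted:   ", ($trusted ? "yes" : "NO"), "\n";
print "unrelated CA accepted: ", ($untrusted ? "YES, not enforced" : "no"), "\n";
exit(($trusted && !$untrusted) ? 0 : 1);
```

The script exits non-zero if the unrelated CA is accepted or the signing CA is rejected, so it can serve as a regression check after upgrading the package.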
