Bug#507402: LWP::Protocol::https/_check_sock() has insufficient certificate checking

2009-02-28 Thread Antonio Radici

tag 507402 +upstream
forwarded 507402 https://rt.cpan.org/Ticket/Display.html?id=43733
thanks

Hi,
thanks for your report.

I've forwarded the problem upstream.

Cheers
Antonio



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#507402: LWP::Protocol::https/_check_sock() has insufficient certificate checking

2008-11-30 Thread Daniel T Chen

Package: libwww-perl
Version: 5.820-1

Forwarded from Ubuntu #198874 
(https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/198874):


The reporter states:
See LWP::Protocol::https class, the _check_sock function:

we don't execute $sock->get_peer_verify before checking the cert's 
subject against $req->header(If-SSL-Cert-Subject).


$sock->get_peer_verify gets called only *after* we have pushed all of 
our request to the server (possibly containing critical data including 
passwords) -- that is BAD. Basically, all of that not only renders SSL 
support in LWP::UserAgent meaningless, but also gives the user an 
impression of security, which is not only bad, but almost a malicious 
thing to do.


More experimentation has shown that this only happens when doing use 
IO::Socket::SSL. Otherwise, Crypt::SSLeay is used and that one shows 
the opposite behaviour: unverified server certs are NEVER accepted. I 
don't even know how to set the verification level, and it also doesn't 
seem to be documented what exactly gets verified (server name at least?? 
How about redirects?)


Please fix this and/or report it upstream because I consider it a major 
issue.




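The ordering problem the reporter describes (certificate checked only after the request body has already gone out) disappears when verification is made part of the TLS handshake itself. The following is an added example, not code from the bug report or from libwww-perl; it assumes IO::Socket::SSL 1.x and LWP::UserAgent 6.x (both newer than the libwww-perl 5.820 in the report), and the host name and CA bundle path are placeholders. The commented-out SSL_VERIFY_NONE line is the weak setting that would accept any certificate.

```perl
#!/usr/bin/perl
# Added example: verify the peer certificate and host name at handshake
# time, before any request bytes are written. Not libwww-perl code.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use LWP::UserAgent;

my $host    = 'www.example.com';                      # assumed target
my $ca_file = '/etc/ssl/certs/ca-certificates.crt';   # assumed CA bundle (Debian path)

# 1. Raw IO::Socket::SSL: verification happens inside new(), so a bad
#    chain or a host-name mismatch fails here and nothing is ever sent.
sub fetch_raw {
    my ($host, $path) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => 443,
        # SSL_verify_mode   => SSL_VERIFY_NONE,   # WEAK: accepts any cert
        SSL_verify_mode     => SSL_VERIFY_PEER,    # reject unverified chains
        SSL_ca_file         => $ca_file,
        SSL_verifycn_name   => $host,              # name the cert must match
        SSL_verifycn_scheme => 'http',             # CN/SAN rules for HTTPS
    ) or die "TLS handshake/verification failed: $IO::Socket::SSL::SSL_ERROR\n";

    # Equivalent of the If-SSL-Cert-Subject check, done BEFORE sending:
    my $subject = $sock->peer_certificate('subject');
    die "Unexpected certificate subject: $subject\n"
        unless $subject =~ /CN=\Q$host\E/;

    # Only now, with the peer verified, does the request leave the client.
    print $sock "GET $path HTTP/1.0\r\nHost: $host\r\n\r\n";
    local $/;
    my $response = <$sock>;
    close $sock;
    return $response;
}

# 2. LWP::UserAgent 6.x: state the verification policy explicitly
#    instead of relying on defaults or on a request header.
sub fetch_lwp {
    my ($url) = @_;
    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            verify_hostname => 1,          # match cert against the URL's host
            SSL_ca_file     => $ca_file,
        },
    );
    my $res = $ua->get($url);
    die 'Request failed: ' . $res->status_line . "\n" unless $res->is_success;
    return $res;
}

print fetch_raw($host, '/');
print fetch_lwp("https://$host/")->decoded_content;
```

With SSL_verify_mode set to SSL_VERIFY_PEER the handshake itself fails on an untrusted or mismatched certificate, so the request (and any credentials in it) is never written; the explicit subject check is shown only to illustrate where such a check belongs relative to the first write.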