[Bug 509819] perl-IO-Socket-SSL: incorrect checking of certificate hostnames

bugzilla at redhat.com bugzilla at redhat.com
Fri Jul 24 14:35:56 UTC 2009




https://bugzilla.redhat.com/show_bug.cgi?id=509819

--- Comment #8 from Tomas Hoger <thoger at redhat.com>  2009-07-24 10:35:54 EDT ---
(In reply to comment #6)
> For RHEL5, do we want to add hostname verification to the older version?

I think if that is requested by the users, it can be done, but I don't think
this should be done under / because of this bug.

> If someone is relying on the *lack* of hostname verification, any app using
> this perl module could possibly break in a customer environment.  That would
> be a bad thing for an update to do.  Conversely, having hostname support
> increases security.

As far as I can see, risks should be rather low, as name verification only
happens when it's requested explicitly by the application using the module
(either via the verify_hostname method or the SSL_verifycn_* options to new()).
Old code should work with new module versions without regressions related to
this, but just a module version update will not automagically add hostname
verification to apps that don't do it today.

> Personally, I think that because RHEL5 and earlier didn't have support for it,
> *this* issue isn't a security issue to affect them.

Agree.  If someone needs a hostname verification support in RHEL5 packages, it
should be requested via RFE bug.

Additionally, I had a look at applications using IO::Socket::SSL in RHEL5. 
There are only 2 components in the distribution:

- spamassassin - Used for optional SSL encryption for spamd <-> spamc
communication.  Only used on server side (spamd), as client (spamc) is written
in C and is using OpenSSL directly.  Hence this feature is irrelevant to
spamassassin.

- perl-LDAP - This module does not have support for hostname verification, not
even in the latest git version to date.  Hence without further modifications of
perl-LDAP itself, it won't benefit from hostname verification support in
IO::Socket::SSL.

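The point in the comment above is that IO::Socket::SSL of that era verifies the certificate name only when the caller asks for it, either with the SSL_verifycn_* options to new() or with the verify_hostname method after the handshake. The following client is an added example illustrating both forms; it is not code from the bug report or from the IO::Socket::SSL distribution, and the target host and CA directory are placeholders (assumptions) chosen for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): requesting hostname verification
# explicitly with IO::Socket::SSL.  $host and $ca_path are placeholders.
use strict;
use warnings;
use IO::Socket::SSL;   # default exports: SSL_VERIFY_PEER, $SSL_ERROR, ...

my $host    = 'www.example.com';      # assumed target host
my $ca_path = '/etc/pki/tls/certs';   # assumed CA directory (RHEL layout)

# Form 1: ask for chain AND name verification when constructing the socket.
# Without SSL_verifycn_scheme/SSL_verifycn_name the module (in the versions
# discussed in this bug) checks the chain against the CA store but does not
# compare the certificate's name against $host at all, so a valid cert for
# some other name issued by a trusted CA would be accepted.
my $ssl = IO::Socket::SSL->new(
    PeerHost            => $host,
    PeerPort            => 443,
    SSL_verify_mode     => SSL_VERIFY_PEER,
    SSL_ca_path         => $ca_path,
    SSL_verifycn_scheme => 'http',   # RFC 2818 rules: subjectAltName dNSName, wildcards
    SSL_verifycn_name   => $host,    # name the certificate must match
) or die "connect/verify to $host failed: $SSL_ERROR\n";

print "chain and hostname verified for $host\n";
$ssl->close;

# Form 2: verify the chain in new() and check the name afterwards with the
# verify_hostname method (same check, just done after the handshake).
my $sock = IO::Socket::SSL->new(
    PeerHost        => $host,
    PeerPort        => 443,
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_path     => $ca_path,
) or die "connect/chain verify to $host failed: $SSL_ERROR\n";

$sock->verify_hostname($host, 'http')
    or die "certificate presented by $host does not match that name\n";

print "hostname verified via verify_hostname() for $host\n";
$sock->close;
```

Either form makes the name check an explicit request by the application, which is why a plain module update neither breaks callers that never asked for it nor protects callers that do not ask. Later IO::Socket::SSL releases changed the client defaults to verify peers and names out of the box; spelling the options out as above keeps the behaviour the same across versions.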
More information about the Fedora-perl-devel-list mailing list