Bug 745800
Summary: | perl-libwww-perl: add support for setting SSL options in LWP::UserAgent |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Tomas Hoger <thoger> |
Component: | perl-libwww-perl | Assignee: | Petr Pisar <ppisar> |
Status: | CLOSED ERRATA | QA Contact: | Martin Kyral <mkyral> |
Severity: | medium | Docs Contact: | Lenka Špačková <lkuprova> |
Priority: | high |
Version: | 6.1 | CC: | dkutalek, jorton, jplesnik, mkyral, ppisar, psabata, salmy, tigeli |
Target Milestone: | rc | Keywords: | FutureFeature, Patch |
Target Release: | --- |
Hardware: | Unspecified |
OS: | Unspecified |
Whiteboard: |
Fixed In Version: | perl-libwww-perl-5.833-3.el6 | Doc Type: | Release Note |
Doc Text: |
LWP now supports host name and certificate verification
Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the *LWP::UserAgent* Perl module to verify the identity of HTTPS servers. To enable the verification, make sure the *IO::Socket::SSL* Perl module is installed and the `PERL_LWP_SSL_VERIFY_HOSTNAME` environment variable is set to `1`, or that the application is modified to set the `ssl_opts` option correctly. See *LWP::UserAgent* POD for more details.
|
Story Points: | --- |
Clone Of: | Environment: |
Last Closed: | 2016-05-10 21:04:52 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: |
Verified Versions: | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: |
Bug Depends On: |
Bug Blocks: | 947781, 1159824, 1254457, 1269913 |
Attachments: |
Description
Tomas Hoger
2011-10-13 13:15:46 UTC
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux. If you would like it considered as an exception in the current release, please ask your support representative.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. It has been proposed for the next release. If you would like it considered as an exception in the current release, please ask your support representative.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate, in the next release of Red Hat Enterprise Linux.

Created attachment 1103499 [details]
Back-port ssl_opts to libwww-perl-5.833
Created attachment 1103500 [details]
Disable hostname verification by default for 5.833
How to test:

(1) Prepare a private key and two X.509 certificates. One issued for a hostname you will connect to, another one for something else.
(2) Start an HTTPS server with the certificate.
(3) Perform an HTTP request with an LWP::UserAgent client to the server.
(4) Observe the status report of the LWP::UserAgent client.

Before: The client performs the request regardless of the server certificate.

After: The client performs the request regardless of the server certificate. However, if PERL_LWP_SSL_VERIFY_HOSTNAME environment variable is set to "1", the request will be aborted if the server's certificate is not trusted or is issued for non-matching certificate.

Repeat the test with various combinations of server's certificate, authority's certificate, and PERL_LWP_SSL_VERIFY_HOSTNAME value.

Please note that default behaviour must match PERL_LWP_SSL_VERIFY_HOSTNAME=0 behaviour and that PERL_LWP_SSL_VERIFY_HOSTNAME=1 is supported only if IO::Socket::SSL Perl module is installed.

Created attachment 1103562 [details]
Test case
You can use this script and the certificates and set various environment variables to perform the testing.
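
An added sketch of steps (3) and (4) from the test procedure above, with verification set through `ssl_opts` as well as through the environment. It is not the attached test case and not code from the bug report; the default URL and the `./ca.crt` path are assumptions about the local test setup, and `fetch_status` is a hypothetical helper name.

```perl
#!/usr/bin/perl
# Added example: compare LWP::UserAgent behaviour with and without
# certificate and host-name verification. Not the attachment from this bug.
use strict;
use warnings;
use LWP::UserAgent;

# Assumed test setup: an HTTPS server started in step (2) and the CA
# certificate that signed its server certificate.
my $url     = shift // 'https://localhost:4433/';
my $ca_file = shift // './ca.crt';

# The bug report states that verification is supported only when
# IO::Socket::SSL is installed, so report that first.
my $have_io_socket_ssl = eval { require IO::Socket::SSL; 1 } ? 'yes' : 'no';
print "IO::Socket::SSL installed: $have_io_socket_ssl\n";
printf "PERL_LWP_SSL_VERIFY_HOSTNAME=%s\n",
    $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} // '(unset)';

# Hypothetical helper: build a client, perform one GET, print the outcome.
sub fetch_status {
    my ($label, %ua_args) = @_;
    my $ua  = LWP::UserAgent->new(timeout => 10, %ua_args);
    my $res = $ua->get($url);
    # A failed handshake is reported by LWP as a client-generated
    # 500 response, so the status line carries the reason.
    printf "%-22s verify_hostname=%s -> %s\n", $label,
        ($ua->ssl_opts('verify_hostname') ? 1 : 0), $res->status_line;
    return $res->is_success;
}

# Case 1: no ssl_opts, so the setting comes from the environment/default.
fetch_status('environment default');

# Case 2: verification requested in code. SSL_ca_file is an
# IO::Socket::SSL option passed through ssl_opts.
fetch_status('ssl_opts verify on',
    ssl_opts => { verify_hostname => 1, SSL_ca_file => $ca_file });

# Case 3: verification explicitly off, for the "Before" comparison.
fetch_status('ssl_opts verify off',
    ssl_opts => { verify_hostname => 0 });
```

Run it once against the server presenting the matching certificate and once against the one issued for a different name, with `PERL_LWP_SSL_VERIFY_HOSTNAME` unset, `0` and `1`; only the verifying cases should fail on the mismatched or untrusted certificate.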
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0817.html

You know that this "enhancement" also broke both $ENV{HTTPS_CERT_FILE} and $ENV{HTTPS_KEY_FILE} usage with the SSL-library defaulting to IO::Socket::SSL instead of Net::SSL. You should have implemented full compatibility between the old and new before releasing this "fix".

You can export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL to use Net::SSL and its HTTPS_ environment variables.

(In reply to Petr Pisar from comment #19)
> You can export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL to use Net::SSL and
> its HTTPS_ environment variables.

Sure and it is not like I could not fix the issue itself but the thing was that the update actually broke the API currently in use and there were no warnings in the release notes that this would happen. Anyway, there is actually a bug about this issue https://bugzilla.redhat.com/show_bug.cgi?id=1365490 and we should probably continue discussion on there.