Change verify_SSL default to 1, add ENV var to enable insecure default [CVE-2023-31486] #153
I don't love the name of the environment variable. If it's going to override the choice of whatever code is using HTTP::Tiny, rather than just changing the default, it should be more explicit about that.
@haarg See my comment from the related issue. I feel it's fairly important for an environment variable to exist so that we provide an escape hatch for users surprised by these changes who suddenly discover they don't have a working trust store. For comparison, LWP::UserAgent uses an environment variable
Both of these environment variables set defaults. They do not override an explicit setting by the user of the library.
Having the environment variable affect the actual setting, overriding explicit requests from the user, seems odd. I would have thought, instead, we'd say something like:

```perl
$default_verify
  = length $ENV{PERL_HTTP_TINY_VERIFY_CERTIFICATES}
  ? !! $ENV{PERL_HTTP_TINY_VERIFY_CERTIFICATES}
  : 1;
```

…and then fall back to that when the user has provided no explicit value in the constructor.
I would definitely prefer that the environment variable only impact the default. The only catch with that is that because HTTP::Tiny has been acting insecurely until now, many users are already overriding the default to be true. Many of these would probably be fine having an environment variable that could tell them to act insecurely. Possibly this indicates that there should be two environment variables. I'm not entirely sure if that is necessary though. But if there is a variable that overrides the default, it definitely needs to be named appropriately to indicate that it is an override.
Another way of looking at it is that most frequently, a module author is making the decision of whether to verify SSL, but it is the end user who actually knows if they have a working trust store and the risks involved. It seems right to me that the user's choice should override the module author's choice. We're also mostly considering authors who add

Environment that only changes the default is a good pattern for most of the perl https clients, but only because most of them use a default of true and no module authors feel the need to override the default in normal usage.
Hi
@rjbs I don't have a strong opinion about the environment variable, other than that one should be included in the upstream patch to provide an escape hatch. Would you like me to change the PR to that behavior? I do like
While we wait for some agreement on the environment variable, and maybe other details, you can check out patches already included in some distributions:
This PR and those patches are based on [PATCH] Enable SSL by default in HTTP::Tiny which was proposed for Debian
@stigtsp I think changing the default is the correct behavior, and with not much weighing in elsewise, let's do that. I think that
I've updated the PR with a single commit containing the changes and support for
Thanks very much @stigtsp, I am now moving on this.
Looks good. I have some doc/build comments and a readability nit.
@xdg Thanks for the feedback! I've updated the commit:
A diff between the previous commit and this one should be here:
- Changes the `verify_SSL` default parameter from `0` to `1`
  Based on patch by Dominic Hargreaves: https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
  Fixes CVE-2023-31486
- Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that enables the previous insecure default behaviour if set to `1`. This provides a workaround for users who encounter problems with the new `verify_SSL` default.
  Example to disable certificate checks:
  ```
  $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
  ```
- Updates to documentation:
  - Describe changing the verify_SSL value
  - Describe the escape-hatch environment variable
  - Remove rationale for not enabling verify_SSL
  - Add missing certificate search paths
  - Replace "SSL" with "TLS/SSL" where appropriate
  - Use "machine-in-the-middle" instead of "man-in-the-middle"
- Update `210_live_ssl.t`
  - Use github.com, cpan.org and badssl.com hosts for checking certificates.
  - Add self signed snake-oil certificate for checking failures rather than bypassing the `SSL_verify_callback`
  - Test `verify_SSL` parameter in addition to low level SSL_options
  - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` behaves as expected against badssl.com
- Added `180_verify_SSL.t`
  - Test that `verify_SSL` default is `1`
  - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` behaves as expected
  - Test that using different values for `verify_SSL` and legacy `verify_ssl` doesn't disable cert checks
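The "environment variable only changes the default" semantics rjbs proposes above, combined with the `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` name from the commit message, as an added illustration that is not HTTP::Tiny's own code: `resolve_verify_SSL` and the case table are constructed for this example, and its handling of a mixed `verify_SSL`/`verify_ssl` pair models what the `180_verify_SSL.t` description requires rather than the module's actual implementation.

```perl
#!/usr/bin/env perl
# Added example (not HTTP::Tiny's code): models how an escape-hatch
# environment variable can change only the *default*, never an explicit
# constructor choice. Function name and cases are assumptions of this example.
use strict;
use warnings;

# Resolve the effective verify_SSL value from constructor args and an
# environment hash. An explicit constructor value always wins; the
# environment only decides the default when the caller said nothing.
sub resolve_verify_SSL {
    my ($args, $env) = @_;

    # Legacy lower-case key is honoured, but a mixed pair of values must
    # not switch checking off: if either key is true, verification stays on.
    if (exists $args->{verify_SSL} || exists $args->{verify_ssl}) {
        return ($args->{verify_SSL} || $args->{verify_ssl}) ? 1 : 0;
    }

    # No explicit choice: secure default unless the escape hatch is exactly "1".
    my $insecure = $env->{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT};
    return (defined $insecure && $insecure eq '1') ? 0 : 1;
}

# Constructed cases: [ description, constructor args, environment ].
my @cases = (
    [ 'no args, env unset',                  {},                                   {} ],
    [ 'no args, escape hatch = 1',           {},                                   { PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT => 1 } ],
    [ 'no args, escape hatch = 0',           {},                                   { PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT => 0 } ],
    [ 'verify_SSL => 1, escape hatch = 1',   { verify_SSL => 1 },                  { PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT => 1 } ],
    [ 'verify_SSL => 0, env unset',          { verify_SSL => 0 },                  {} ],
    [ 'verify_SSL => 0 with verify_ssl => 1',{ verify_SSL => 0, verify_ssl => 1 }, {} ],
);

for my $case (@cases) {
    my ($desc, $args, $env) = @$case;
    printf "%-40s verify_SSL=%d\n", $desc, resolve_verify_SSL($args, $env);
}
```

Only the second case yields 0 without an explicit `verify_SSL => 0`, which is the behaviour the thread converged on: the variable is a deployment-level escape hatch, not an override of code that asked for verification.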
Question: by introducing the variable, don't you just introduce a fresh (although less critical) bypass vulnerability? (We're already building Perl with -DNO_PERL_RAND_SEED in Gentoo, and I see us patching out support for this bypass here in future HTTP::Tiny as well - restoring the current state where the default is unconditionally patched to 1.)
verify_ssl can be turned off easily in code regardless (and this capability must be present to support local requests with self-signed certs). The only reason for the variable is as an option to keep code running without needing code changes. The insecurity here is the default, which is being changed
You might as well overlay a local HTTP::Tiny for such fragile code. Similar amount of ENV messing and no one else affected.
@akhuettel Gentoo didn't patch out
HTTP-Tiny-0.083-TRIAL.tar.gz released to CPAN. Thanks everyone for contributing to this change!
HTTP-Tiny-0.084.tar.gz released to CPAN.
To address #152