Change verify_SSL default to 1, add ENV var to enable insecure default [CVE-2023-31486] #153

Merged (1 commit), Jun 11, 2023

Commits on Jun 10, 2023

  1. Change verify_SSL default to 1, add ENV var to enable insecure default

    - Changes the `verify_SSL` default parameter from `0` to `1`
    
      Based on patch by Dominic Hargreaves:
      https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92
    
      Fixes CVE-2023-31486
    
    - Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that
      enables the previous insecure default behaviour if set to `1`.
    
      This provides a workaround for users who encounter problems with the
      new `verify_SSL` default.
    
      Example to disable certificate checks:
      ```
        $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl
      ```
    
    - Updates to documentation:
      - Describe changing the verify_SSL value
      - Describe the escape-hatch environment variable
      - Remove rationale for not enabling verify_SSL
      - Add missing certificate search paths
      - Replace "SSL" with "TLS/SSL" where appropriate
      - Use "machine-in-the-middle" instead of "man-in-the-middle"
    
    - Update `210_live_ssl.t`
      - Use github.com, cpan.org and badssl.com hosts for checking
        certificates.
      - Add self-signed snake-oil certificate for checking failures rather
        than bypassing the `SSL_verify_callback`
      - Test `verify_SSL` parameter in addition to low level SSL_options
      - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` behaves as
        expected against badssl.com
    
    - Added `180_verify_SSL.t`
      - Test that `verify_SSL` default is `1`
      - Test that `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` behaves as expected
      - Test that using different values for `verify_SSL` and legacy `verify_ssl`
        doesn't disable cert checks
    stigtsp committed Jun 10, 2023
    Commit 73bc321
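As an added example (not code from this pull request or from HTTP::Tiny itself), the script below shows what the commit's three behaviours look like from a caller's side: the new `verify_SSL` default, the `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` escape hatch, and the rule that a true `verify_SSL` is not disabled by a conflicting legacy `verify_ssl`. It reads the effective setting through the `verify_SSL` accessor HTTP::Tiny generates for its constructor attributes, so the first four checks run offline. The `--live` flag is an assumption made for this example; the hosts it contacts are the ones the updated `210_live_ssl.t` uses.

```perl
#!/usr/bin/env perl
# Added example, not part of the HTTP::Tiny pull request: shows what the
# verify_SSL default change and the PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT
# escape hatch mean for a caller, and how to write code that verifies
# certificates no matter which HTTP::Tiny release or environment it runs in.
use strict;
use warnings;
use HTTP::Tiny;

sub onoff { $_[0] ? 'on' : 'off' }

# 1. What the installed HTTP::Tiny does when the caller says nothing.
#    HTTP::Tiny generates a read accessor for each constructor attribute,
#    so the effective setting can be inspected without opening a socket.
#    Releases carrying this fix report "on"; older releases report "off".
my $default = HTTP::Tiny->new;
printf "HTTP::Tiny %s: default verify_SSL is %s\n",
    HTTP::Tiny->VERSION, onoff($default->verify_SSL);

# 2. The escape hatch. It is consulted when the object is constructed, so
#    localising the variable confines the insecure default to this block.
{
    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = '1';
    my $legacy = HTTP::Tiny->new;
    printf "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1: verify_SSL is %s\n",
        onoff($legacy->verify_SSL);
}

# 3. Hardened form: an explicit verify_SSL => 1 is honoured on every release
#    and is not affected by the environment variable, so a script that must
#    verify certificates should pass it rather than rely on the default.
my $strict = HTTP::Tiny->new(verify_SSL => 1);
printf "explicit verify_SSL => 1: verify_SSL is %s\n",
    onoff($strict->verify_SSL);

# 4. Mixing the canonical and legacy spellings: the commit adds a test that
#    differing verify_SSL / verify_ssl values do not disable cert checks.
my $mixed = HTTP::Tiny->new(verify_SSL => 1, verify_ssl => 0);
printf "verify_SSL => 1 with verify_ssl => 0: verify_SSL is %s\n",
    onoff($mixed->verify_SSL);

# 5. Optional live check (needs network and IO::Socket::SSL). The flag name
#    is an assumption of this example; the hosts are those used by the
#    updated 210_live_ssl.t. With verification on, the self-signed host must
#    fail: HTTP::Tiny reports a TLS failure as status 599 ("Internal
#    Exception") with the underlying SSL error in the response content.
if (@ARGV && $ARGV[0] eq '--live') {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "no TLS support: $why\n" unless $ok;
    for my $url ('https://github.com/', 'https://self-signed.badssl.com/') {
        my $res = $strict->get($url);
        printf "%-34s %s %s\n", $url, $res->{status}, $res->{reason};
        print "  $res->{content}" if $res->{status} == 599;
    }
}
```

Run it without arguments on any machine to learn whether the installed HTTP::Tiny verifies by default; run it with `--live` to confirm that the strict object rejects the badssl.com self-signed certificate while still reaching github.com. The practical takeaway is step 3: code that cannot tolerate an unverified connection should pass `verify_SSL => 1` itself, because the default depends on both the HTTP::Tiny version and the environment the script happens to run under.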