Please verify SSL server identity by default #211

Closed
fschlich opened this issue Sep 5, 2021 · 2 comments

fschlich commented Sep 5, 2021

I'm forwarding Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954111

The reporter notes that "Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. ... I believe that the encryption of a transmission has no value when talking to the wrong person."

While you document in Search::Elasticsearch::Cxn::HTTPTiny how to turn on remote host verification, would you consider switching the default to always verify https connections (and perhaps giving your user the option to turn verification back off should this really be needed)?

ezimuel commented Oct 20, 2021

@fschlich thanks for reporting this. I'll work on a PR to enable SSL verification by default.

ezimuel self-assigned this Oct 20, 2021
ezimuel commented Jan 17, 2024

This has been fixed in HTTP-Tiny ver. 0.083

ezimuel closed this as completed Jan 17, 2024
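
An added example, not part of the thread or of the project's code: a Perl script that reports whether the installed HTTP::Tiny verifies TLS server certificates by default and builds a client that verifies regardless of that default. It assumes HTTP::Tiny's documented `verify_SSL` accessor, its `can_ssl` method and its `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` environment variable; the sub names `default_verifies` and `strict_client` are hypothetical.

```perl
#!/usr/bin/env perl
# Added example, not from the thread or the project.
use strict;
use warnings;
use HTTP::Tiny;
use version;

# Version the thread names as carrying the fix.
my $FIXED = version->parse('0.083');

# Effective default on this host: a client built with no arguments
# reflects both the module's built-in default and any environment override.
sub default_verifies {
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

# Client that verifies the server certificate whatever the default is.
# Dies early if TLS support or a CA bundle is missing, instead of failing
# on the first https request.
sub strict_client {
    my (%opts) = @_;
    my $http = HTTP::Tiny->new(%opts, verify_SSL => 1);
    # Called on an object with verify_SSL on, can_ssl also checks
    # that a CA file can be found.
    my ($ok, $why) = $http->can_ssl;
    die "TLS verification unavailable: $why\n" unless $ok;
    return $http;
}

my $installed = version->parse(HTTP::Tiny->VERSION);
printf "HTTP::Tiny %s %s version %s\n",
    $installed,
    ($installed >= $FIXED ? 'is at or above' : 'is older than'),
    $FIXED;

# Per HTTP::Tiny's documentation, this variable set to 1 turns
# default verification back off in versions that verify by default.
if (($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} // '') eq '1') {
    print "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 is set in this environment\n";
}

printf "Default client verifies certificates: %s\n",
    default_verifies() ? 'yes' : 'no';

# Building the strict client exercises the TLS and CA-bundle checks.
my $http = eval { strict_client(timeout => 10) };
print $http
    ? "Strict client ready (verify_SSL=" . $http->verify_SSL . ")\n"
    : "Strict client not available: $@";
```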