verify_hostname defaults to 0 if ssl_opts provided (RT#67947) #22

Merged
merged 2 commits into from Oct 14, 2011

madsen commented Oct 11, 2011

This fixes RT#67947, which I consider a serious security hole. There's an easy workaround (specify verify_hostname in your ssl_opts hash), but what makes it serious is that it's so easy to miss the fact that your app is not verifying the hostname. Unless you actually test your app against a server that presents the wrong certificate, you might never notice the huge security hole you've left open.

I also added some tests to make sure it works.
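As an added example (not code from libwww-perl or from this pull request), the following Perl script builds an LWP::UserAgent the way that triggers RT#67947, alongside the explicit workaround the comment above mentions, and adds a startup check that fails closed whichever LWP version is installed. The CA bundle path and the `hostname_verification_enabled` / `require_hostname_verification` helpers are assumptions of the example, not part of LWP's API.

```perl
#!/usr/bin/env perl
# Added example for RT#67947; this is not code from libwww-perl or from the
# pull request. It builds an LWP::UserAgent the way that triggers the bug,
# builds one with the explicit workaround, and checks at startup that
# hostname verification is actually on.
use strict;
use warnings;
use LWP::UserAgent;

# Assumption: the system CA bundle lives here. Adjust for your host.
my $CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

# True only when verify_hostname is set and true on this UA. An unset value
# counts as off: that is the state RT#67947 leaves you in when ssl_opts is
# passed without verify_hostname.
sub hostname_verification_enabled {
    my ($ua) = @_;
    my $v = $ua->ssl_opts('verify_hostname');
    return (defined $v && $v) ? 1 : 0;
}

# Die unless the UA will verify hostnames. Call this right after
# constructing every UA that talks HTTPS so a silent downgrade is caught
# at startup, not when a wrong certificate is first presented.
sub require_hostname_verification {
    my ($name, $ua) = @_;
    die "$name: refusing to use a client with hostname verification off\n"
        unless hostname_verification_enabled($ua);
    return $ua;
}

# 1. The pattern the bug is about: ssl_opts given, verify_hostname omitted.
#    On LWP releases without this fix, verify_hostname ends up 0 here, even
#    though the caller never asked to turn it off.
my $weak = LWP::UserAgent->new(
    ssl_opts => { SSL_ca_file => $CA_BUNDLE },
);

# 2. The workaround from the PR discussion: state verify_hostname yourself.
#    This behaves the same before and after the fix, and an explicit value
#    also overrides PERL_LWP_SSL_VERIFY_HOSTNAME in the environment.
my $hardened = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $CA_BUNDLE,
    },
);

# Show what each UA would actually do. What $weak reports depends on the
# installed LWP version; $hardened reports 1 everywhere.
for my $pair ([weak => $weak], [hardened => $hardened]) {
    my ($name, $ua) = @$pair;
    my $v = $ua->ssl_opts('verify_hostname');
    printf "%-9s verify_hostname=%s\n", $name, defined $v ? $v : 'undef';
}

# 3. Fail closed. The check on $weak dies on affected LWP versions; the
#    check on $hardened passes on all of them.
for my $pair ([weak => $weak], [hardened => $hardened]) {
    my ($name, $ua) = @$pair;
    if (eval { require_hostname_verification($name, $ua); 1 }) {
        print "$name: ok\n";
    }
    else {
        print "$name: $@";
    }
}

# Optional: give an https URL on the command line to make a real request
# with the hardened client. Against a server presenting a certificate for
# a different name the request fails instead of silently succeeding.
if (my $url = shift @ARGV) {
    my $res = $hardened->get($url);
    print $res->status_line, "\n";
}
```

Run it with no arguments to see which setting each client ends up with on your LWP version, or pass an https URL to make a request through the hardened client. The startup check addresses the point raised in the comment above: without a test against a server presenting the wrong certificate, a missing verify_hostname is invisible, so the example makes its absence fatal at construction time rather than relying on the library default.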

madsen added some commits Oct 11, 2011

verify_hostname defaults to 0 if ssl_opts provided [RT#67947]
Let verify_hostname default from the environment when other ssl_opts
are passed.
Test verify_hostname setting
Remove SSL environment variables so they don't affect the tests.

gisle added a commit that referenced this pull request Oct 14, 2011

Merge pull request #22 from madsen/RT67947-verify_hostname
verify_hostname defaults to 0 if ssl_opts provided [RT#67947]

@gisle gisle merged commit 0a9516a into libwww-perl:master Oct 14, 2011
