diff options
Diffstat (limited to 'doc')
-rw-r--r-- | doc/bugs/ssl_certificates_not_checked_with_openid.mdwn | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn index 2dc74a984..75cfe05e0 100644 --- a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn +++ b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn @@ -66,3 +66,47 @@ significantly harder than the network based attacks." With regards to implementation, I am surprised that the libraries don't seem to do this checking, already, and by default. Unfortunately, I am not sure how to test this adequately, see <http://bugs.debian.org/466055>. -- Brian May + +--- + +I think [[!cpan Crypt::SSLeay]] already supports checking the certificate. The trick +is to get [[!cpan LWP::UserAgent]], which is used by [[!cpan LWPx::ParanoidAgent]] to +enable this checking. + +I think the trick is to set on of the the following environment variables before retrieving +the data: + +$ENV{HTTPS_CA_DIR} = "/etc/ssl/certs/"; +$ENV{HTTPS_CA_FILE} = "/etc/ssl/certs/file.pem"; + +Unfortunately I get weird results if the certificate verification fails, tshark shows the following communications with my proxy server: + +HTTP CONNECT db.debian.org:443 HTTP/1.0 +<tls stuff> +HTTP CONNECT proxy.pri:3128 HTTP/1.0 +HTTP HTTP/1.0 403 Forbidden (text/html) + +Why it is trying to connect to the proxy server via the proxy server is beyond me. This only happens if the certificate verification fails (I think). I will continue investigating. My test code is: + + +#!/usr/bin/perl -w +use strict; +#require LWPx::ParanoidAgent; +#my $ua = LWPx::ParanoidAgent->new; + +require LWP::UserAgent; +my $ua = LWP::UserAgent->new; + +$ua->proxy(['http'], 'http://proxy.pri:3128'); +$ENV{HTTPS_PROXY} = "http://proxy.pri:3128"; +$ENV{HTTPS_CA_DIR} = "/etc/ssl/certs/"; + + +my $response = $ua->get("https://db.debian.org/"); + +if ($response->is_success) { + print $response->content; # or whatever +} else { + die $response->status_line; +} + |