From 9a206e1be855f562ade92959676d820370d20d28 Mon Sep 17 00:00:00 2001 From: Nicholas Bamber Date: Sat, 18 Jul 2020 19:41:51 +0200 Subject: Use ca-certificates rather than Mozilla::CA Origin: vendor Bug-Debian: https://bugs.debian.org/619059 Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2020-07-18 Gbp-Pq: Name cert.patch --- lib/LWP/Protocol/https.pm | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index 2725707..a479ee2 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -24,25 +24,7 @@ sub _extra_sock_opts } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { - eval { - require Mozilla::CA; - }; - if ($@) { - if ($@ =~ /^Can't locate Mozilla\/CA\.pm/) { - $@ = <<'EOT'; -Can't verify SSL peers without knowing which Certificate Authorities to trust - -This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE -environment variable or by installing the Mozilla::CA module. - -To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME -environment variable to 0. If you do this you can't be sure that you -communicate with the expected peer. -EOT - } - die $@; - } - $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file(); + $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt'; } } $self->{ssl_opts} = \%ssl_opts; -- cgit v1.2.3 From e122bc630696e180e64f228b4a8d1b93078ad3a4 Mon Sep 17 00:00:00 2001 
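Review bot: The new assignment `$ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt';` is unconditional, so a missing or unreadable bundle no longer produces the explanatory `die` that this hunk removes. The failure would presumably surface later as a generic certificate-verification error at connect time. A readability check right after the assignment keeps the diagnosis local and still fails closed, for example `die "Can't verify SSL peers: $ssl_opts{SSL_ca_file} is not readable (install ca-certificates or set PERL_LWP_SSL_CA_FILE)\n" unless -r $ssl_opts{SSL_ca_file};`. The same applies to the repeat of this hunk later in the series and to the 2023 variant, where the `else` branch replaces the whole `die` text with the same literal path. `_extra_sock_opts` starts and ends outside the hunk.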
From: Steffen Ullrich Date: Sat, 18 Jul 2020 19:41:51 +0200 Subject: Fix peer certificate verification Origin: vendor Bug: https://github.com/libwww-perl/lwp-protocol-https/pull/14 Bug-Debian: https://bugs.debian.org/746579 Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2020-07-18 LWP::Protocol::HTTPS disabled peer certificate verification in case only hostname verification was disabled. Gbp-Pq: Name 746579-fix-peer-certificate-verification.patch --- lib/LWP/Protocol/https.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index a479ee2..c10d3cc 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -20,7 +20,11 @@ sub _extra_sock_opts $ssl_opts{SSL_verifycn_scheme} = 'www'; } else { - $ssl_opts{SSL_verify_mode} = 0; + if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) { + $ssl_opts{SSL_verifycn_scheme} = ''; + } else { + $ssl_opts{SSL_verifycn_scheme} = 'none'; + } } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { -- cgit v1.2.3 From 9ddf1975633e7eb6156788ab27ef3b57d7ceb4d3 Mon Sep 17 00:00:00 2001 From: Debian Perl Group Date: Sat, 18 Jul 2020 19:41:51 +0200 Subject: Fix https test Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2016-04-29 fix https test after patch 746579-fix-peer-certificate-verification.patch kinda breaks it. Gbp-Pq: Name fix-https-test --- t/https_proxy.t | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/t/https_proxy.t b/t/https_proxy.t index 5196960..190cfc8 100644 --- a/t/https_proxy.t +++ b/t/https_proxy.t 
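Review bot: The `else` branch no longer assigns `SSL_verify_mode` at all, so when a caller passes `verify_hostname => 0` without an explicit `SSL_verify_mode` the key stays unset. The `if ($ssl_opts{SSL_verify_mode})` block below is then skipped and no default CA file is applied. Whether the chain is verified in that case depends on the socket class's own default, which the hunk does not show. A comment above the inner `if` would record this, such as `# hostname check off only; chain verification follows SSL_verify_mode or the socket class default`, along with a word on why Net::SSL gets `''` and every other class `'none'`. The identical hunk appears again later in the series, and `_extra_sock_opts` starts and ends outside it.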
@@ -66,7 +66,10 @@ my %ua; $ua{noproxy} = LWP::UserAgent->new( keep_alive => 10, # size of connection cache # server does not know the expected name and returns generic certificate - ssl_opts => { verify_hostname => 0 } + ssl_opts => { + verify_hostname => 0, + SSL_ca_file => $cafile, + } ); $ua{proxy} = LWP::UserAgent->new( -- cgit v1.2.3 From 5e2008b3cbd5990206f9861ce2664d658279561e Mon Sep 17 00:00:00 2001 From: Nicholas Bamber Date: Mon, 21 Dec 2020 20:39:14 +0100 Subject: Use ca-certificates rather than Mozilla::CA Origin: vendor Bug-Debian: https://bugs.debian.org/619059 Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2020-07-18 Gbp-Pq: Name cert.patch --- lib/LWP/Protocol/https.pm | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index 1064367..cee1bcf 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -24,25 +24,7 @@ sub _extra_sock_opts } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { - eval { - require Mozilla::CA; - }; - if ($@) { - if ($@ =~ /^Can't locate Mozilla\/CA\.pm/) { - $@ = <<'EOT'; -Can't verify SSL peers without knowing which Certificate Authorities to trust - -This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE -environment variable or by installing the Mozilla::CA module. - -To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME -environment variable to 0. If you do this you can't be sure that you -communicate with the expected peer. -EOT - } - die $@; - } - $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file(); + $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt'; } } $self->{ssl_opts} = \%ssl_opts; -- cgit v1.2.3 From bf69b5218aee5ee841bbd1745f56c5e7d4714f55 Mon Sep 17 00:00:00 2001 
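Review bot: The comment above `ssl_opts` still explains only `verify_hostname => 0`; nothing says why `SSL_ca_file => $cafile` is now required. A line such as `# chain is still verified against the test CA; only the name check is skipped` would record that peer verification stays on after 746579-fix-peer-certificate-verification.patch, as that patch's description implies. `$cafile` is defined outside the hunk, so what it points to cannot be checked here. The same hunk is repeated later in the series.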
From: Steffen Ullrich Date: Mon, 21 Dec 2020 20:39:14 +0100 Subject: Fix peer certificate verification Origin: vendor Bug: https://github.com/libwww-perl/lwp-protocol-https/pull/14 Bug-Debian: https://bugs.debian.org/746579 Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2020-07-18 LWP::Protocol::HTTPS disabled peer certificate verification in case only hostname verification was disabled. Gbp-Pq: Name 746579-fix-peer-certificate-verification.patch --- lib/LWP/Protocol/https.pm | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index cee1bcf..f79122c 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -20,7 +20,11 @@ sub _extra_sock_opts $ssl_opts{SSL_verifycn_scheme} = 'www'; } else { - $ssl_opts{SSL_verify_mode} = 0; + if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) { + $ssl_opts{SSL_verifycn_scheme} = ''; + } else { + $ssl_opts{SSL_verifycn_scheme} = 'none'; + } } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { -- cgit v1.2.3 From 24648b2fbab5966c3e82cf9c871d1b6f8cb7eb41 Mon Sep 17 00:00:00 2001 From: Debian Perl Group Date: Mon, 21 Dec 2020 20:39:14 +0100 Subject: Fix https test Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2016-04-29 fix https test after patch 746579-fix-peer-certificate-verification.patch kinda breaks it. Gbp-Pq: Name fix-https-test --- t/https_proxy.t | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/t/https_proxy.t b/t/https_proxy.t index b36d592..af1e51a 100644 --- a/t/https_proxy.t +++ b/t/https_proxy.t 
@@ -66,7 +66,10 @@ my %ua; $ua{noproxy} = LWP::UserAgent->new( keep_alive => 10, # size of connection cache # server does not know the expected name and returns generic certificate - ssl_opts => { verify_hostname => 0 } + ssl_opts => { + verify_hostname => 0, + SSL_ca_file => $cafile, + } ); $ua{proxy} = LWP::UserAgent->new( -- cgit v1.2.3 From 6e7c1c03e06094f278bd20ae351f695c6e8a2e7b Mon Sep 17 00:00:00 2001 From: Nicholas Bamber Date: Sun, 9 Jul 2023 20:40:15 +0200 Subject: Use ca-certificates rather than Mozilla::CA Origin: vendor Bug-Debian: https://bugs.debian.org/619059 Forwarded: not-needed Reviewed-by: gregor herrmann Last-Update: 2023-07-09 Gbp-Pq: Name cert.patch --- lib/LWP/Protocol/https.pm | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index 16fce19..f6ed6d4 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -34,24 +34,8 @@ sub _extra_sock_opts && defined &IO::Socket::SSL::default_ca && IO::Socket::SSL::default_ca() ) { # IO::Socket::SSL has a usable default CA - } elsif ( my $cafile = eval { - require Mozilla::CA; - Mozilla::CA::SSL_ca_file() - }) { - # use Mozilla::CA - $ssl_opts{SSL_ca_file} = $cafile; } else { - die <<'EOT'; -Can't verify SSL peers without knowing which Certificate Authorities to trust. - -This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE -environment variable to the file where your trusted CA are, or by installing -the Mozilla::CA module for set of commonly trusted CAs. - -To completly disable the verification that you talk to the correct SSL peer you -can set SSL_verify_mode to 0 within ssl_opts. But, if you do this you can't be -sure that you communicate with the expected peer. -EOT + $ssl_opts{SSL_ca_file} = '/etc/ssl/certs/ca-certificates.crt'; } } } -- cgit v1.2.3