IO-Socket-SSL - Checking of hostname missing

[ home | FAQ | about | stats | new post | login | register | tags ]
Do you want to spoil my kids? Here is my Amazon wishlist

IO-Socket-SSL [search.cpan.org] [Kobes search] [View and report bugs] [Ratings 5.0 (1) ]
[AnnoCPAN] [CPAN Tests results] [CPANTS]

Posted on Tue Jun 12 17:16:43 2007 by christopherodenbach
Checking of hostname missing

Hi,

I recently discovered, that IO::Socket::SSL does not verify the hostname in the certificate to the one it connects to.

I found out about this when fiddeling with Net::LDAP. Even with 'verify=require' the hostname was not checked (the certificate was of course).

Now it is of course possible to make Net::LDAP check the hostname itself (after having IO::Socket::SSL check the certificate), but that is quite a long and difficult task: there are certificates with wildcards, with IP addresses, with subjectAltNames and so on. I have nearly done it now for Net::LDAP, but there are plenty of other perl modules which use IO::Socket::SSL which all would need the hostname checking implemented.

Wouldn't it make more sense to put the neccessary code into IO::Socket::SSL itself?

Cheers,

Christopher

Direct Responses: 5422 | Write a response

[ home | FAQ | about | stats | new post | login | register | tags ]
Do you want to spoil my kids? Here is my Amazon wishlist
Service launched on 2nd of February 2005.
Comments, and other submissions on CPAN Forum are Copyright 2005-2007, their respective owners.
Site maintainer is not responsible for content. Privacy Policy
Maintained and hosted by Gabor Szabo at Perl Training Israel
See also World Wide Perl Training