Thread: [Ddclient-support] Not Setting SSL_verify_mode Produces Warning
From: William M. <wf...@ho...> - 2013-01-28 03:07:21
While using the configuration option of "ssl=yes" in ddclient a warning
message is produced by the latest release of perl module IO::Socket::SSL.
This is because the SSL_verify_mode is not explicitly set to
SSL_VERIFY_NONE.

Warning Message:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************

The second paragraph of the method documentation explains that the
default will be changing to SSL_VERIFY_PEER (see below). ddclient will
need to set the SSL_verify_mode to SSL_VERIFY_NONE.

SSL_verify_mode
This option sets the verification mode for the peer certificate. You may
combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
(fail verification if no peer certificate exists; ignored for clients),
SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See
OpenSSL man page for SSL_CTX_set_verify for more information.

The default is SSL_VERIFY_NONE for server (e.g. no check for client
certificate). For historical reasons the default for client is currently
also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near
future. To aid transition a warning is issued if the client is used with
the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set
by the application.
From: William M. <wf...@ho...> - 2013-02-26 19:16:00
Ticket #76 https://sourceforge.net/apps/trac/ddclient/ticket/76 has been opened to track this issue. I have also attached a proposed patch to the ticket(see below). This appears to work for me, but may require further testing. --- o/ddclient-3.8.1/ddclient 2013-02-24 08:17:51.607524001 -0500 +++ n/ddclient-3.8.1/ddclient 2013-02-26 08:52:37.491332081 -0500 @@ -1861,6 +1861,7 @@ Proto => 'tcp', MultiHomed => 1, Timeout => opt('timeout'), + SSL_verify_mode => SSL_VERIFY_NONE(), ); defined $sd or warning("cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr()); } else { 
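Review bot: the added line `+ SSL_verify_mode => SSL_VERIFY_NONE(),` removes the warning, but it does so by hard-coding the very behaviour the warning text describes as keeping the connection open to Man-In-The-Middle attacks, so every ssl=yes user permanently loses certificate verification once IO::Socket::SSL changes its client default to SSL_VERIFY_PEER. Consider driving the value from a configuration option instead, defaulting to SSL_VERIFY_PEER together with SSL_ca_file or SSL_ca_path as the warning suggests, and emitting SSL_VERIFY_NONE only when the user has explicitly turned verification off. A short comment next to the new line explaining why the mode is set explicitly would also keep it from being removed later as apparently redundant.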
> From: wf...@ho...
> To: ddc...@li...
> Subject: Not Setting SSL_verify_mode Produces Warning
> Date: Sun, 27 Jan 2013 22:07:14 -0500
>
> While using the configuration option of "ssl=yes" in ddclient a warning
> message is produced by the latest release of perl module IO::Socket::SSL.
> This is because the SSL_verify_mode is not explicitly set to
> SSL_VERIFY_NONE.
>
> Warning Message:
> *******************************************************************
> Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
> is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
> together with SSL_ca_file|SSL_ca_path for verification.
> If you really don't want to verify the certificate and keep the
> connection open to Man-In-The-Middle attacks please set
> SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
> *******************************************************************
>
> The second paragraph of the method documentation explains that the
> default will be changing to SSL_VERIFY_PEER (see below). ddclient will
> need to set the SSL_verify_mode to SSL_VERIFY_NONE.
>
> SSL_verify_mode
> This option sets the verification mode for the peer certificate. You may
> combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> (fail verification if no peer certificate exists; ignored for clients),
> SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See
> OpenSSL man page for SSL_CTX_set_verify for more information.
>
> The default is SSL_VERIFY_NONE for server (e.g. no check for client
> certificate). For historical reasons the default for client is currently
> also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near
> future. To aid transition a warning is issued if the client is used with
> the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set
> by the application.
From: wimpunk <wi...@us...> - 2013-02-27 21:16:56
William,

Thanks for the patch but I would rather like it as an option. Strictly speaking this is a security issue so I think people have to be able to control the setting.

Regards,
wimpunk.

On 02/26/13 20:14, William Makowski wrote:
> Ticket #76 https://sourceforge.net/apps/trac/ddclient/ticket/76 has
> been opened to track this issue. I have also attached a proposed
> patch to the ticket(see below). This appears to work for me,
> but may require further testing.
>
> --- o/ddclient-3.8.1/ddclient 2013-02-24 08:17:51.607524001 -0500
> +++ n/ddclient-3.8.1/ddclient 2013-02-26 08:52:37.491332081 -0500
> @@ -1861,6 +1861,7 @@
> Proto => 'tcp',
> MultiHomed => 1,
> Timeout => opt('timeout'),
> + SSL_verify_mode => SSL_VERIFY_NONE(),
> );
> defined $sd or warning("cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr());
> } else {
>
>
>> From: wf...@ho...
>> To: ddc...@li...
>> Subject: Not Setting SSL_verify_mode Produces Warning
>> Date: Sun, 27 Jan 2013 22:07:14 -0500
>>
>> While using the configuration option of "ssl=yes" in ddclient a warning
>> message is produced by the latest release of perl module IO::Socket::SSL.
>> This is because the SSL_verify_mode is not explicitly set to
>> SSL_VERIFY_NONE.
>>
>> Warning Message:
>> *******************************************************************
>> Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
>> is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
>> together with SSL_ca_file|SSL_ca_path for verification.
>> If you really don't want to verify the certificate and keep the
>> connection open to Man-In-The-Middle attacks please set
>> SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
>> *******************************************************************
>>
>> The second paragraph of the method documentation explains that the
>> default will be changing to SSL_VERIFY_PEER (see below). ddclient will
>> need to set the SSL_verify_mode to SSL_VERIFY_NONE.
>>
>> SSL_verify_mode
>> This option sets the verification mode for the peer certificate. You may
>> combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
>> (fail verification if no peer certificate exists; ignored for clients),
>> SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See
>> OpenSSL man page for SSL_CTX_set_verify for more information.
>>
>> The default is SSL_VERIFY_NONE for server (e.g. no check for client
>> certificate). For historical reasons the default for client is currently
>> also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near
>> future. To aid transition a warning is issued if the client is used with
>> the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set
>> by the application.
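The two things the thread asks for, the verification setup that the IO::Socket::SSL warning in the first message recommends (SSL_VERIFY_PEER with SSL_ca_file or SSL_ca_path) and the user-controlled opt-out wimpunk asks for in his reply, shown together as an added Perl example. This is not ddclient's code and not the patch attached to ticket #76: the option names ssl_verify and ssl_ca_file, the %config hash and opt() stand-in for ddclient's configuration lookup, and the placeholder host update.example.invalid are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not ddclient's own code: build the IO::Socket::SSL option
# list for a client connection so that the server certificate is verified
# by default and SSL_VERIFY_NONE is only used when the user explicitly asks.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Constructed stand-in for ddclient's configuration: a plain hash and an
# opt() lookup. 'ssl_verify' and 'ssl_ca_file' are hypothetical option
# names chosen for this example, not ddclient options.
my %config = (
    timeout     => 30,
    ssl_verify  => 1,      # default: verify the peer certificate
    ssl_ca_file => undef,  # optional explicit CA bundle path
);
sub opt { return $config{ $_[0] } }

# Option list for IO::Socket::SSL->new, derived from the configuration.
sub ssl_options {
    my ($peer, $port) = @_;
    my %opts = (
        PeerAddr   => $peer,
        PeerPort   => $port,
        Proto      => 'tcp',
        MultiHomed => 1,
        Timeout    => opt('timeout'),
    );
    if (opt('ssl_verify')) {
        # Verify the certificate chain and check that the certificate was
        # issued for $peer (the 'http' scheme enables the hostname check).
        $opts{SSL_verify_mode}     = SSL_VERIFY_PEER;
        $opts{SSL_verifycn_scheme} = 'http';
        $opts{SSL_verifycn_name}   = $peer;
        # Use a specific CA bundle when one is configured; otherwise
        # IO::Socket::SSL falls back to its default CA store lookup.
        $opts{SSL_ca_file} = opt('ssl_ca_file') if defined opt('ssl_ca_file');
    }
    else {
        # Explicit opt-out: setting the mode silences the deprecation
        # warning, but the server identity is then not checked at all.
        # This is the user's stated choice, never the default.
        $opts{SSL_verify_mode} = SSL_VERIFY_NONE;
    }
    return %opts;
}

# Show what each setting produces for a placeholder host (constructed,
# not a real update server).
for my $verify (1, 0) {
    $config{ssl_verify} = $verify;
    my %o = ssl_options('update.example.invalid', 443);
    printf "ssl_verify=%d -> SSL_verify_mode=%d%s\n",
        $verify, $o{SSL_verify_mode},
        $o{SSL_verifycn_name} ? " (hostname check for $o{SSL_verifycn_name})" : '';
}
$config{ssl_verify} = 1;

# With a host name on the command line, actually open a verified connection
# and report the certificate subject; a failed verification dies here.
if (my $host = shift @ARGV) {
    my $sd = IO::Socket::SSL->new(ssl_options($host, 443))
        or die "cannot connect to $host:443: $@ " . IO::Socket::SSL::errstr() . "\n";
    print "connected, certificate subject: ",
        ($sd->peer_certificate('subject') // '(none)'), "\n";
    close $sd;
}
```

Running the script without arguments only prints the two option sets (mode 1 with a hostname check for ssl_verify=1, mode 0 for ssl_verify=0); with a host name it connects and fails loudly if the chain or the name does not verify, which is the behaviour the warning text is steering applications toward. Keeping SSL_VERIFY_NONE behind a configuration option means the deprecation warning disappears in both cases, but only because the mode is always set explicitly, not because verification was dropped for everyone.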