[Ddclient-support] Not Setting SSL_verify_mode Produces Warning
From: William M. <wf...@ho...> - 2013-01-28 03:07:21
While using the configuration option of "ssl=yes" in ddclient a warning message is produced by the latest release of perl module IO::Socket::SSL. This is because the SSL_verify_mode is not explicitly set to SSL_VERIFY_NONE.

Warning Message:

*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 together with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************

The second paragraph of the method documentation explains that the default will be changing to SSL_VERIFY_PEER (see below). ddclient will need to set the SSL_verify_mode to SSL_VERIFY_NONE.

SSL_verify_mode

    This option sets the verification mode for the peer certificate. You may combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT (fail verification if no peer certificate exists; ignored for clients), SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See OpenSSL man page for SSL_CTX_set_verify for more information.

    The default is SSL_VERIFY_NONE for server (e.g. no check for client certificate). For historical reasons the default for client is currently also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near future. To aid transition a warning is issued if the client is used with the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set by the application.
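The two explicit settings the warning text describes, as an added example that is not part of the original message and is not ddclient's code. The config keys `ca_file`, `ca_path` and `insecure`, the host `dyndns.example`, the path `/etc/ssl/certs` and the helper names are assumptions made for illustration; `SSL_hostname` and `SSL_verifycn_*` are further IO::Socket::SSL options not mentioned in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_NONE, SSL_VERIFY_PEER and $SSL_ERROR

# Build constructor arguments that always set SSL_verify_mode explicitly,
# so the library never falls back to its (changing) client default.
# The %cfg keys ca_file, ca_path and insecure are hypothetical names.
sub ssl_client_args {
    my ($host, $port, %cfg) = @_;
    my %args = (
        PeerAddr     => $host,
        PeerPort     => $port,
        Proto        => 'tcp',
        SSL_hostname => $host,    # SNI
    );
    if ($cfg{insecure}) {
        # Explicit opt-out: no warning, but the peer certificate is not checked.
        $args{SSL_verify_mode} = SSL_VERIFY_NONE;
        return %args;
    }
    # Fail closed: verification needs a trust store, as the warning text says.
    die "verification requested but no ca_file or ca_path configured\n"
        unless defined $cfg{ca_file} || defined $cfg{ca_path};
    $args{SSL_verify_mode}     = SSL_VERIFY_PEER;
    $args{SSL_verifycn_scheme} = 'http';    # also match the certificate name
    $args{SSL_verifycn_name}   = $host;
    $args{SSL_ca_file} = $cfg{ca_file} if defined $cfg{ca_file};
    $args{SSL_ca_path} = $cfg{ca_path} if defined $cfg{ca_path};
    return %args;
}

# Open the connection with the arguments chosen above.
sub connect_ssl {
    my %args = ssl_client_args(@_);
    my $sock = IO::Socket::SSL->new(%args)
        or die "connect to $args{PeerAddr}:$args{PeerPort} failed: $!, $SSL_ERROR\n";
    return $sock;
}

# Constructed configurations; this loop only builds arguments and connects nowhere.
for my $cfg ({ ca_path => '/etc/ssl/certs' }, { insecure => 1 }, {}) {
    my %args = eval { ssl_client_args('dyndns.example', 443, %$cfg) };
    if ($@) { print "rejected: $@"; next }
    printf "verify_mode=%s ca_path=%s\n",
        $args{SSL_verify_mode} == SSL_VERIFY_PEER ? 'SSL_VERIFY_PEER' : 'SSL_VERIFY_NONE',
        $args{SSL_ca_path} // '-';
}
```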