Re: [Ddclient-support] Not Setting SSL_verify_mode Produces Warning
From: William M. <wf...@ho...> - 2013-02-26 19:16:00
Ticket #76 https://sourceforge.net/apps/trac/ddclient/ticket/76 has been opened to track this issue. I have also attached a proposed patch to the ticket(see below). This appears to work for me, but may require further testing. --- o/ddclient-3.8.1/ddclient 2013-02-24 08:17:51.607524001 -0500 +++ n/ddclient-3.8.1/ddclient 2013-02-26 08:52:37.491332081 -0500 @@ -1861,6 +1861,7 @@ Proto => 'tcp', MultiHomed => 1, Timeout => opt('timeout'), + SSL_verify_mode => SSL_VERIFY_NONE(), ); defined $sd or warning("cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr()); } else { 
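Review bot: adding `SSL_verify_mode => SSL_VERIFY_NONE()` to the `IO::Socket::SSL->new` call silences the deprecation warning but permanently turns off certificate verification, which the warning quoted in the original report says keeps the connection open to Man-In-The-Middle attacks; consider following the warning's own recommendation instead, `SSL_verify_mode => SSL_VERIFY_PEER` together with `SSL_ca_file` or `SSL_ca_path`, and only fall back to `SSL_VERIFY_NONE` behind an explicit, documented ddclient option. A smaller point: the hunk calls `SSL_VERIFY_NONE()` unqualified while the error path two lines below uses `IO::Socket::SSL::errstr()` fully qualified, so the patch relies on the constant having been imported into ddclient's namespace.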
> From: wf...@ho...
> To: ddc...@li...
> Subject: Not Setting SSL_verify_mode Produces Warning
> Date: Sun, 27 Jan 2013 22:07:14 -0500
>
> While using the configuration option of "ssl=yes" in ddclient a warning
> message is produced by the latest release of perl module IO::Socket::SSL.
> This is because the SSL_verify_mode is not explicitly set to
> SSL_VERIFY_NONE.
>
> Warning Message:
> *******************************************************************
> Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
> is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
> together with SSL_ca_file|SSL_ca_path for verification.
> If you really don't want to verify the certificate and keep the
> connection open to Man-In-The-Middle attacks please set
> SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
> *******************************************************************
>
> The second paragraph of the method documentation explains that the
> default will be changing to SSL_VERIFY_PEER (see below). ddclient will
> need to set the SSL_verify_mode to SSL_VERIFY_NONE.
>
> SSL_verify_mode
> This option sets the verification mode for the peer certificate. You may
> combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
> (fail verification if no peer certificate exists; ignored for clients),
> SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See
> OpenSSL man page for SSL_CTX_set_verify for more information.
>
> The default is SSL_VERIFY_NONE for server (e.g. no check for client
> certificate). For historical reasons the default for client is currently
> also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near
> future. To aid transition a warning is issued if the client is used with
> the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set
> by the application.
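An added example, not ddclient's code or the patch in this thread, showing the same IO::Socket::SSL client connection with the verification the warning asks for (SSL_VERIFY_PEER plus a CA path and a hostname check) instead of pinning SSL_VERIFY_NONE; the host, port, timeout and CA directory are placeholders.

```perl
#!/usr/bin/perl
# Added example: open a TLS client socket with IO::Socket::SSL and verify the
# server certificate, rather than silencing the warning with SSL_VERIFY_NONE.
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER, SSL_VERIFY_NONE, ...

my $peer = 'dyndns.example';   # placeholder host (assumption)
my $port = 443;                # placeholder port (assumption)

my $sd = IO::Socket::SSL->new(
    PeerAddr => $peer,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 30,            # placeholder timeout (assumption)
    # Verify the server's certificate chain against a trusted CA store
    # (the weak setting the patch pins would be SSL_VERIFY_NONE here).
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_path     => '/etc/ssl/certs',   # CA directory; distro-specific (assumption)
    # Also check that the certificate was issued for the host we asked for;
    # 'http' selects browser-style matching of CN / subjectAltName.
    SSL_verifycn_scheme => 'http',
    SSL_verifycn_name   => $peer,
);

unless (defined $sd) {
    # A chain or hostname mismatch ends up here; errstr() carries the
    # OpenSSL reason (for example "certificate verify failed").
    die "cannot connect to $peer:$port socket: $@ "
      . IO::Socket::SSL::errstr() . "\n";
}

print $sd "GET / HTTP/1.0\r\nHost: $peer\r\n\r\n";
my $status = <$sd>;
print "connected, server replied: $status";
close $sd;
```

On systems that ship a single CA bundle file rather than a hashed directory, use SSL_ca_file with the bundle's path in place of SSL_ca_path.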