Re: [Ddclient-support] Not Setting SSL_verify_mode Produces Warning
From: wimpunk <wi...@us...> - 2013-02-27 21:16:56
William,

Thanks for the patch but I would rather like it as an option. Strictly speaking this is an security so I think people have to be able to control the setting.

Regards, wimpunk.

On 02/26/13 20:14, William Makowski wrote:
> Ticket #76 https://sourceforge.net/apps/trac/ddclient/ticket/76 has
> been opened to track this issue. I have also attached a proposed
> patch to the ticket (see below). This appears to work for me,
> but may require further testing.
>
> --- o/ddclient-3.8.1/ddclient 2013-02-24 08:17:51.607524001 -0500 > +++ n/ddclient-3.8.1/ddclient 2013-02-26 08:52:37.491332081 -0500 > @@ -1861,6 +1861,7 @@ > Proto => 'tcp', > MultiHomed => 1, > Timeout => opt('timeout'), > + SSL_verify_mode => SSL_VERIFY_NONE(), > ); > defined $sd or warning("cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr()); > } else { 
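Review bot: The added `SSL_verify_mode => SSL_VERIFY_NONE(),` argument hard-codes certificate verification off for every ssl=yes connection. That silences the IO::Socket::SSL warning, but it also makes permanent the man-in-the-middle exposure that the warning text quoted in this thread describes, and it gives the user no way to ask for SSL_VERIFY_PEER. Suggest taking the mode from a configuration option, the same way the neighbouring `Timeout => opt('timeout'),` argument is, passing SSL_ca_file or SSL_ca_path when verification is enabled, and documenting the option and its default alongside ssl=yes.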
>
>
>> From: wf...@ho...
>> To: ddc...@li...
>> Subject: Not Setting SSL_verify_mode Produces Warning
>> Date: Sun, 27 Jan 2013 22:07:14 -0500
>>
>> While using the configuration option of "ssl=yes" in ddclient a warning
>> message is produced by the latest release of perl module IO::Socket::SSL.
>> This is because the SSL_verify_mode is not explicitly set to
>> SSL_VERIFY_NONE.
>>
>> Warning Message:
>> *******************************************************************
>> Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
>> is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
>> together with SSL_ca_file|SSL_ca_path for verification.
>> If you really don't want to verify the certificate and keep the
>> connection open to Man-In-The-Middle attacks please set
>> SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
>> *******************************************************************
>>
>> The second paragraph of the method documentation explains that the
>> default will be changing to SSL_VERIFY_PEER (see below). ddclient will
>> need to set the SSL_verify_mode to SSL_VERIFY_NONE.
>>
>> SSL_verify_mode
>> This option sets the verification mode for the peer certificate. You may
>> combine SSL_VERIFY_PEER (verify_peer), SSL_VERIFY_FAIL_IF_NO_PEER_CERT
>> (fail verification if no peer certificate exists; ignored for clients),
>> SSL_VERIFY_CLIENT_ONCE (verify client once; ignored for clients). See
>> OpenSSL man page for SSL_CTX_set_verify for more information.
>>
>> The default is SSL_VERIFY_NONE for server (e.g. no check for client
>> certificate). For historical reasons the default for client is currently
>> also SSL_VERIFY_NONE, but this will change to SSL_VERIFY_PEER in the near
>> future. To aid transition a warning is issued if the client is used with
>> the default SSL_VERIFY_NONE, unless SSL_verify_mode was explicitly set
>> by the application.
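The reply above asks for the verification mode to be a setting rather than a hard-coded value. One way that could look, as an added example that is not ddclient code and not part of this thread; the option names ssl_verify, ssl_ca_file and ssl_ca_dir and both helper functions are hypothetical, and the HTTPS name-check scheme is an assumption about the service being contacted:

```perl
# Added example, not ddclient code. The option names ssl_verify, ssl_ca_file
# and ssl_ca_dir are hypothetical.
use strict;
use warnings;
use IO::Socket::SSL;    # exports SSL_VERIFY_NONE() and SSL_VERIFY_PEER()

# Translate user configuration into IO::Socket::SSL constructor arguments.
sub ssl_verify_args {
    my (%cfg) = @_;
    my $verify = defined $cfg{ssl_verify} ? lc($cfg{ssl_verify}) : 'yes';

    # Opting out is the user's explicit decision, so the mode is set explicitly.
    return (SSL_verify_mode => SSL_VERIFY_NONE()) if $verify eq 'no';
    die "ssl_verify must be 'yes' or 'no', got '$cfg{ssl_verify}'\n"
        unless $verify eq 'yes';

    # Verify the certificate chain and match the name as an HTTPS client would.
    my @args = (SSL_verify_mode => SSL_VERIFY_PEER(), SSL_verifycn_scheme => 'http');
    for my $pair ([ssl_ca_file => 'SSL_ca_file'], [ssl_ca_dir => 'SSL_ca_path']) {
        my ($opt, $arg) = @$pair;
        next unless defined $cfg{$opt};
        die "$opt '$cfg{$opt}' is not readable\n" unless -r $cfg{$opt};
        push @args, $arg => $cfg{$opt};
    }
    return @args;
}

# Constructor arguments modeled on those visible in the patch, plus the setting.
sub connect_ssl {
    my ($peer, $port, $timeout, %cfg) = @_;
    my $sd = IO::Socket::SSL->new(
        PeerAddr   => $peer,
        PeerPort   => $port,
        Proto      => 'tcp',
        MultiHomed => 1,
        Timeout    => $timeout,
        ssl_verify_args(%cfg),
    );
    defined $sd
        or warn "cannot connect to $peer:$port socket: $@ " . IO::Socket::SSL::errstr() . "\n";
    return $sd;
}

# Constructed demonstration without network access: show the mode each setting yields.
for my $cfg ({}, { ssl_verify => 'no' }) {
    my %args = ssl_verify_args(%$cfg);
    printf "ssl_verify=%s => SSL_verify_mode %d\n",
        $cfg->{ssl_verify} // 'yes (default)', $args{SSL_verify_mode};
}
```

Because the mode is always passed explicitly, the transition warning quoted in the original report is not triggered in either setting, and a misspelled value stops the run instead of silently disabling verification.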