To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate
verification for IO::Socket::SSL
Date: Thu, 1 May 2014 17:24:25 +0200
Package: libwww-perl
Version: 6.06-1
Tags: security
Usertags: serious
If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
server certificate verification:
$ export PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL
$ GET https://www.berlios.de/
Can't connect to www.berlios.de:443
$ HTTPS_CA_DIR=/etc/ssl/certs/ GET https://www.berlios.de/ | grep '<!DOCTYPE'
<!DOCTYPE html>
This is counter-intuitive, and also the opposite of Net::SSL behavior,
which does certificate verification only if you set one of these
variables.
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwww-perl depends on:
ii ca-certificates 20140325
ii libencode-locale-perl 1.03-1
ii libfile-listing-perl 6.04-1
ii libhtml-parser-perl 3.71-1+b1
ii libhtml-tagset-perl 3.20-2
ii libhtml-tree-perl 5.03-1
ii libhttp-cookies-perl 6.00-2
ii libhttp-date-perl 6.02-1
ii libhttp-message-perl 6.06-1
ii libhttp-negotiate-perl 6.00-2
ii liblwp-mediatypes-perl 6.02-1
ii liblwp-protocol-https-perl 6.04-2
ii libnet-http-perl 6.06-1
ii liburi-perl 1.60-1
ii libwww-robotrules-perl 6.01-1
ii netbase 5.2
ii perl 5.18.2-2+b1
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package libwww-perl.
(Fri, 02 May 2014 13:45:04 GMT)
Subject: Re: Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables
peer certificate verification for IO::Socket::SSL
Date: Fri, 2 May 2014 15:44:01 +0200
* Jakub Wilk <jwilk@debian.org>, 2014-05-01, 17:24:
>If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
>setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
>server certificate verification:
This is what's going on:
In LWP::UserAgent we have this:
    elsif ($ENV{HTTPS_CA_FILE} || $ENV{HTTPS_CA_DIR}) {
        # Crypt-SSLeay compatibility (verify peer certificate; but not the hostname)
        $ssl_opts->{verify_hostname} = 0;
        $ssl_opts->{SSL_verify_mode} = 1;
    }
But in LWP::Protocol::HTTPS we have this:
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = 0;
    }
So the intention was to disable only hostname verification, for
compatibility with Crypt::SSLeay (why?!), but the effect is that the
SSL_verify_mode is set to 0.
--
Jakub Wilk
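To make the interaction between the two branches concrete, here is an added example (my own code, not code from the thread, from LWP or from the Debian patch). It models the two snippets quoted above as plain functions, prints the SSL_verify_mode that IO::Socket::SSL would end up receiving with and without HTTPS_CA_DIR set, and shows an explicit ssl_opts configuration that does not depend on the environment. The PERL_LWP_SSL_VERIFY_HOSTNAME and default branches around the quoted elsif, the "intended" variant, and the hardened_ua helper are my assumptions about the surrounding code and the intended behaviour described in the commit message; they are not the actual fix.

```perl
#!/usr/bin/perl
# Added example: models the two LWP code paths quoted in the bug and shows what
# SSL_verify_mode IO::Socket::SSL would receive. Not LWP's own code.
use strict;
use warnings;

# Step 1: the ssl_opts LWP::UserAgent derives from the environment. The
# HTTPS_CA_* branch is the one quoted in the report; the branch before it and
# the default branch are my assumption about the rest of that if/elsif chain.
sub ua_ssl_opts_from_env {
    my (%env) = @_;
    my %ssl_opts;
    if (exists $env{PERL_LWP_SSL_VERIFY_HOSTNAME}) {
        $ssl_opts{verify_hostname} = $env{PERL_LWP_SSL_VERIFY_HOSTNAME};
    }
    elsif ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) {
        # Crypt-SSLeay compatibility (verify peer certificate; but not the hostname)
        $ssl_opts{verify_hostname} = 0;
        $ssl_opts{SSL_verify_mode} = 1;    # 1 == SSL_VERIFY_PEER
    }
    else {
        $ssl_opts{verify_hostname} = 1;
    }
    return \%ssl_opts;
}

# Step 2a: the LWP::Protocol::https transform quoted in the report (6.04).
sub https_opts_6_04 {
    my %ssl_opts = %{ shift() };
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = 0;    # 0 == SSL_VERIFY_NONE: clobbers the 1 from step 1
    }
    return \%ssl_opts;
}

# Step 2b: the behaviour the commit message describes as intended (disable only
# the hostname check). My illustration, not the Debian patch itself.
sub https_opts_intended {
    my %ssl_opts = %{ shift() };
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    elsif (!exists $ssl_opts{SSL_verify_mode}) {
        $ssl_opts{SSL_verify_mode} = 0;    # nothing requested at all: legacy "no checks"
    }
    # an explicitly set SSL_verify_mode (the 1 from the HTTPS_CA_* branch) is kept
    return \%ssl_opts;
}

sub describe {
    my ($label, $opts) = @_;
    my $mode = exists $opts->{SSL_verify_mode}     ? $opts->{SSL_verify_mode}     : 'unset';
    my $cn   = exists $opts->{SSL_verifycn_scheme} ? $opts->{SSL_verifycn_scheme} : 'none';
    printf "%-30s SSL_verify_mode=%s  hostname check=%s\n", $label, $mode, $cn;
}

# Constructed environments; /etc/ssl/certs is the path used in the report.
my @cases = (
    [ 'no HTTPS_CA_* set', {} ],
    [ 'HTTPS_CA_DIR set',  { HTTPS_CA_DIR => '/etc/ssl/certs' } ],
);
for my $case (@cases) {
    my ($name, $env) = @$case;
    my $ua_opts = ua_ssl_opts_from_env(%$env);
    describe("$name / 6.04",     https_opts_6_04($ua_opts));
    describe("$name / intended", https_opts_intended($ua_opts));
}

# Mitigation that does not depend on the fix: pass verify_hostname and the CA
# location explicitly. My reading of the if/elsif chain above (assumption, not
# quoted on the page) is that LWP::UserAgent only consults the environment when
# verify_hostname is absent from ssl_opts. SSL_ca_path is an IO::Socket::SSL
# option that ssl_opts passes through; LWP::UserAgent must be installed.
sub hardened_ua {
    require LWP::UserAgent;
    return LWP::UserAgent->new(
        ssl_opts => { verify_hostname => 1, SSL_ca_path => '/etc/ssl/certs' },
    );
}
```

Running the script shows the point of the report: with HTTPS_CA_DIR set, the 6.04 path reports SSL_verify_mode=0 (no peer verification at all), while without the variable it reports 1 with the 'www' hostname scheme; the "intended" variant keeps SSL_verify_mode=1 and drops only the hostname check.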
Added tag(s) confirmed.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sat, 03 May 2014 06:03:09 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package libwww-perl.
(Sat, 03 May 2014 21:33:08 GMT)
Acknowledgement sent
to Steffen Ullrich <coyote.frank@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sat, 03 May 2014 21:33:08 GMT)
Bug reassigned from package 'libwww-perl' to 'liblwp-protocol-https-perl'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:16 GMT)
No longer marked as found in versions libwww-perl/6.06-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:17 GMT)
Marked as found in versions liblwp-protocol-https-perl/6.04-1.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:18 GMT)
Added indication that 746579 affects libwww-perl
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:19 GMT)
Severity set to 'serious' from 'normal'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:20 GMT)
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Sun, 04 May 2014 05:03:21 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package liblwp-protocol-https-perl.
(Sun, 04 May 2014 05:21:15 GMT)
To: 746579@bugs.debian.org, 746579-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the liblwp-protocol-https-perl package
Date: Sun, 04 May 2014 05:17:12 +0000
tag 746579 + pending
thanks
Some bugs in the liblwp-protocol-https-perl package are closed in
revision 52883a3bed1d53924ed86d4551efb1e1510a1594 in branch 'master'
by Salvatore Bonaccorso
The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/liblwp-protocol-https-perl.git;a=commitdiff;h=52883a3
Commit message:
Add 746579-fix-peer-certificate-verification.patch patch
Fixes "HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate
verification for IO::Socket::SSL". When the intention was to only
disable hostname verification LWP::Protocol::HTTPS disabled also the
peer certificate verification completely.
Thanks: Jakub Wilk and Steffen Ullrich
Closes: #746579
Message sent on
to Jakub Wilk <jwilk@debian.org>:
Bug#746579.
(Sun, 04 May 2014 05:21:26 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package liblwp-protocol-https-perl.
(Sun, 04 May 2014 06:45:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sun, 04 May 2014 06:45:05 GMT)
To: Steffen Ullrich <coyote.frank@gmx.net>, 746579@bugs.debian.org
Subject: Re: Bug#746579: Fix can be found here
Date: Sun, 4 May 2014 08:42:05 +0200
Hi Steffen,
On Sat, May 03, 2014 at 11:28:30PM +0200, Steffen Ullrich wrote:
> https://github.com/libwww-perl/lwp-protocol-https/pull/14
Thanks for the patch, I have committed it to the git repo[1], but now
there is the t/https_proxy.t test failing which needs fixing first:
----cut---------cut---------cut---------cut---------cut---------cut-----
$ prove -v t/https_proxy.t
t/https_proxy.t ..
1..56
ok 1 - noproxy http://127.0.0.1:44545/foo -> A.1@nossl
ok 2 - URL in request -> /foo
ok 3 - noproxy http://127.0.0.1:44545/bar -> A.2@nossl
ok 4 - URL in request -> /bar
ok 5 - noproxy http://127.0.0.1:46930/foo -> B.1@nossl
ok 6 - URL in request -> /foo
ok 7 - noproxy http://127.0.0.1:46930/bar -> B.2@nossl
ok 8 - URL in request -> /bar
ok 9 - noproxy http://127.0.0.1:44545/tor -> A.3@nossl
ok 10 - URL in request -> /tor
ok 11 - noproxy http://127.0.0.1:46930/tor -> B.3@nossl
ok 12 - URL in request -> /tor
ok 13 - proxy http://foo/foo -> C.1.auth@nossl
ok 14 - URL in request -> http://foo/foo
ok 15 - proxy http://foo/bar -> C.2.auth@nossl
ok 16 - URL in request -> http://foo/bar
ok 17 - proxy http://bar/foo -> C.3.auth@nossl
ok 18 - URL in request -> http://bar/foo
ok 19 - proxy http://bar/bar -> C.4.auth@nossl
ok 20 - URL in request -> http://bar/bar
ok 21 - proxy http://foo/tor -> C.5.auth@nossl
ok 22 - URL in request -> http://foo/tor
ok 23 - proxy http://bar/tor -> C.6.auth@nossl
ok 24 - URL in request -> http://bar/tor
# creating cert for direct.ssl.access
unexpected response: 500 Can't connect to 127.0.0.1:44545
Content-Type: text/plain
Client-Date: Sun, 04 May 2014 06:35:46 GMT
Client-Warning: Internal response
Can't connect to 127.0.0.1:44545
# Looks like you planned 56 tests but ran 24.
# Looks like your test exited with 255 just after 24.
# SSL handshake failed: SSL connect accept failed because of handshake problems error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Dubious, test returned 255 (wstat 65280, 0xff00)
Failed 32/56 subtests
Test Summary Report
-------------------
t/https_proxy.t (Wstat: 65280 Tests: 24 Failed: 0)
Non-zero exit status: 255
Parse errors: Bad plan. You planned 56 tests but ran 24.
Files=1, Tests=24, 1 wallclock secs ( 0.02 usr 0.01 sys + 0.19 cusr 0.01 csys = 0.23 CPU)
Result: FAIL
----cut---------cut---------cut---------cut---------cut---------cut-----
[1] http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/liblwp-protocol-https-perl.git;a=commitdiff;h=52883a3
Regards,
Salvatore
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package liblwp-protocol-https-perl.
(Sun, 04 May 2014 07:36:11 GMT)
Acknowledgement sent
to Steffen Ullrich <coyote.frank@gmx.net>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Sun, 04 May 2014 07:36:11 GMT)
On Sun, May 04, 2014 at 08:42:05AM +0200, Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi Steffen,
>
> On Sat, May 03, 2014 at 11:28:30PM +0200, Steffen Ullrich wrote:
> > https://github.com/libwww-perl/lwp-protocol-https/pull/14
>
> Thanks for the patch, I have committed it to the git repo[1], but now
> there is the t/https_proxy.t test failing which needs fixing first:
I've updated the test.
It should have failed in previous versions too but did not because of the
bug in LWP::Protocol::https which got just fixed :)
I've also added another fix to make it also workable for the old Net::SSL/Crypt::SSLeay.
Still the same pull request.
Regards,
Steffen
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package liblwp-protocol-https-perl.
(Sun, 04 May 2014 08:54:04 GMT)
Subject: Re: Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables
peer certificate verification for IO::Socket::SSL
Date: Sun, 4 May 2014 10:50:24 +0200
* Jakub Wilk <jwilk@debian.org>, 2014-05-02, 15:44:
>So the intention was to disable only hostname verification, for
>compatibility with Crypt::SSLeay (why?!), but the effect is that the
>SSL_verify_mode is set to 0.
To elaborate a bit on my "why?!":
* There's nothing in the names of HTTPS_CA_* that would suggest that
these variables are specific to Crypt::SSLeay, or LWP, or even Perl. So
people might have them set in their environment for purposes unrelated
to Crypt::SSLeay.
* I suspect that these days many users of LWP don't even know what
Crypt::SSLeay is.
* There is nothing in the LWP documentation that suggests that setting
HTTPS_CA_* might have a negative security effect.
If for some reason (I can't see such reason, but maybe I'm missing
something) disabling hostname verification is desirable when HTTPS_CA_*
is set, then it should be prominently documented.
Regarding the proposed patch, I have doubts whether it is correct.
My understanding of the documentation[0] is that, contrary to what the
name of the option suggests, verify_hostname is supposed to
enable/disable both certificate verification and that the certificate
matches hostname. But after this patch is applied, it will affect only the
latter.
[0] “When TRUE LWP will for secure protocol schemes ensure it connects
to servers that have a valid certificate matching the expected hostname.
If FALSE no checks are made and you can’t be sure that you communicate
with the expected peer.”
--
Jakub Wilk
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>: Bug#746579; Package liblwp-protocol-https-perl.
(Mon, 05 May 2014 05:54:05 GMT)
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>.
(Mon, 05 May 2014 05:54:05 GMT)
To: Jakub Wilk <jwilk@debian.org>, 746579@bugs.debian.org
Subject: Re: Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables
peer certificate verification for IO::Socket::SSL
Date: Mon, 5 May 2014 07:52:00 +0200
Hi Jakub,
On Sun, May 04, 2014 at 10:50:24AM +0200, Jakub Wilk wrote:
> * Jakub Wilk <jwilk@debian.org>, 2014-05-02, 15:44:
> >So the intention was to disable only hostname verification, for
> >compatibility with Crypt::SSLeay (why?!), but the effect is that
> >the SSL_verify_mode is set to 0.
>
> To elaborate a bit on my "why?!":
>
> * There's nothing in the names of HTTPS_CA_* that would suggest
> that these variables are specific to Crypt::SSLeay, or LWP, or even
> Perl. So people might have them set in their environment for
> purposes unrelated to Crypt::SSLeay.
>
> * I suspect that these days many users of LWP don't even know what
> Crypt::SSLeay is.
>
> * There is nothing in the LWP documentation that suggests that
> setting HTTPS_CA_* might have a negative security effect.
>
> If for some reason (I can't see such reason, but maybe I'm missing
> something) disabling hostname verification is desirable when
> HTTPS_CA_* is set, then it should be prominently documented.
>
>
> Regarding the proposed patch, I have doubts whether it is correct.
> My understanding of the documentation[0] is that, contrary to what
> the name of the option suggests, verify_hostname is supposed to
> enable/disable both certificate verification and that the
> certificate matches hostname. But after this patch is applied, it will
> affect only the latter.
>
>
> [0] “When TRUE LWP will for secure protocol schemes ensure it
> connects to servers that have a valid certificate matching the
> expected hostname. If FALSE no checks are made and you can’t be sure
> that you communicate with the expected peer.”
Thanks for elaborating this and taking time.
I have not yet uploaded a package with the commit applied. There is
some discussion going on in the issue tracker at [1], with clarification
from upstream of IO::Socket::SSL at [2].
[1] https://github.com/libwww-perl/lwp-protocol-https/pull/14
[2] https://github.com/libwww-perl/lwp-protocol-https/pull/14#issuecomment-42160001
Regards,
Salvatore
Changed Bug title to 'liblwp-protocol-https-perl: CVE-2014-3230: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL' from 'libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Tue, 13 May 2014 20:51:04 GMT)
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Tue, 13 May 2014 21:24:09 GMT)
Notification sent
to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer.
(Tue, 13 May 2014 21:24:09 GMT)
Subject: Bug#746579: fixed in liblwp-protocol-https-perl 6.04-3
Date: Tue, 13 May 2014 21:21:31 +0000
Source: liblwp-protocol-https-perl
Source-Version: 6.04-3
We believe that the bug you reported is fixed in the latest version of
liblwp-protocol-https-perl, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 746579@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated liblwp-protocol-https-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 13 May 2014 22:45:39 +0200
Source: liblwp-protocol-https-perl
Binary: liblwp-protocol-https-perl
Architecture: source all
Version: 6.04-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Description:
liblwp-protocol-https-perl - HTTPS driver for LWP::UserAgent
Closes: 746579
Changes:
liblwp-protocol-https-perl (6.04-3) unstable; urgency=medium
.
* Team upload.
.
[ gregor herrmann ]
* debian/control: remove Nicholas Bamber from Uploaders on request of
the MIA team.
* Strip trailing slash from metacpan URLs.
.
[ Salvatore Bonaccorso ]
* Refresh cert.patch for offset
* Add 746579-fix-peer-certificate-verification.patch patch.
Fixes "HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate
verification for IO::Socket::SSL". When the intention was to only
disable hostname verification LWP::Protocol::HTTPS disabled also the
peer certificate verification completely. (CVE-2014-3230)
Thanks to Jakub Wilk and Steffen Ullrich (Closes: #746579)
* Update fix-https-proxy for fixed behaviour of LWP::Protocol::https
Checksums-Sha1:
454b1cfa58b971b400cc3db61586a2543b5a217c 2256 liblwp-protocol-https-perl_6.04-3.dsc
bac256c69981c68f2fb05ca75e0cb8ec4b84dffb 7320 liblwp-protocol-https-perl_6.04-3.debian.tar.xz
d828ebf12b7aa370dfe7db6014698c1105f10192 8274 liblwp-protocol-https-perl_6.04-3_all.deb
Checksums-Sha256:
9d9898b00bc092cff6ebb12c64edb50e964c4ce292b3ce8940dc2911ad2eba70 2256 liblwp-protocol-https-perl_6.04-3.dsc
d405b8836241be9e30b8bb91384c798d5d78b426352c5d8ec71a77ed507de363 7320 liblwp-protocol-https-perl_6.04-3.debian.tar.xz
40e5bdaee6a354b7103dbb26eaa9dc5fd518537e701b99866d34ea098540e01e 8274 liblwp-protocol-https-perl_6.04-3_all.deb
Files:
1e4e0d480936b3f31d2a73a70335ff6d 8274 perl optional liblwp-protocol-https-perl_6.04-3_all.deb
ff0ea6f73469c69fc92edca6fe4aaa5c 2256 perl optional liblwp-protocol-https-perl_6.04-3.dsc
6b4c3d272aae4de0f6d6ed5f2ec420dc 7320 perl optional liblwp-protocol-https-perl_6.04-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
Merged 735422 746579
Request was from Vincent Lefevre <vincent@vinc17.net>
to 735422-submit@bugs.debian.org.
(Wed, 14 May 2014 07:54:12 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 16 Jun 2014 07:27:12 GMT)