From e1ca8defeff496000fc96600ebfca7250065c1f1 Mon Sep 17 00:00:00 2001 From: Stig Palmquist Date: Thu, 29 Jun 2023 14:36:05 +0000 Subject: [PATCH] Change verify_SSL default to 1, add ENV var to enable insecure default - Changes the `verify_SSL` default parameter from `0` to `1` Based on patch by Dominic Hargreaves: https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 Fixes CVE-2023-31486 - Add check for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` that enables the previous insecure default behaviour if set to `1`. This provides a workaround for users who encounter problems with the new `verify_SSL` default. Example to disable certificate checks: ``` $ PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 ./script.pl ``` - Updates to documentation: - Describe changing the verify_SSL value - Describe the escape-hatch environment variable - Remove rationale for not enabling verify_SSL - Add missing certificate search paths - Replace "SSL" with "TLS/SSL" where appropriate - Use "machine-in-the-middle" instead of "man-in-the-middle" Upstream-Status: Backport [https://github.com/chansen/p5-http-tiny/commit/77f557ef84698efeb6eed04e4a9704eaf85b741d] Signed-off-by: Soumya --- cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | 86 ++++++++++++++++++++++----------- 1 file changed, 57 insertions(+), 29 deletions(-) diff --git a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm index 83ca06d..5f6ced8 100644 --- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm +++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm @@ -40,10 +40,14 @@ sub _croak { require Carp; Carp::croak(@_) } #pod * C — Request timeout in seconds (default is 60) If a socket open, #pod read or write takes longer than the timeout, the request response status code #pod will be 599. -#pod * C — A boolean that indicates whether to validate the SSL -#pod certificate of an C — connection (default is false) +#pod * C — A boolean that indicates whether to validate the TLS/SSL +#pod certificate of an C — connection (default is true). Changed from false +#pod to true in version 0.083. #pod * C — A hashref of C — options to pass through to #pod L +#pod * C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> - Changes the default +#pod certificate verification behavior to not check server identity if set to 1. +#pod Only effective if C is not set. Added in version 0.083. #pod #pod An accessor/mutator method exists for each attribute. #pod @@ -111,11 +115,17 @@ sub timeout { sub new { my($class, %args) = @_; + # Support lower case verify_ssl argument, but only if verify_SSL is not + # true. + if ( exists $args{verify_ssl} ) { + $args{verify_SSL} ||= $args{verify_ssl}; + } + my $self = { max_redirect => 5, timeout => defined $args{timeout} ? $args{timeout} : 60, keep_alive => 1, - verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default + verify_SSL => defined $args{verify_SSL} ? $args{verify_SSL} : _verify_SSL_default(), no_proxy => $ENV{no_proxy}, }; @@ -134,6 +144,13 @@ sub new { return $self; } +sub _verify_SSL_default { + my ($self) = @_; + # Check if insecure default certificate verification behaviour has been + # changed by the user by setting PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1 + return (($ENV{PERL_HTTP_TINY_INSECURE_BY_DEFAULT} || '') eq '1') ? 0 : 1; +} + sub _set_proxies { my ($self) = @_; @@ -1055,7 +1072,7 @@ sub new { timeout => 60, max_line_size => 16384, max_header_lines => 64, - verify_SSL => 0, + verify_SSL => HTTP::Tiny::_verify_SSL_default(), SSL_options => {}, %args }, $class; @@ -2043,11 +2060,11 @@ proxy timeout verify_SSL -=head1 SSL SUPPORT +=head1 TLS/SSL SUPPORT Direct C connections are supported only if L 1.56 or greater and L 1.49 or greater are installed. An error will occur -if new enough versions of these modules are not installed or if the SSL +if new enough versions of these modules are not installed or if the TLS encryption fails. You can also use C utility function that returns boolean to see if the required modules are installed. @@ -2055,7 +2072,7 @@ An C connection may be made via an C proxy that supports the CONNEC command (i.e. RFC 2817). You may not proxy C via a proxy that itself requires C to communicate. -SSL provides two distinct capabilities: +TLS/SSL provides two distinct capabilities: =over 4 @@ -2069,24 +2086,17 @@ Verification of server identity =back -B. - -Server identity verification is controversial and potentially tricky because it -depends on a (usually paid) third-party Certificate Authority (CA) trust model -to validate a certificate as legitimate. This discriminates against servers -with self-signed certificates or certificates signed by free, community-driven -CA's such as L. +B. -By default, HTTP::Tiny does not make any assumptions about your trust model, -threat level or risk tolerance. It just aims to give you an encrypted channel -when you need one. +This was changed in version 0.083 due to security concerns. The previous default +behavior can be enabled by setting C<$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}> +to 1. -Setting the C attribute to a true value will make HTTP::Tiny verify -that an SSL connection has a valid SSL certificate corresponding to the host -name of the connection and that the SSL certificate has been verified by a CA. -Assuming you trust the CA, this will protect against a L. If you are -concerned about security, you should enable this option. +Verification is done by checking that that the TLS/SSL connection has a valid +certificate corresponding to the host name of the connection and that the +certificate has been verified by a CA. Assuming you trust the CA, this will +protect against L. Certificate verification requires a file containing trusted CA certificates. @@ -2094,9 +2104,7 @@ If the environment variable C is present, HTTP::Tiny will try to find a CA certificate file in that location. If the L module is installed, HTTP::Tiny will use the CA file -included with it as a source of trusted CA's. (This means you trust Mozilla, -the author of Mozilla::CA, the CPAN mirror where you got Mozilla::CA, the -toolchain used to install it, and your operating system security, right?) +included with it as a source of trusted CA's. If that module is not available, then HTTP::Tiny will search several system-specific default locations for a CA certificate file: @@ -2115,13 +2123,33 @@ system-specific default locations for a CA certificate file: /etc/ssl/ca-bundle.pem +=item * + +/etc/openssl/certs/ca-certificates.crt + +=item * + +/etc/ssl/cert.pem + +=item * + +/usr/local/share/certs/ca-root-nss.crt + +=item * + +/etc/pki/tls/cacert.pem + +=item * + +/etc/certs/ca-certificates.crt + =back An error will be occur if C is true and no CA certificate file is available. -If you desire complete control over SSL connections, the C attribute -lets you provide a hash reference that will be passed through to +If you desire complete control over TLS/SSL connections, the C +attribute lets you provide a hash reference that will be passed through to C, overriding any options set by HTTP::Tiny. For example, to provide your own trusted CA file: @@ -2131,7 +2159,7 @@ example, to provide your own trusted CA file: The C attribute could also be used for such things as providing a client certificate for authentication to a server or controlling the choice of -cipher used for the SSL connection. See L documentation for +cipher used for the TLS/SSL connection. See L documentation for details. =head1 PROXY SUPPORT -- 2.40.0