X-Git-Url: https://sipb.mit.edu/gitweb.cgi/ikiwiki.git/blobdiff_plain/697c54acc5e5fe1b31b3a1ee43f7de656127d4ed..6695a710b6c86ef353e04d8cd33598290a0fe056:/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn diff --git a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn index 75cfe05e0..04ece0ae8 100644 --- a/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn +++ b/doc/bugs/ssl_certificates_not_checked_with_openid.mdwn @@ -65,7 +65,7 @@ significantly harder than the network based attacks." With regards to implementation, I am surprised that the libraries don't seem to do this checking, already, and by default. Unfortunately, I am not sure how to test -this adequately, see . -- Brian May +this adequately, see [[!debbug 466055]]. -- Brian May --- @@ -73,40 +73,13 @@ I think [[!cpan Crypt::SSLeay]] already supports checking the certificate. The t is to get [[!cpan LWP::UserAgent]], which is used by [[!cpan LWPx::ParanoidAgent]] to enable this checking. -I think the trick is to set on of the the following environment variables before retrieving +I think the trick is to set one of the the following environment variables before retrieving the data: -$ENV{HTTPS_CA_DIR} = "/etc/ssl/certs/"; -$ENV{HTTPS_CA_FILE} = "/etc/ssl/certs/file.pem"; +$ENV{HTTPS\_CA\_DIR} = "/etc/ssl/certs/"; +$ENV{HTTPS\_CA\_FILE} = "/etc/ssl/certs/file.pem"; -Unfortunately I get weird results if the certificate verification fails, tshark shows the following communications with my proxy server: - -HTTP CONNECT db.debian.org:443 HTTP/1.0 - -HTTP CONNECT proxy.pri:3128 HTTP/1.0 -HTTP HTTP/1.0 403 Forbidden (text/html) - -Why it is trying to connect to the proxy server via the proxy server is beyond me. This only happens if the certificate verification fails (I think). I will continue investigating. My test code is: - - -#!/usr/bin/perl -w -use strict; -#require LWPx::ParanoidAgent; -#my $ua = LWPx::ParanoidAgent->new; - -require LWP::UserAgent; -my $ua = LWP::UserAgent->new; - -$ua->proxy(['http'], 'http://proxy.pri:3128'); -$ENV{HTTPS_PROXY} = "http://proxy.pri:3128"; -$ENV{HTTPS_CA_DIR} = "/etc/ssl/certs/"; - - -my $response = $ua->get("https://db.debian.org/"); - -if ($response->is_success) { - print $response->content; # or whatever -} else { - die $response->status_line; -} +Unfortunately I get weird results if the certificate verification fails, see [[!debbug 503440]]. +It still seems to work though, regardless. +-- Brian May