Posted on 2007-06-12 14:16:43-07 by christopherodenbach
Checking of hostname missing

Hi,

I recently discovered that IO::Socket::SSL does not verify the hostname in the certificate against the one it connects to.

I found out about this when fiddling with Net::LDAP. Even with 'verify=require' the hostname was not checked (the certificate was of course).

Now it is of course possible to make Net::LDAP check the hostname itself (after having IO::Socket::SSL check the certificate), but that is quite a long and difficult task: there are certificates with wildcards, with IP addresses, with subjectAltNames and so on. I have nearly done it now for Net::LDAP, but there are plenty of other perl modules which use IO::Socket::SSL which all would need the hostname checking implemented.

Wouldn't it make more sense to put the necessary code into IO::Socket::SSL itself?

Cheers,

Christopher
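
The matching rules Christopher describes as long and difficult (wildcards, IP addresses, subjectAltNames), worked through in a small stand-alone Perl script. This is an added illustration for the thread, not code from IO::Socket::SSL or Net::LDAP; the certificate fields are supplied as a plain hash of constructed sample data rather than read from a real X.509 certificate, and the rules follow RFC 2818 / RFC 6125: dNSName SANs take precedence over the CN, a wildcard may only be the whole left-most label and covers exactly one label, and IP literals are matched only against iPAddress SANs.

```perl
#!/usr/bin/perl
# Hostname-vs-certificate matching in the style of RFC 2818 / RFC 6125.
# Added illustration only; not the code of IO::Socket::SSL or Net::LDAP.
use strict;
use warnings;

# A certificate is represented as a hash of the fields that matter for the
# check (constructed sample data; a real program would extract these from the
# X.509 certificate, e.g. via Net::SSLeay or IO::Socket::SSL->peer_certificate):
#   cn       - subject commonName
#   dns_san  - subjectAltName dNSName entries
#   ip_san   - subjectAltName iPAddress entries (dotted-quad strings)

# Match one DNS-style name from the certificate against the target host.
# A single '*' is allowed only as the whole left-most label and matches exactly
# one label: *.example.com matches a.example.com, but neither example.com nor
# a.b.example.com. Comparison is case-insensitive.
sub dns_name_matches {
    my ($pattern, $host) = @_;
    $pattern = lc $pattern;
    $host    = lc $host;
    $pattern =~ s/\.\z//;    # tolerate a trailing dot
    $host    =~ s/\.\z//;
    return 1 if $pattern eq $host;

    my @p = split /\./, $pattern, -1;
    my @h = split /\./, $host,    -1;
    return 0 unless @p == @h && @p >= 3;    # same label count; no wildcard on a bare TLD
    return 0 unless $p[0] eq '*';           # only a whole leading label may be a wildcard
    return 0 if grep { /\*/ } @p[ 1 .. $#p ];   # no other wildcards anywhere
    for my $i ( 1 .. $#p ) {
        return 0 unless $p[$i] eq $h[$i];
    }
    return 1;
}

# Is the target an IPv4 literal? (IPv6 is omitted to keep the example short;
# a real check must handle it as well.)
sub is_ipv4 {
    my ($s) = @_;
    return 0 unless $s =~ /\A(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/;
    my @oct = ( $1, $2, $3, $4 );
    return ( grep { $_ > 255 } @oct ) ? 0 : 1;
}

sub verify_hostname {
    my ( $cert, $host ) = @_;

    if ( is_ipv4($host) ) {
        # An IP literal must appear as an iPAddress subjectAltName; the CN and
        # dNSName entries are not consulted for IP targets.
        return ( grep { $_ eq $host } @{ $cert->{ip_san} || [] } ) ? 1 : 0;
    }

    my @dns = @{ $cert->{dns_san} || [] };
    if (@dns) {
        # When dNSName SANs are present they are authoritative; the CN is
        # ignored even if it would have matched (RFC 6125 section 6.4.4).
        return ( grep { dns_name_matches( $_, $host ) } @dns ) ? 1 : 0;
    }

    # Legacy fallback: no dNSName SANs, so compare against the subject CN.
    return dns_name_matches( $cert->{cn}, $host ) if defined $cert->{cn};
    return 0;
}

# Constructed sample certificates (not real ones).
my %wildcard_cert = (
    cn      => '*.example.com',
    dns_san => [ '*.example.com', 'example.com' ],
    ip_san  => ['192.0.2.10'],
);
my %cn_only_cert = ( cn => 'ldap.example.org' );    # old-style cert, no SAN

my @cases = (
    [ \%wildcard_cert, 'ldap.example.com', 1 ],    # wildcard covers one label
    [ \%wildcard_cert, 'LDAP.EXAMPLE.COM', 1 ],    # case-insensitive
    [ \%wildcard_cert, 'example.com',      1 ],    # matched by the bare SAN, not the wildcard
    [ \%wildcard_cert, 'a.b.example.com',  0 ],    # wildcard covers exactly one label
    [ \%wildcard_cert, 'example.net',      0 ],
    [ \%wildcard_cert, '192.0.2.10',       1 ],    # IP literal via iPAddress SAN
    [ \%wildcard_cert, '192.0.2.11',       0 ],
    [ \%cn_only_cert,  'ldap.example.org', 1 ],    # CN fallback when no SAN present
    [ \%cn_only_cert,  'ldap.example.com', 0 ],
);

for my $c (@cases) {
    my ( $cert, $host, $want ) = @$c;
    my $got = verify_hostname( $cert, $host );
    printf "%-18s %s\n", $host,
        $got == $want ? 'ok (' . ( $got ? 'match' : 'no match' ) . ')' : 'UNEXPECTED';
}
```

Run it with `perl verify_hostname.pl`; every case should print `ok`. IPv6 literals and name constraints are left out to keep it short. Later releases of IO::Socket::SSL did add this check natively through the SSL_verifycn_scheme and SSL_verifycn_name options (and a verify_hostname method), which is the preferable route for any module built on top of it rather than re-implementing the rules as above.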
