File: Set_SSL_verifycn_name_parameter_to_fix_hostname_verification.patch

libxml-stream-perl 1.24-4+deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 952 kB
  • sloc: perl: 4,821; xml: 64; makefile: 4
From 7d3de1e8afe7eb46d7bda336fb1f54d3b75f4e6d Mon Sep 17 00:00:00 2001
From: Manfred Stock <m-cpan@nfred.ch>
Date: Fri, 16 Feb 2024 10:45:43 +0100
Subject: [PATCH] Set SSL_verifycn_name parameter to fix hostname verification

IO-Socket-SSL 2.078 reverted a "decision from 2014 to not verify
hostname by default if hostname is IP address but no explicit
verification scheme given" [1]. Since start_SSL uses SSL_verifycn_name
or SSL_hostname when verifying the hostname and falls back to the IP
address of the peer if neither of them is set, the hostname
verification failed with newer versions of IO-Socket-SSL even if the
certificate presented by the peer was valid.

Passing SSL_verifycn_name to start_SSL fixes this issue. The logic to
determine the parameter value is based on my current understanding of
[2] and thus uses the same logic that is also used in OpenStream to
determine the 'to' address in the initial stream header.

[1]: https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0
[2]: https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1

Bug: https://github.com/dap/XML-Stream/pull/28
Bug-Debian: https://bugs.debian.org/1064058

---
 lib/XML/Stream.pm |  3 +++
 t/tcpip2ssl.t     | 21 +++++++++++++++++----
 2 files changed, 20 insertions(+), 4 deletions(-)

--- a/lib/XML/Stream.pm
+++ b/lib/XML/Stream.pm
@@ -632,6 +632,9 @@
     {
         my %ssl_params = (
             SSL_verify_mode => $self->{SIDS}->{newconnection}->{ssl_verify},
+            SSL_verifycn_name => $self->{SIDS}->{newconnection}->{to}
+                ? $self->{SIDS}->{newconnection}->{to}
+                : $self->{SIDS}->{newconnection}->{hostname},
         );
 
         if ( 0x00 != $self->{SIDS}->{newconnection}->{ssl_verify} )
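Review bot: the new SSL_verifycn_name entry is added to the lexical `%ssl_params`, but the tests in t/tcpip2ssl.t read it back from `$stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name}`; the lines shown here do not store the hash there, so please confirm the surrounding code (outside this hunk) copies `%ssl_params` into the SIDS entry, otherwise both new assertions compare against undef. As a style point, the three-line ternary on `{to}` can be written with the defined-or operator, `$self->{SIDS}->{newconnection}->{to} // $self->{SIDS}->{newconnection}->{hostname}`, which also avoids treating a falsy but defined `to` value as absent. Note that SSL_verifycn_name only has an effect when SSL_verify_mode is non-zero, so with `ssl_verify => 0x00` the peer name is recorded but not checked.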
--- a/t/tcpip2ssl.t
+++ b/t/tcpip2ssl.t
@@ -1,13 +1,13 @@
 use strict;
 use warnings;
 
-use Test::More tests=>3;
+use Test::More tests=>5;
 
 SKIP:
 {
     eval("use IO::Socket::SSL 0.81;");
-    skip "IO::Socket::SSL not installed", 2 if $@;
-    skip "No network communication allowed", 2 if ($ENV{NO_NETWORK});
+    skip "IO::Socket::SSL not installed", 4 if $@;
+    skip "No network communication allowed", 4 if ($ENV{NO_NETWORK});
 
     BEGIN{ use_ok( "XML::Stream","Tree", "Node" ); }
 
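Review bot: the plan bump from 3 to 5 and the skip counts from 2 to 4 are consistent with the two `is()` calls added below (the `use_ok` inside `BEGIN` runs at compile time and is not covered by the skips), but the same count is now hard-coded in three places and must be kept in sync by hand on every test added; switching the file to `done_testing()` with `plan skip_all` for the no-network and no-IO::Socket::SSL cases would remove that maintenance burden.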
@@ -28,9 +28,22 @@
                                       ssl=>1,
                                       ssl_verify=>0x00,
                                       timeout=>10);
+        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
+            'jabber.org', 'SSL_verifycn_name set' );
 
-        skip "Cannot create initial socket", 1 unless $stream;
+        skip "Cannot create initial socket", 2 unless $stream;
         
         ok( $stream, "converted" );
+
+        $stream->Connect(hostname=>"jabber.org",
+                         to=>'example.com',
+                         port=>5223,
+                         namespace=>"jabber:client",
+                         connectiontype=>"tcpip",
+                         ssl=>1,
+                         ssl_verify=>0x00,
+                         timeout=>10);
+        is( $stream->{SIDS}->{newconnection}->{ssl_params}->{SSL_verifycn_name},
+            'example.com', 'SSL_verifycn_name set to "to" value' );
     }
 }
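Review bot: the first new `is()` on `SSL_verifycn_name` runs before `skip "Cannot create initial socket", 2 unless $stream;`, so when the initial connection to jabber.org cannot be made (the common case on a build host without network access that has not set NO_NETWORK) the assertion fails on an undef value instead of being skipped; move it below the `skip` line and raise that skip count to 3. The second `Connect` on the same `$stream` with `to=>'example.com'` has no guard of its own either, and the `is()` after it will report a hard failure rather than a skip if that connection fails. Finally, both calls pass `ssl_verify=>0x00`, so these tests check only that the parameter is populated from `to` or `hostname`; they do not exercise the actual hostname verification the commit message says was broken, which would need a run with a non-zero verify mode against a peer whose certificate matches the chosen name.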