如何让LWP验证SSL服务器证书? [英] How can I get LWP to validate SSL server certificates?
问题描述
如何获取 LWP 以验证我正在连接的服务器的证书是由受信任的机构签署并发给正确的主机?据我所知,它甚至没有检查证书声称是否为我正在连接的主机名。这似乎是一个主要的安全漏洞(特别是最近的DNS漏洞)。
How can I get LWP to verify that the certificate of the server I'm connecting to is signed by a trusted authority and issued to the correct host? As far as I can tell, it doesn't even check that the certificate claims to be for the hostname I'm connecting to. That seems like a major security hole (especially with the recent DNS vulnerabilities).
更新:事实证明我真正想要的是 HTTPS_CA_DIR
,因为我没有ca-bundle.crt。但是 HTTPS_CA_DIR = / usr / share / ca-certificates /
就可以了。无论如何,我将答案标记为已接受,因为它足够接近。
Update: It turns out what I really wanted was HTTPS_CA_DIR
, because I don't have a ca-bundle.crt. But HTTPS_CA_DIR=/usr/share/ca-certificates/
did the trick. I'm marking the answer as accepted anyway, because it was close enough.
更新2:结果是 HTTPS_CA_DIR
和 HTTPS_CA_FILE
仅在您使用Net :: SSL作为基础SSL库时才适用。但LWP也适用于IO :: Socket :: SSL,它将忽略这些环境变量并愉快地与任何服务器通信,无论它呈现什么证书。是否有更通用的解决方案?
Update 2: It turns out that HTTPS_CA_DIR
and HTTPS_CA_FILE
only apply if you're using Net::SSL as the underlying SSL library. But LWP also works with IO::Socket::SSL, which will ignore those environment variables and happily talk to any server, no matter what certificate it presents. Is there a more general solution?
更新3:不幸的是,解决方案仍未完成。 Net :: SSL和IO :: Socket :: SSL都没有根据证书检查主机名。这意味着某人可以获得某个域的合法证书,然后在没有LWP抱怨的情况下冒充任何其他域。
Update 3: Unfortunately, the solution still isn't complete. Neither Net::SSL nor IO::Socket::SSL is checking the host name against the certificate. This means that someone can get a legitimate certificate for some domain, and then impersonate any other domain without LWP complaining.
更新4: LWP 6.00 终于解决了这个问题。有关详细信息,请参阅我的回答。
Update 4: LWP 6.00 finally solves the problem. See my answer for details.
推荐答案
这个长期存在的安全漏洞终于在 libwww-perl 。从该版本开始,默认情况下 LWP :: UserAgent 验证HTTPS服务器是否提供有效证书匹配预期的主机名(除非 $ ENV {PERL_LWP_SSL_VERIFY_HOSTNAME}
设置为false值,或者为了向后兼容,如果该变量未设置,则 $ ENV {HTTPS_CA_FILE}
或 $ ENV {HTTPS_CA_DIR}
已设置)。
This long-standing security hole has finally been fixed in version 6.00 of libwww-perl. Starting with that version, by default LWP::UserAgent verifies that HTTPS servers present a valid certificate matching the expected hostname (unless $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}
is set to a false value or, for backwards compatibility if that variable is not set at all, either $ENV{HTTPS_CA_FILE}
or $ENV{HTTPS_CA_DIR}
is set).
这可以通过LWP :: UserAgent的新 ssl_opts 选项进行控制。有关证书颁发机构证书的位置详细信息,请参阅该链接。但要小心,LWP :: UserAgent以前的工作方式,如果你给构造函数提供 ssl_opts
哈希,那么 verify_hostname
默认为0 而不是1.(此错误已在LWP 6.03中修复。)为安全起见,请始终指定 verify_hostname => 1
在您的 ssl_opts
中。
This can be controlled by the new ssl_opts option of LWP::UserAgent. See that link for details on how the Certificate Authority certificates are located. But be careful, the way LWP::UserAgent used to work, if you provide a ssl_opts
hash to the constructor, then verify_hostname
defaulted to 0 instead of 1. (This bug was fixed in LWP 6.03.) To be safe, always specify verify_hostname => 1
in your ssl_opts
.
所以使用LWP: :UserAgent 6;
应足以验证服务器证书。
So use LWP::UserAgent 6;
should be sufficient to have server certificates validated.
这篇关于如何让LWP验证SSL服务器证书?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!