From 67de137e737e4fa92d0cb746bdc8474d7bb5e000 Mon Sep 17 00:00:00 2001 From: Kent Fredric Date: Tue, 21 Mar 2017 10:11:32 +1300 Subject: Use SSL_verifycn_scheme instead of disabling SSL_verify_mode Re: CVE-2014-3230 Redhat Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1094440 Combines: https://bugzilla.redhat.com/attachment.cgi?id=894747 https://bugzilla.redhat.com/attachment.cgi?id=894748
---
 lib/LWP/Protocol/https.pm | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
index f8ab398..ba69966 100644
--- a/lib/LWP/Protocol/https.pm
+++ b/lib/LWP/Protocol/https.pm
@@ -21,7 +21,12 @@ sub _extra_sock_opts
 $ssl_opts{SSL_verifycn_scheme} = 'www';
 }
 else {
- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ }
+ else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }
 }
 if ($ssl_opts{SSL_verify_mode}) {
 unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
--
2.12.0
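Review bot: With the `$ssl_opts{SSL_verify_mode} = 0;` assignment gone, the else branch leaves `SSL_verify_mode` unset, so the `if ($ssl_opts{SSL_verify_mode})` guard directly below is false unless the caller supplied a mode, and the default-CA setup inside it is skipped. Whether the certificate chain is then verified, and against which CA store, depends on the socket class's own defaults, which this hunk does not show. If the intent is to keep chain verification and drop only the hostname match, make that explicit at the top of the else branch, for example `$ssl_opts{SSL_verify_mode} = 1 unless defined $ssl_opts{SSL_verify_mode};`. A comment such as `# hostname check disabled only; the certificate chain is still verified (CVE-2014-3230)` would also stop a later reader from restoring the old line. `_extra_sock_opts` starts and ends outside the hunk.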