Commit ed42d535 authored by IKEDA Soji's avatar IKEDA Soji

[bug] If "cafile" and/or "capath" configuration parameters were not set, undef...

[bug] If "cafile" and/or "capath" configuration parameters were not set, undef was passed to IO::Socket::SSL, and therefore system defaults were disabled.
Fixed by not passing undef when these parameters are not set so that system defaults will be used.
parent 7df43edf
......@@ -825,20 +825,20 @@ sub checkfiles {
}
}
## Check cafile and capath access
if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
$log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
$config_err++;
}
}
if (defined $Conf{'capath'} && $Conf{'capath'}) {
unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
$log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
$config_err++;
}
}
### Check cafile and capath access
#if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
# unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
# $log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
# $config_err++;
# }
#}
#if (defined $Conf{'capath'} && $Conf{'capath'}) {
# unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
# $log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
# $config_err++;
# }
#}
# Check if directory parameters point to the same directory.
my @keys = qw(bounce_path etc home
......@@ -1907,11 +1907,11 @@ sub _infer_server_specific_parameter_values {
$param->{'config_hash'}{'robot_name'} = '';
unless ((defined $param->{'config_hash'}{'cafile'})
|| (defined $param->{'config_hash'}{'capath'})) {
$param->{'config_hash'}{'cafile'} =
Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
}
#unless (defined $param->{'config_hash'}{'cafile'}
# or defined $param->{'config_hash'}{'capath'}) {
# $param->{'config_hash'}{'cafile'} =
# Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
#}
unless (
Sympa::Tools::Data::smart_eq(
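Review bot: The checkfiles guard commented out in the first hunk (lines 12-24) only ran for values that were defined and non-empty, so it was not the source of the undef this commit fixes, and dropping it removes early detection of a configured-but-unreadable cafile or capath, which will then likely surface only when a TLS connection is attempted. I would keep that check live and remove only the ca-bundle.crt defaulting in the second hunk, which is the part that actually forced a path onto IO::Socket::SSL. In both hunks the old code is left behind as comments; version control already records it, so deleting it keeps checkfiles and _infer_server_specific_parameter_values readable. Both functions continue outside the hunks.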
......@@ -87,13 +87,19 @@ sub _connect {
# However, recent releases won't: They simply deny connection.
# As a workaround, make ca_file or ca_path parameter mandatory unless
# "none" is explicitly assigned to ca_verify parameter.
unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
unless ($self->{ca_file} or $self->{ca_path}) {
$log->syslog('err',
'Neither ca_file nor ca_path parameter is specified');
return undef;
}
}
#
# Update on 6.2.23b.2: If CAfile or CApath is not specified, system
# default will be used, but if undef was specified, system default
# would be disabled. Now undef won't be specified and the check below
# is useless.
#unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
# unless ($self->{ca_file} or $self->{ca_path}) {
# $log->syslog('err',
# 'Neither ca_file nor ca_path parameter is specified');
# return undef;
# }
#}
}
# new() with multiple alternate hosts needs perl-ldap >= 0.27.
......@@ -105,8 +111,8 @@ sub _connect {
: ($self->{ca_verify} eq 'required') ? 'require'
: $self->{ca_verify}
),
capath => $self->{'ca_path'},
cafile => $self->{'ca_file'},
($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
sslversion => $self->{'ssl_version'},
ciphers => $self->{'ssl_ciphers'},
clientcert => $self->{'ssl_cert'},
......@@ -132,8 +138,8 @@ sub _connect {
: ($self->{ca_verify} eq 'required') ? 'require'
: $self->{ca_verify}
),
capath => $self->{'ca_path'},
cafile => $self->{'ca_file'},
($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
sslversion => $self->{'ssl_version'},
ciphers => $self->{'ssl_ciphers'},
clientcert => $self->{'ssl_cert'},
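Review bot: The TLS option list is now duplicated verbatim at lines 86-87 and 97-98 (the calls enclosing both lists begin outside the hunks), so the capath/cafile defaulting rule lives in two places and a future change is likely to fix one and miss the other; a private helper that returns that option list would keep the rule in one place. The block at lines 66-77 keeps the old mandatory-CA check as commented-out code under a dated note; the explanatory sentence is worth keeping as a comment, but the dead code should be deleted since the history records it. Note also that with the guard gone, `ca_verify` set to 'required' with neither ca_file nor ca_path configured now depends on IO::Socket::SSL locating a system trust store; whether that holds on the target platforms is not visible here and is worth confirming.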
......@@ -26,12 +26,14 @@ package Sympa::Fetch;
use strict;
use warnings;
BEGIN { eval 'use IO::Socket::SSL'; }
BEGIN { eval 'use LWP::UserAgent'; }
use Sympa::Log;
my $log = Sympa::Log->instance;
# request a document using https, return status and content
# Requests a document using https, returns status and content.
sub get_https {
$log->syslog('debug2', '(%s, %s, %s, %s, %s, %s)', @_);
my $host = shift;
......@@ -45,28 +47,25 @@ sub get_https {
my $trusted_ca_file = $ssl_data->{'cafile'};
my $trusted_ca_path = $ssl_data->{'capath'};
unless (-r ($trusted_ca_file) || (-d $trusted_ca_path)) {
$log->syslog('err',
"error : incorrect access to cafile $trusted_ca_file bor capath $trusted_ca_path"
);
return undef;
}
#unless (-r $trusted_ca_file or -d $trusted_ca_path) {
# $log->syslog('err', 'Incorrect access to cafile %s or capath %s',
# $trusted_ca_file, $trusted_ca_path);
# return undef;
#}
unless (eval "require IO::Socket::SSL") {
unless ($IO::Socket::SSL::VERSION) {
$log->syslog('err',
"Unable to use SSL library, IO::Socket::SSL required, install IO-Socket-SSL (CPAN) first"
'Unable to use SSL library, IO::Socket::SSL required, install it first'
);
return undef;
}
require IO::Socket::SSL;
unless (eval "require LWP::UserAgent") {
unless ($LWP::UserAgent::VERSION) {
$log->syslog('err',
"Unable to use LWP library, LWP::UserAgent required, install LWP (CPAN) first"
'Unable to use LWP library, LWP::UserAgent required, install it first'
);
return undef;
}
require LWP::UserAgent;
my $ssl_socket;
......@@ -76,12 +75,12 @@ sub get_https {
SSL_cert_file => $client_cert,
SSL_key_file => $client_key,
SSL_passwd_cb => sub { return ($key_passwd) },
SSL_ca_file => $trusted_ca_file,
SSL_ca_path => $trusted_ca_path,
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => '5'
($trusted_ca_file ? (SSL_ca_file => $trusted_ca_file) : ()),
($trusted_ca_path ? (SSL_ca_path => $trusted_ca_path) : ()),
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => '5'
);
unless ($ssl_socket) {
......@@ -121,7 +120,8 @@ sub get_https {
return (@result);
}
# request a document using https, return status and content
# Requests a document using https, returns status and content.
# NEVER USED.
sub get_https2 {
my $host = shift;
my $port = shift;
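Review bot: With the -r/-d guard at lines 118-123 commented out, get_https now proceeds when neither cafile nor capath is configured and the constructor at lines 149-163 omits SSL_ca_file/SSL_ca_path so IO::Socket::SSL's default store applies; the constructor's earlier arguments (including any SSL_verify_mode) are outside the hunk, so it is worth confirming that peer verification is still enforced on that default path rather than silently relaxed. A why-comment on the two new lines would stop the next reader from "fixing" them back: `# Omit SSL_ca_file/SSL_ca_path when unset; passing undef disables IO::Socket::SSL's system default store.` The commented-out guard at lines 124-128 can be deleted outright. In the last hunk, if get_https2 is really unused, removing the sub is preferable to labelling it `# NEVER USED.`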
......@@ -1135,8 +1135,8 @@ sub check_smime_signature {
# First step is to check if message signing is OK.
my $smime = Crypt::SMIME->new;
eval { # Crypt::SMIME >= 0.15 is required.
$smime->setPublicKeyStore(grep { defined $_ }
($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
$smime->setPublicKeyStore(grep { defined $_ and length $_ }
($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
};
unless (eval { $smime->check($self->as_string) }) {
$log->syslog('err', '%s: Unable to verify S/MIME signature: %s',
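Review bot: When both cafile and capath are unset or empty, the grep at line 182 yields an empty list and setPublicKeyStore is called with no arguments; whether Crypt::SMIME then falls back to OpenSSL's default trust store or leaves check() with nothing to verify against is not visible here and should be confirmed against the Crypt::SMIME version in use (the eval at line 179 notes >= 0.15). If an empty call is not a supported fallback, the system default needs to be selected explicitly rather than implied by an empty list. check_smime_signature continues outside the hunk.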
......@@ -334,33 +334,19 @@ sub GetLdapParameter {
sub initialize_ldap {
if ($ldap_ssl eq '1') {
if ($ldap_cachain) {
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => 'require',
sslversion => $ldap_ssl_version,
cafile => $ldap_cachain
)
) {
print STDERR
"Can't connect to LDAP server using SSL or unable to verify Server certificate for $ldap_host: $EVAL_ERROR\n";
return 0;
}
} else {
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => 'none',
sslversion => $ldap_ssl_version
)
) {
print STDERR
"Can't connect to LDAP server using SSL for $ldap_host: $EVAL_ERROR\n";
return 0;
}
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => ($ldap_cachain ? 'require' : 'none'),
sslversion => $ldap_ssl_version,
($ldap_cachain ? (cafile => $ldap_cachain) : ())
)
) {
printf STDERR
"Can't connect to LDAP server using SSL or unable to verify Server certificate for %s: %s\n",
$ldap_host, $EVAL_ERROR;
return 0;
}
} else {
unless ($ldap_connection = Net::LDAP->new($ldap_host, version => 3)) {
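Review bot: `verify => ($ldap_cachain ? 'require' : 'none')` at line 222 still disables server certificate verification whenever no CA chain is configured; that is the pre-existing behaviour of the old else-branch, but it runs against this commit's own approach elsewhere of omitting cafile and letting the system trust store be used. `verify => 'require',` together with the existing conditional `cafile` line would give this script the same verification-on-default-store behaviour. If 'none' is intentional here, a comment saying why is needed. The merged message at line 228 now claims "unable to verify Server certificate" even when verify is 'none', where the old code printed a plain connection failure; consider selecting the message by `$ldap_cachain`. initialize_ldap continues outside the hunk.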