Skip to content
GitLab
Commit ed42d535 authored by IKEDA Soji's avatar IKEDA Soji
Browse files

[bug] If "cafile" and/or "capath" configuration parameters were not set, undef... 

[bug] If "cafile" and/or "capath" configuration parameters were not set, undef were passed to IO::Socket::SSL, and therefore system defaults were disabled.
Fixed by not passing undef when these parameters are not set so that system defaults will be used.
parent 7df43edf
Hide whitespace changes
Inline Side-by-side
src/lib/Conf.pm
View file @ ed42d535
......@@ -825,20 +825,20 @@ sub checkfiles {
}
}
## Check cafile and capath access
if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
$log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
$config_err++;
}
}
if (defined $Conf{'capath'} && $Conf{'capath'}) {
unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
$log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
$config_err++;
}
}
### Check cafile and capath access
#if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
# unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
# $log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
# $config_err++;
# }
#}
#if (defined $Conf{'capath'} && $Conf{'capath'}) {
# unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
# $log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
# $config_err++;
# }
#}
# Check if directory parameters point to the same directory.
my @keys = qw(bounce_path etc home
......@@ -1907,11 +1907,11 @@ sub _infer_server_specific_parameter_values {
$param->{'config_hash'}{'robot_name'} = '';
unless ((defined $param->{'config_hash'}{'cafile'})
|| (defined $param->{'config_hash'}{'capath'})) {
$param->{'config_hash'}{'cafile'} =
Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
}
#unless (defined $param->{'config_hash'}{'cafile'}
# or defined $param->{'config_hash'}{'capath'}) {
# $param->{'config_hash'}{'cafile'} =
# Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
#}
unless (
Sympa::Tools::Data::smart_eq(
......
src/lib/Sympa/DatabaseDriver/LDAP.pm
View file @ ed42d535
......@@ -87,13 +87,19 @@ sub _connect {
# However, recent releases won't: They simply deny connection.
# As a workaround, make ca_file or ca_path parameter mandatory unless
# "none" is explicitly assigned to ca_verify parameter.
unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
unless ($self->{ca_file} or $self->{ca_path}) {
$log->syslog('err',
'Neither ca_file nor ca_path parameter is specified');
return undef;
}
}
#
# Update on 6.2.23b.2: If CAfile or CApath is not specified, system
# default will be used, but if undef was specified, system default
# would be disabled. Now undef won't be specified and the check below
# is useless.
#unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
# unless ($self->{ca_file} or $self->{ca_path}) {
# $log->syslog('err',
# 'Neither ca_file nor ca_path parameter is specified');
# return undef;
# }
#}
}
# new() with multiple alternate hosts needs perl-ldap >= 0.27.
......@@ -105,8 +111,8 @@ sub _connect {
: ($self->{ca_verify} eq 'required') ? 'require'
: $self->{ca_verify}
),
capath => $self->{'ca_path'},
cafile => $self->{'ca_file'},
($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
sslversion => $self->{'ssl_version'},
ciphers => $self->{'ssl_ciphers'},
clientcert => $self->{'ssl_cert'},
......@@ -132,8 +138,8 @@ sub _connect {
: ($self->{ca_verify} eq 'required') ? 'require'
: $self->{ca_verify}
),
capath => $self->{'ca_path'},
cafile => $self->{'ca_file'},
($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
sslversion => $self->{'ssl_version'},
ciphers => $self->{'ssl_ciphers'},
clientcert => $self->{'ssl_cert'},
......
src/lib/Sympa/Fetch.pm
View file @ ed42d535
......@@ -26,12 +26,14 @@ package Sympa::Fetch;
use strict;
use warnings;
BEGIN { eval 'use IO::Socket::SSL'; }
BEGIN { eval 'use LWP::UserAgent'; }
use Sympa::Log;
my $log = Sympa::Log->instance;
# request a document using https, return status and content
# Requests a document using https, returns status and content.
sub get_https {
$log->syslog('debug2', '(%s, %s, %s, %s, %s, %s)', @_);
my $host = shift;
......@@ -45,28 +47,25 @@ sub get_https {
my $trusted_ca_file = $ssl_data->{'cafile'};
my $trusted_ca_path = $ssl_data->{'capath'};
unless (-r ($trusted_ca_file) || (-d $trusted_ca_path)) {
$log->syslog('err',
"error : incorrect access to cafile $trusted_ca_file bor capath $trusted_ca_path"
);
return undef;
}
#unless (-r $trusted_ca_file or -d $trusted_ca_path) {
# $log->syslog('err', 'Incorrect access to cafile %s or capath %s',
# $trusted_ca_file, $trusted_ca_path);
# return undef;
#}
unless (eval "require IO::Socket::SSL") {
unless ($IO::Socket::SSL::VERSION) {
$log->syslog('err',
"Unable to use SSL library, IO::Socket::SSL required, install IO-Socket-SSL (CPAN) first"
'Unable to use SSL library, IO::Socket::SSL required, install it first'
);
return undef;
}
require IO::Socket::SSL;
unless (eval "require LWP::UserAgent") {
unless ($LWP::UserAgent::VERSION) {
$log->syslog('err',
"Unable to use LWP library, LWP::UserAgent required, install LWP (CPAN) first"
'Unable to use LWP library, LWP::UserAgent required, install it first'
);
return undef;
}
require LWP::UserAgent;
my $ssl_socket;
......@@ -76,12 +75,12 @@ sub get_https {
SSL_cert_file => $client_cert,
SSL_key_file => $client_key,
SSL_passwd_cb => sub { return ($key_passwd) },
SSL_ca_file => $trusted_ca_file,
SSL_ca_path => $trusted_ca_path,
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => '5'
($trusted_ca_file ? (SSL_ca_file => $trusted_ca_file) : ()),
($trusted_ca_path ? (SSL_ca_path => $trusted_ca_path) : ()),
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp',
Timeout => '5'
);
unless ($ssl_socket) {
......@@ -121,7 +120,8 @@ sub get_https {
return (@result);
}
# request a document using https, return status and content
# Requests a document using https, returns status and content.
# NEVER USED.
sub get_https2 {
my $host = shift;
my $port = shift;
......
src/lib/Sympa/Message.pm
View file @ ed42d535
......@@ -1135,8 +1135,8 @@ sub check_smime_signature {
# First step is to check if message signing is OK.
my $smime = Crypt::SMIME->new;
eval { # Crypt::SMIME >= 0.15 is required.
$smime->setPublicKeyStore(grep { defined $_ }
($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
$smime->setPublicKeyStore(grep { defined $_ and length $_ }
($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
};
unless (eval { $smime->check($self->as_string) }) {
$log->syslog('err', '%s: Unable to verify S/MIME signature: %s',
......
src/libexec/ldap_alias_manager.pl.in
View file @ ed42d535
......@@ -334,33 +334,19 @@ sub GetLdapParameter {
sub initialize_ldap {
if ($ldap_ssl eq '1') {
if ($ldap_cachain) {
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => 'require',
sslversion => $ldap_ssl_version,
cafile => $ldap_cachain
)
) {
print STDERR
"Can't connect to LDAP server using SSL or unable to verify Server certificate for $ldap_host: $EVAL_ERROR\n";
return 0;
}
} else {
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => 'none',
sslversion => $ldap_ssl_version
)
) {
print STDERR
"Can't connect to LDAP server using SSL for $ldap_host: $EVAL_ERROR\n";
return 0;
}
unless (
$ldap_connection = Net::LDAPS->new(
$ldap_host,
version => 3,
verify => ($ldap_cachain ? 'require' : 'none'),
sslversion => $ldap_ssl_version,
($ldap_cachain ? (cafile => $ldap_cachain) : ())
)
) {
printf STDERR
"Can't connect to LDAP server using SSL or unable to verify Server certificate for %s: %s\n",
$ldap_host, $EVAL_ERROR;
return 0;
}
} else {
unless ($ldap_connection = Net::LDAP->new($ldap_host, version => 3)) {
......
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment