diff options
| author | sunnavy <sunnavy@bestpractical.com> | 2022-02-15 00:47:58 +0300 |
|---|---|---|
| committer | sunnavy <sunnavy@bestpractical.com> | 2022-02-15 01:02:37 +0300 |
| commit | a1e0dcd2bf427c3bb739a5587df7bafeda988f95 (patch) | |
| tree | be68e1a1f29af4e0643ebcdbb6056ddcb8c4aee6 | |
| parent | e09e4c28d694aedf44311b1a7b28dcbea4d740f0 (diff) | |
Explicitly set SSL_verify_mode in mailgate4.4/mailgate-set-ssl-verify-mode
This is mainly to disable certificate verification when --no-verify-ssl
is passed. LWP::Protocol::https automatically does this if you install
it from CPAN, but Linux vendors removed this automation to fix a
security issue, see also:
https://rt.cpan.org/Public/Bug/Display.html?id=81948
https://ubuntu.com/security/CVE-2014-3230
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
Without this, you could get the following error when using system perl
even if --no-verify-ssl is passed:
Can't connect to ... (certificate verify failed)
| -rw-r--r-- | bin/rt-mailgate.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/bin/rt-mailgate.in b/bin/rt-mailgate.in index cd2b2b9fb6..5e2928858e 100644 --- a/bin/rt-mailgate.in +++ b/bin/rt-mailgate.in @@ -154,7 +154,7 @@ sub get_useragent { $ua->agent("rt-mailgate/@RT_VERSION_MAJOR@.@RT_VERSION_MINOR@.@RT_VERSION_PATCH@ "); $ua->cookie_jar( { file => $opts->{'jar'} } ) if $opts->{'jar'}; - $ua->ssl_opts( verify_hostname => $opts->{'verify-ssl'} ); + $ua->ssl_opts( verify_hostname => $opts->{'verify-ssl'}, SSL_verify_mode => $opts->{'verify-ssl'} ); $ua->ssl_opts( SSL_ca_file => $opts->{'ca-file'} ) if $opts->{'ca-file'}; |