aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-12-13 16:00:53 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-12-13 16:00:53 +0100
commitf3f064a4e0e74088daea091bc62a8141f0e6c0bb (patch)
tree5015c65fceb66c18a73e5402ef548ef4de284c77 /lib
parentb70d9b261a6d2849efeb670b53e0ab726a58fb59 (diff)
Explicitly set SSL_verify=1 (default) only once.
Diffstat (limited to 'lib')
-rw-r--r--lib/Net/IMAP/InterIMAP.pm7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/Net/IMAP/InterIMAP.pm b/lib/Net/IMAP/InterIMAP.pm
index 3745aad..5bdd954 100644
--- a/lib/Net/IMAP/InterIMAP.pm
+++ b/lib/Net/IMAP/InterIMAP.pm
@@ -1641,7 +1641,7 @@ sub _ssl_verify($$$) {
$self->log(' Subject Name: ', Net::SSLeay::X509_NAME_oneline(Net::SSLeay::X509_get_subject_name($cert)));
}
- $ok = 1 unless $self->{SSL_verify} // 1;
+ $ok = 1 unless $self->{SSL_verify} // die; # safety check, always set
if ($depth == 0 and !exists $self->{_SSL_PEER_VERIFIED}) {
if ($self->{debug}) {
my $algo = 'sha256';
@@ -1705,6 +1705,7 @@ my %SSL_protocol_versions = (
sub _start_ssl($$) {
my ($self, $socket) = @_;
my $ctx = Net::SSLeay::CTX_new() or $self->panic("SSL_CTX_new(): $!");
+ $self->{SSL_verify} //= 1; # default is to perform certificate verification
if (defined $self->{_OUTBUF} and $self->{_OUTBUF} ne '') {
$self->warn("Truncating non-empty output buffer (unauthenticated response injection?)");
@@ -1770,7 +1771,7 @@ sub _start_ssl($$) {
my $host = $self->{host} // $self->panic();
my ($hostip, $hostipfam) = _parse_hostip($host);
- if ($self->{SSL_verify} // 1) {
+ if ($self->{SSL_verify}) {
# for X509_VERIFY_PARAM_set1_{ip,host}()
$self->panic("Failed requirement libssl >=1.0.2") if $OPENSSL_VERSION < 0x1000200f;
@@ -1811,7 +1812,7 @@ sub _start_ssl($$) {
$self->_ssl_error("Can't initiate TLS/SSL handshake") unless Net::SSLeay::connect($ssl) == 1;
$self->panic() unless $self->{_SSL_PEER_VERIFIED}; # sanity check
- $self->panic() if ($self->{SSL_verify} // 1) and Net::SSLeay::get_verify_result($ssl) != Net::SSLeay::X509_V_OK();
+ $self->panic() if $self->{SSL_verify} and Net::SSLeay::get_verify_result($ssl) != Net::SSLeay::X509_V_OK();
Net::SSLeay::X509_VERIFY_PARAM_free($vpm);
if ($self->{debug}) {