[bug] If "cafile" and/or "capath" configuration parameters were not s…

…et, undef were passed to IO::Socket::SSL, and therefore system defaults were disabled. Fixed by not passing undef when these parameters are not set so that system defaults will be used.
sympa-community · Nov 27, 2017 · ed42d53 · ed42d53
1 parent 7df43ed
commit ed42d53
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 79 deletions.
diff --git a/src/lib/Conf.pm b/src/lib/Conf.pm
@@ -825,20 +825,20 @@ sub checkfiles {
         }
     }
 
-    ## Check cafile and capath access
-    if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
-        unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
-            $log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
-            $config_err++;
-        }
-    }
-
-    if (defined $Conf{'capath'} && $Conf{'capath'}) {
-        unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
-            $log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
-            $config_err++;
-        }
-    }
+    ### Check cafile and capath access
+    #if (defined $Conf{'cafile'} && $Conf{'cafile'}) {
+    #    unless (-f $Conf{'cafile'} && -r $Conf{'cafile'}) {
+    #        $log->syslog('err', 'Cannot access cafile %s', $Conf{'cafile'});
+    #        $config_err++;
+    #    }
+    #}
+
+    #if (defined $Conf{'capath'} && $Conf{'capath'}) {
+    #    unless (-d $Conf{'capath'} && -x $Conf{'capath'}) {
+    #        $log->syslog('err', 'Cannot access capath %s', $Conf{'capath'});
+    #        $config_err++;
+    #    }
+    #}
 
     # Check if directory parameters point to the same directory.
     my @keys = qw(bounce_path etc home
@@ -1907,11 +1907,11 @@ sub _infer_server_specific_parameter_values {
 
     $param->{'config_hash'}{'robot_name'} = '';
 
-    unless ((defined $param->{'config_hash'}{'cafile'})
-        || (defined $param->{'config_hash'}{'capath'})) {
-        $param->{'config_hash'}{'cafile'} =
-            Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
-    }
+    #unless (defined $param->{'config_hash'}{'cafile'}
+    #    or defined $param->{'config_hash'}{'capath'}) {
+    #    $param->{'config_hash'}{'cafile'} =
+    #        Sympa::Constants::DEFAULTDIR . '/ca-bundle.crt';
+    #}
 
     unless (
         Sympa::Tools::Data::smart_eq(

diff --git a/src/lib/Sympa/DatabaseDriver/LDAP.pm b/src/lib/Sympa/DatabaseDriver/LDAP.pm
@@ -87,13 +87,19 @@ sub _connect {
         # However, recent releases won't: They simply deny connection.
         # As a workaround, make ca_file or ca_path parameter mandatory unless
         # "none" is explicitly assigned to ca_verify parameter.
-        unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
-            unless ($self->{ca_file} or $self->{ca_path}) {
-                $log->syslog('err',
-                    'Neither ca_file nor ca_path parameter is specified');
-                return undef;
-            }
-        }
+        #
+        # Update on 6.2.23b.2: If CAfile or CApath is not specified, system
+        # default will be used, but if undef was specified, system default
+        # would be disabled. Now undef won't be specified and the check below
+        # is useless.
+
+        #unless ($self->{ca_verify} and $self->{ca_verify} eq 'none') {
+        #    unless ($self->{ca_file} or $self->{ca_path}) {
+        #        $log->syslog('err',
+        #            'Neither ca_file nor ca_path parameter is specified');
+        #        return undef;
+        #    }
+        #}
     }
 
     # new() with multiple alternate hosts needs perl-ldap >= 0.27.
@@ -105,8 +111,8 @@ sub _connect {
             : ($self->{ca_verify} eq 'required') ? 'require'
             :                                      $self->{ca_verify}
         ),
-        capath     => $self->{'ca_path'},
-        cafile     => $self->{'ca_file'},
+        ($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
+        ($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
         sslversion => $self->{'ssl_version'},
         ciphers    => $self->{'ssl_ciphers'},
         clientcert => $self->{'ssl_cert'},
@@ -132,8 +138,8 @@ sub _connect {
                 : ($self->{ca_verify} eq 'required') ? 'require'
                 :                                      $self->{ca_verify}
             ),
-            capath     => $self->{'ca_path'},
-            cafile     => $self->{'ca_file'},
+            ($self->{'ca_path'} ? (capath => $self->{'ca_path'}) : ()),
+            ($self->{'ca_file'} ? (cafile => $self->{'ca_file'}) : ()),
             sslversion => $self->{'ssl_version'},
             ciphers    => $self->{'ssl_ciphers'},
             clientcert => $self->{'ssl_cert'},

diff --git a/src/lib/Sympa/Fetch.pm b/src/lib/Sympa/Fetch.pm
@@ -26,12 +26,14 @@ package Sympa::Fetch;
 
 use strict;
 use warnings;
+BEGIN { eval 'use IO::Socket::SSL'; }
+BEGIN { eval 'use LWP::UserAgent'; }
 
 use Sympa::Log;
 
 my $log = Sympa::Log->instance;
 
-# request a document using https, return status and content
+# Requests a document using https, returns status and content.
 sub get_https {
     $log->syslog('debug2', '(%s, %s, %s, %s, %s, %s)', @_);
     my $host        = shift;
@@ -45,28 +47,25 @@ sub get_https {
     my $trusted_ca_file = $ssl_data->{'cafile'};
     my $trusted_ca_path = $ssl_data->{'capath'};
 
-    unless (-r ($trusted_ca_file) || (-d $trusted_ca_path)) {
-        $log->syslog('err',
-            "error : incorrect access to cafile $trusted_ca_file bor capath $trusted_ca_path"
-        );
-        return undef;
-    }
+    #unless (-r $trusted_ca_file or -d $trusted_ca_path) {
+    #    $log->syslog('err', 'Incorrect access to cafile %s or capath %s',
+    #        $trusted_ca_file, $trusted_ca_path);
+    #    return undef;
+    #}
 
-    unless (eval "require IO::Socket::SSL") {
+    unless ($IO::Socket::SSL::VERSION) {
         $log->syslog('err',
-            "Unable to use SSL library, IO::Socket::SSL required, install IO-Socket-SSL (CPAN) first"
+            'Unable to use SSL library, IO::Socket::SSL required, install it first'
         );
         return undef;
     }
-    require IO::Socket::SSL;
 
-    unless (eval "require LWP::UserAgent") {
+    unless ($LWP::UserAgent::VERSION) {
         $log->syslog('err',
-            "Unable to use LWP library, LWP::UserAgent required, install LWP (CPAN) first"
+            'Unable to use LWP library, LWP::UserAgent required, install it first'
         );
         return undef;
     }
-    require LWP::UserAgent;
 
     my $ssl_socket;
 
@@ -76,12 +75,12 @@ sub get_https {
         SSL_cert_file   => $client_cert,
         SSL_key_file    => $client_key,
         SSL_passwd_cb   => sub { return ($key_passwd) },
-        SSL_ca_file     => $trusted_ca_file,
-        SSL_ca_path     => $trusted_ca_path,
-        PeerAddr        => $host,
-        PeerPort        => $port,
-        Proto           => 'tcp',
-        Timeout         => '5'
+        ($trusted_ca_file ? (SSL_ca_file => $trusted_ca_file) : ()),
+        ($trusted_ca_path ? (SSL_ca_path => $trusted_ca_path) : ()),
+        PeerAddr => $host,
+        PeerPort => $port,
+        Proto    => 'tcp',
+        Timeout  => '5'
     );
 
     unless ($ssl_socket) {
@@ -121,7 +120,8 @@ sub get_https {
     return (@result);
 }
 
-# request a document using https, return status and content
+# Requests a document using https, returns status and content.
+# NEVER USED.
 sub get_https2 {
     my $host = shift;
     my $port = shift;

diff --git a/src/lib/Sympa/Message.pm b/src/lib/Sympa/Message.pm
@@ -1135,8 +1135,8 @@ sub check_smime_signature {
     # First step is to check if message signing is OK.
     my $smime = Crypt::SMIME->new;
     eval {    # Crypt::SMIME >= 0.15 is required.
-        $smime->setPublicKeyStore(grep { defined $_ }
-                ($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
+        $smime->setPublicKeyStore(grep { defined $_ and length $_ }
+            ($Conf::Conf{'cafile'}, $Conf::Conf{'capath'}));
     };
     unless (eval { $smime->check($self->as_string) }) {
         $log->syslog('err', '%s: Unable to verify S/MIME signature: %s',

diff --git a/src/libexec/ldap_alias_manager.pl.in b/src/libexec/ldap_alias_manager.pl.in
@@ -334,33 +334,19 @@ sub GetLdapParameter {
 sub initialize_ldap {
 
     if ($ldap_ssl eq '1') {
-        if ($ldap_cachain) {
-            unless (
-                $ldap_connection = Net::LDAPS->new(
-                    $ldap_host,
-                    version    => 3,
-                    verify     => 'require',
-                    sslversion => $ldap_ssl_version,
-                    cafile     => $ldap_cachain
-                )
-                ) {
-                print STDERR
-                    "Can't connect to LDAP server using SSL or unable to verify Server certificate for $ldap_host: $EVAL_ERROR\n";
-                return 0;
-            }
-        } else {
-            unless (
-                $ldap_connection = Net::LDAPS->new(
-                    $ldap_host,
-                    version    => 3,
-                    verify     => 'none',
-                    sslversion => $ldap_ssl_version
-                )
-                ) {
-                print STDERR
-                    "Can't connect to LDAP server using SSL for $ldap_host: $EVAL_ERROR\n";
-                return 0;
-            }
+        unless (
+            $ldap_connection = Net::LDAPS->new(
+                $ldap_host,
+                version    => 3,
+                verify     => ($ldap_cachain ? 'require' : 'none'),
+                sslversion => $ldap_ssl_version,
+                ($ldap_cachain ? (cafile => $ldap_cachain) : ())
+            )
+            ) {
+            printf STDERR
+                "Can't connect to LDAP server using SSL or unable to verify Server certificate for %s: %s\n",
+                $ldap_host, $EVAL_ERROR;
+            return 0;
         }
     } else {
         unless ($ldap_connection = Net::LDAP->new($ldap_host, version => 3)) {