From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 7/8] ids-functions.pl: Adjust code to deal with new LWP::UserAgent.
Date: Sat, 05 Feb 2022 12:26:19 +0000
Message-ID: <5a7d2d5d-e3e9-14fd-77a1-0625e1029288@ipfire.org>
In-Reply-To: <20220203111613.13632-7-stefan.schantl@ipfire.org>

Interesting to see this requires certificate validation to be actively enabled.
I wonder how many Perl projects using LWP are vulnerable to TLS interception by self-signed/untrusted certificates... :-/

Reviewed-by: Peter Müller

> Signed-off-by: Stefan Schantl > --- > config/cfgroot/ids-functions.pl | 10 +++++++++- > 1 file changed, 9 insertions(+), 1 deletion(-) >=20 > diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions= .pl > index 74d55def6..bf02bcbaa 100644 > --- a/config/cfgroot/ids-functions.pl > +++ b/config/cfgroot/ids-functions.pl > @@ -281,7 +281,15 @@ sub downloadruleset ($) { > use LWP::UserAgent; > =20 > # Init the download module. > - my $downloader =3D LWP::UserAgent->new; > + # > + # Request SSL hostname verification and specify path > + # to the CA file. > + my $downloader =3D LWP::UserAgent->new( > + ssl_opts =3D> { > + SSL_ca_file =3D> '/etc/ssl/cert.pem', > + verify_hostname =3D> 1, > + } > + ); > =20 > # Set timeout to 10 seconds. > $downloader->timeout(10);
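
Review bot: The CA bundle path '/etc/ssl/cert.pem' is hard-coded inside the LWP::UserAgent->new(...) call in downloadruleset, and nothing in the visible lines checks that the file is present and readable before the download is attempted. Consider moving the path into a named variable near the top of ids-functions.pl and failing with an explicit message when the file is missing, so that a broken trust store is not reported as an ordinary download error. The added comment says what is being set but not why; a sentence, here or in the commit message (which carries only the subject line), on what changed in the new LWP::UserAgent that makes explicit ssl_opts necessary would help later readers.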