From: "brian m. carlson" <sandals@crustytoothpaste.net>
To: "Torsten Bögershausen" <tboegi@web.de>
Cc: Ramkumar Ramachandra <artagnon@gmail.com>,
Git List <git@vger.kernel.org>,
Junio C Hamano <gitster@pobox.com>
Subject: [PATCH] send-email: improve SSL certificate verification
Date: Tue, 16 Jul 2013 00:15:06 +0000 [thread overview]
Message-ID: <20130716001506.GG11097@vauxhall.crustytoothpaste.net> (raw)
In-Reply-To: <51E3677D.6040903@web.de>
The SSL and TLS code for SMTP is non-trivial, so refactor it into a separate
function for ease of use. Handle both files and directories as sources for CA
certificates. Also add handling for older version of IO::Socket::SSL that do
not support the SSL_VERIFY_PEER and SSL_VERIFY_NONE constants; in this case,
print a warning and inform the user of this fact.
Signed-off-by: brian m. carlson <sandals@crustytoothpaste.net>
---
This is completely untested. I used perl -c, but that's it.
git-send-email.perl | 50 ++++++++++++++++++++++++++++++++++++--------------
1 file changed, 36 insertions(+), 14 deletions(-)
diff --git a/git-send-email.perl b/git-send-email.perl
index 095b6fb..11fb2d0 100755
--- a/git-send-email.perl
+++ b/git-send-email.perl
@@ -1083,6 +1083,37 @@ sub smtp_auth_maybe {
return $auth;
}
+sub ssl_verify_params {
+ require IO::Socket::SSL;
+ eval {
+ IO::Socket::SSL->import(qw/SSL_VERIFY_PEER SSL_VERIFY_NONE/);
+ };
+ if ($@) {
+ print STDERR "Not using SSL_VERIFY_PEER due to out-of-date IO::Socket::SSL.\n";
+ return;
+ }
+
+ if (!defined $smtp_ssl_cert_path) {
+ $smtp_ssl_cert_path ||= "/etc/ssl/certs";
+ }
+
+ if (!$smtp_ssl_cert_path) {
+ return (SSL_verify_mode => SSL_VERIFY_NONE());
+ }
+ elsif (-d $smtp_ssl_cert_path) {
+ return (SSL_verify_mode => SSL_VERIFY_PEER(),
+ SSL_ca_path => $smtp_ssl_cert_path);
+ }
+ elsif (-f $smtp_ssl_cert_path) {
+ return (SSL_verify_mode => SSL_VERIFY_PEER(),
+ SSL_ca_file => $smtp_ssl_cert_path);
+ }
+ else {
+ print STDERR "Not using SSL_VERIFY_PEER because the CA path does not exist.\n";
+ return (SSL_verify_mode => SSL_VERIFY_NONE());
+ }
+}
+
# Returns 1 if the message was sent, and 0 otherwise.
# In actuality, the whole program dies when there
# is an error sending a message.
@@ -1187,7 +1218,8 @@ X-Mailer: git-send-email $gitversion
$smtp_domain ||= maildomain();
$smtp ||= Net::SMTP::SSL->new($smtp_server,
Hello => $smtp_domain,
- Port => $smtp_server_port);
+ Port => $smtp_server_port,
+ ssl_verify_params());
}
else {
require Net::SMTP;
@@ -1203,19 +1235,9 @@ X-Mailer: git-send-email $gitversion
$smtp->command('STARTTLS');
$smtp->response();
if ($smtp->code == 220) {
- # Attempt to use a ca-certificate by default
- $smtp_ssl_cert_path |= "/etc/ssl/certs";
- if (-d $smtp_ssl_cert_path) {
- $smtp = Net::SMTP::SSL->start_SSL($smtp,
- SSL_verify_mode => SSL_VERIFY_PEER,
- SSL_ca_path => $smtp_ssl_cert_path)
- or die "STARTTLS failed! ".$smtp->message;
- } else {
- print STDERR "warning: Using SSL_VERIFY_NONE. See sendemail.smtpsslcertpath.\n";
- $smtp = Net::SMTP::SSL->start_SSL($smtp,
- SSL_verify_mode => SSL_VERIFY_NONE)
- or die "STARTTLS failed! ".$smtp->message;
- }
+ $smtp = Net::SMTP::SSL->start_SSL($smtp,
+ ssl_verify_params())
+ or die "STARTTLS failed! ".$smtp->message;
$smtp_encryption = '';
# Send EHLO again to receive fresh
# supported commands
--
1.8.3.2.923.g2a18ff8.dirty
--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
next prev parent reply other threads:[~2013-07-16 0:15 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-05 12:05 [PATCH v2 0/2] Squelch warning from send-email Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 1/2] send-email: squelch warning from Net::SMTP::SSL Ramkumar Ramachandra
2013-07-06 14:28 ` Torsten Bögershausen
2013-07-06 14:32 ` brian m. carlson
2013-07-06 15:49 ` Torsten Bögershausen
2013-07-14 13:49 ` Ramkumar Ramachandra
2013-07-14 17:03 ` brian m. carlson
2013-07-14 21:49 ` Ramkumar Ramachandra
2013-07-15 3:07 ` Torsten Bögershausen
2013-07-15 4:15 ` Junio C Hamano
2013-07-16 0:15 ` brian m. carlson [this message]
2013-07-16 2:33 ` [PATCH] send-email: improve SSL certificate verification Torsten Bögershausen
2013-07-16 2:35 ` brian m. carlson
2013-07-18 16:53 ` Re* " Junio C Hamano
2013-07-18 17:36 ` Ramkumar Ramachandra
2013-07-05 12:05 ` [PATCH v2 2/2] send-email: introduce sendemail.smtpsslcertpath Ramkumar Ramachandra
2013-07-05 12:33 ` Eric Sunshine
2013-07-05 12:36 ` Ramkumar Ramachandra
2013-07-05 12:45 ` brian m. carlson
2013-07-05 12:53 ` Ramkumar Ramachandra
2013-07-05 13:01 ` brian m. carlson
2013-07-05 17:20 ` Junio C Hamano
2013-07-05 17:47 ` John Keeping
2013-07-05 18:30 ` Junio C Hamano
2013-07-05 18:43 ` John Keeping
2013-07-06 6:25 ` Junio C Hamano
2013-07-06 11:46 ` John Keeping
2013-07-07 4:12 ` Junio C Hamano
2013-07-07 9:02 ` John Keeping
2013-07-05 20:29 ` brian m. carlson
2013-07-07 5:54 ` Jeff King
2013-07-07 10:01 ` Junio C Hamano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: http://vger.kernel.org/majordomo-info.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130716001506.GG11097@vauxhall.crustytoothpaste.net \
--to=sandals@crustytoothpaste.net \
--cc=artagnon@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitster@pobox.com \
--cc=tboegi@web.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://80x24.org/mirrors/git.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).