elasticsearch-perl

Please verify SSL server identity by default

Open fschlich opened this issue 3 years ago • 1 comments

I'm forwarding Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954111

The reporter notes that Your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. ... I believe that the encryption of a transmission has no value when talking to the wrong person.

While you document in Search::Elasticsearch::Cxn::HTTPTiny how to turn on remote host verification, would you consider switching the default to always verify https connections (and perhaps giving your user the option to turn verification back off should this really be needed)?

fschlich, Sep 05 '21 14:09

@fschlich thanks for reporting this. I'll work on a PR to enable SSL verification by default.

ezimuel, Oct 20 '21 09:10

This has been fixed in HTTP-Tiny ver. 0.083

ezimuel, Jan 17 '24 21:01
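For installations that cannot rely on the HTTP::Tiny default discussed in this thread, the following added example (not code from the issue or from the elasticsearch-perl project) reports what the installed HTTP::Tiny does by default and builds a client that requests peer verification explicitly through the `ssl_options` parameter of Search::Elasticsearch::Cxn::HTTPTiny. The helper names, the node URL and the CA bundle path are hypothetical placeholders.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;
use IO::Socket::SSL;    # exports SSL_VERIFY_PEER
use Search::Elasticsearch;

# Hypothetical helper: does a bare HTTP::Tiny object verify server
# certificates? Constructing the object opens no connection.
sub tiny_verifies_by_default {
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

# Hypothetical helper: build a client that asks for peer verification
# explicitly, so the result does not depend on the HTTP::Tiny default.
sub verified_client {
    my ( $node, $ca_file ) = @_;
    die "refusing non-https node: $node\n" unless $node =~ m{^https://}i;
    die "CA file not readable: $ca_file\n" unless -r $ca_file;
    return Search::Elasticsearch->new(
        nodes       => [$node],
        cxn         => 'HTTPTiny',
        ssl_options => {
            SSL_verify_mode => SSL_VERIFY_PEER,
            SSL_ca_file     => $ca_file,
        },
    );
}

printf "HTTP::Tiny %s verifies certificates by default: %s\n",
    HTTP::Tiny->VERSION, tiny_verifies_by_default() ? 'yes' : 'no';

# Placeholder node and CA bundle path (assumptions, not from the issue).
my $es = eval {
    verified_client(
        'https://es.example.internal:9200',
        '/etc/ssl/certs/ca-certificates.crt',
    );
};
warn "client not built: $@" if $@;
```

Running the first check across hosts shows which ones still carry an HTTP::Tiny that leaves verification off unless the caller opts in.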