elastic/elasticsearch-perl

Please verify SSL server identity by default

Closed this issue · 2 comments

I'm forwarding Debian bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954111

The reporter notes that "your package uses the Perl module HTTP::Tiny, but it does not force the verify_SSL attribute to a true value. ... I believe that the encryption of a transmission has no value when talking to the wrong person."

While you document in Search::Elasticsearch::Cxn::HTTPTiny how to turn on remote host verification, would you consider switching the default to always verify https connections (and perhaps giving your user the option to turn verification back off should this really be needed)?
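The two behaviours the report contrasts, as an added example (not code from the elasticsearch-perl project or from the Debian bug): an HTTP::Tiny client built with the pre-0.083 default, where the TLS handshake succeeds against any certificate, next to one that opts in with verify_SSL, where the chain is checked against a CA bundle and the hostname against the certificate. The CA bundle path, the endpoint URL, and the way the verifying options are handed to Search::Elasticsearch (via the HTTPTiny cxn's ssl_options, as that module documents it) are assumptions for illustration.

```perl
#!/usr/bin/env perl
# Added example; not part of elasticsearch-perl. Shows why an unverified TLS
# connection is "encryption to the wrong person" and how to opt in to
# verification with HTTP::Tiny and, by assumption, Search::Elasticsearch.
use strict;
use warnings;
use HTTP::Tiny;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Assumption: system CA bundle location; adjust for your platform.
my $CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt';

# HTTP::Tiny before 0.083: verify_SSL defaults to false. The handshake
# completes against a self-signed, expired or wrong-name certificate, so a
# man-in-the-middle terminating TLS is never detected.
sub insecure_client {
    return HTTP::Tiny->new();           # verify_SSL => 0 implied
}

# Opt in: verify the chain against the bundle and the name against the cert.
sub verifying_client {
    return HTTP::Tiny->new(
        verify_SSL  => 1,
        SSL_options => { SSL_ca_file => $CA_BUNDLE },
    );
}

# Report the effective policy of a client so the difference is visible.
sub tls_policy {
    my ($client) = @_;
    return $client->verify_SSL ? 'verify peer and hostname' : 'no verification';
}

# With verification on, a bad certificate surfaces as a synthetic 599
# response from HTTP::Tiny rather than as a silently successful request.
sub fetch_root {
    my ($client, $url) = @_;
    my $res = $client->get($url);
    return { ok => 1, body => $res->{content} } if $res->{success};
    return { ok => 0, error => "$res->{status} $res->{reason}: $res->{content}" };
}

# Assumed: how the same options reach the Elasticsearch client. The
# Search::Elasticsearch::Cxn::HTTPTiny ssl_options are passed on to
# IO::Socket::SSL, so SSL_verify_mode and SSL_ca_file turn verification on.
sub es_client_with_verification {
    require Search::Elasticsearch;
    return Search::Elasticsearch->new(
        nodes       => ['https://localhost:9200'],   # assumed endpoint
        cxn         => 'HTTPTiny',
        ssl_options => {
            SSL_verify_mode     => SSL_VERIFY_PEER,
            SSL_verifycn_scheme => 'http',
            SSL_ca_file         => $CA_BUNDLE,
        },
    );
}

my $url = 'https://localhost:9200/';                  # assumed endpoint
for my $c (insecure_client(), verifying_client()) {
    my $r = fetch_root($c, $url);
    printf "%-26s -> %s\n", tls_policy($c),
        $r->{ok} ? 'request succeeded' : "request failed ($r->{error})";
}
```

Run against a node that presents a self-signed certificate: the first client prints "request succeeded" and the second prints a 599 with the IO::Socket::SSL verification error, which is exactly the failure a client should see before it trusts the response body.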

@fschlich thanks for reporting this. I'll work on a PR to enable SSL verification by default.

This has been fixed in HTTP-Tiny ver. 0.083