Bug#748740: Does not work anymore with https servers that use selfsigned certificates
Jakub Wilk
jwilk at debian.org
Sun May 25 07:27:58 UTC 2014
[Just a random LWP/IO::Socket::SSL user here, not a maintainer of any of
the affected packages.]

* Klaus Ethgen <Klaus at Ethgen.de>, 2014-05-20, 11:40:
>The newest version of libwww-perl does not connect to https servers
>with selfsigned certificates anymore; even not with environment
>PERL_LWP_SSL_VERIFY_HOSTNAME set to 0.

It might be fallout after fixing #746579. See also upstream discussion:
https://github.com/libwww-perl/lwp-protocol-https/pull/14
(Yet, it's a complete mess.)

In another mail you wrote:
>Let me also add that setting the ssl_options never worked for me and
>only setting the related environment variable(s) works. So at the
>moment even "$ua->ssl_opts(SSL_verifycn_scheme => 'none');" does not
>let it work.

SSL_verifycn_scheme affects only checking if CN/subjectAltName match
hostname, not validity of the certificate itself. And if you're using
LWP then it doesn't affect anything, because LWP resets it for you. :|

This should completely disable certificate verification:

    $ua->ssl_opts(
        SSL_verify_mode => 0,
        verify_hostname => 0,
    );

>To be clear, I want to _have_ the hostname verified but _not have_ the
>certificate itself checked.

Hmm, that's an odd choice. Surely if you don't verify the peer
certificate, then anybody capable of MiTM can just forge a certificate
with any CN/subjectAltName they want.

--
Jakub Wilk
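
For the self-signed server case discussed in this thread, an alternative to disabling verification is to make the server's own certificate the trust anchor, so that both certificate validation and hostname matching stay enabled. This is an added example, not part of the original mail; the script name, the URL and the PEM file path (both taken from the command line) are assumptions.

```perl
#!/usr/bin/perl
# Added example: trust one self-signed certificate explicitly instead of
# turning verification off. Usage: pinned-get.pl URL SERVER_CERT.pem
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build a user agent that validates peers against the given PEM file.
sub pinned_ua {
    my ($pem) = @_;
    die "cannot read certificate file '$pem'\n" unless -r $pem;
    my $ua = LWP::UserAgent->new(timeout => 10);
    $ua->ssl_opts(
        verify_hostname => 1,                # LWP option: name must match
        SSL_verify_mode => SSL_VERIFY_PEER,  # validate the certificate itself
        SSL_ca_file     => $pem,             # trust anchor used for validation
    );
    return $ua;
}

my ($url, $pem) = @ARGV;
die "usage: $0 URL SERVER_CERT.pem\n" unless defined $url && defined $pem;

my $res = pinned_ua($pem)->get($url);
if ($res->is_success) {
    print "verified and fetched: ", $res->status_line, "\n";
} else {
    # Verification failures surface here, e.g. a different certificate or a
    # hostname not listed in CN/subjectAltName.
    print "request failed: ", $res->status_line, "\n";
    exit 1;
}
```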