Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work
Slaven Rezic
slaven at rezic.de
Tue Jul 11 07:14:53 BST 2023
09. 07. 2023. u 20:43, gregor herrmann piše:
> On Sat, 02 Jan 2021 10:24:52 +0100, Slaven Rezic wrote:
>
>> The problem still exists in debian/testing (libwww-perl 6.50 +
>> liblwp-protocol-https-perl 6.09-1 installed here):
>>
>> perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://quartier-heidestrasse.contempo-webcam.de/"); warn $res->as_string'
>> 500 Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate verify failed)
>> Content-Type: text/plain
>> Client-Date: Sat, 02 Jan 2021 09:23:22 GMT
>> Client-Warning: Internal response
>>
>> Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate verify failed)
>>
>> SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.
> I just tried your example and I don't get any errors.
>
> This is in today's unstable with libwww-perl/6.71-2 and
> liblwp-protocol-https-perl 6.10-1.
>
> Could you please try as well?
>
> (Please note that I'm about to upload
> liblwp-protocol-https-perl/6.11-1 to unstable).
Confirmed. The former examples cannot be used anymore to prove the
problem, as the used websites fixed their certificates in the meantime.
But you can use something like "https://bla.bla.bing.com" which now
works if verify_hostname=>0 is set. Tried on debian:stretch and
debian:bookworm.
Regards, Slaven
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20230711/af27af95/attachment-0001.htm>
More information about the pkg-perl-maintainers
mailing list