<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
On Mon, 03 Sep 2018 06:03:51 +0000 Slaven Rezic
<a class="moz-txt-link-rfc2396E" href="mailto:slaven@rezic.de"><slaven@rezic.de></a> wrote:<br>
> Package: liblwp-protocol-https-perl<br>
> Version: 6.06-2<br>
> Severity: normal<br>
> <br>
> Dear Maintainer,<br>
> <br>
> to disable hostname verification in https requests one would
set ssl_opts'<br>
> verify_hostname to a false value. However, this does not work:<br>
> <br>
> $ perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new;
$ua->ssl_opts(verify_hostname=>0); $res =
$ua->get(<a class="moz-txt-link-rfc2396E" href="https://www.dwd.de">"https://www.dwd.de"</a>); warn $res->as_string' <br>
> 500 Can't connect to <a class="moz-txt-link-abbreviated" href="http://www.dwd.de:443">www.dwd.de:443</a> (certificate verify failed)<br>
> Content-Type: text/plain<br>
> Client-Date: Mon, 03 Sep 2018 05:58:34 GMT<br>
> Client-Warning: Internal response<br>
> <br>
> Can't connect to <a class="moz-txt-link-abbreviated" href="http://www.dwd.de:443">www.dwd.de:443</a> (certificate verify failed)<br>
> <br>
> SSL connect attempt failed error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed at
/usr/share/perl5/LWP/Protocol/http.pm line 47.<br>
> <br>
> With a self-compiled perl and modules installed from CPAN this
works as expected<br>
> (in this case there's no artificial 500 response, but a 403
Forbidden response).<br>
> <br>
> I found out that it's possible to workaround the issue with<br>
> Debian's perl by setting SSL_verify_mode:<br>
> <br>
> $ perl -MIO::Socket::SSL=SSL_VERIFY_NONE -MLWP::UserAgent -e
'$ua=LWP::UserAgent->new; $ua->ssl_opts(SSL_verify_mode =>
SSL_VERIFY_NONE, verify_hostname => 0); $res =
$ua->get(<a class="moz-txt-link-rfc2396E" href="https://www.dwd.de">"https://www.dwd.de"</a>); warn $res->as_string'<br>
> <br>
> The issue is still present on Ubuntu 18.04 which has a newer<br>
> version of liblwp-protocol-https-perl. I also don't know if the<br>
> problem lies in LWP, LWP::Protocol::https, IO::Socket::SSL,<br>
> <a class="moz-txt-link-freetext" href="Net::SSLeay">Net::SSLeay</a>, or any other module.<br>
> <br>
> -- System Information:<br>
> Debian Release: 9.5<br>
> APT prefers stable-updates<br>
> APT policy: (500, 'stable-updates'), (500, 'stable')<br>
> Architecture: amd64 (x86_64)<br>
> <br>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)<br>
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C
(charmap=ANSI_X3.4-1968)<br>
> Shell: /bin/sh linked to /bin/dash<br>
> Init: systemd (via /run/systemd/system)<br>
> <br>
> Versions of packages liblwp-protocol-https-perl depends on:<br>
> ii ca-certificates 20161130+nmu1+deb9u1<br>
> ii libio-socket-ssl-perl 2.044-1<br>
> ii libnet-http-perl 6.12-1<br>
> ii libwww-perl 6.15-1<br>
> ii perl 5.24.1-3+deb9u4<br>
> <br>
> liblwp-protocol-https-perl recommends no packages.<br>
> <br>
> Versions of packages liblwp-protocol-https-perl suggests:<br>
> pn libcrypt-ssleay-perl <none><br>
> <br>
> -- no debconf information<br>
> <br>
> <br>
<p>The problem still exists in debian/testing (libwww-perl 6.50 +
liblwp-protocol-https-perl 6.09-1 installed here):</p>
<pre>perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get(<a class="moz-txt-link-rfc2396E" href="https://quartier-heidestrasse.contempo-webcam.de/">"https://quartier-heidestrasse.contempo-webcam.de/"</a>); warn $res->as_string'
500 Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate verify failed)
Content-Type: text/plain
Client-Date: Sat, 02 Jan 2021 09:23:22 GMT
Client-Warning: Internal response
Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate verify failed)
SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 50.
</pre>
</body>
</html>