Bug#735422: LWP::UserAgent: strange behavior of CA cert paths
Vincent Lefevre
vincent at vinc17.net
Wed Jan 15 09:51:17 UTC 2014
Package: libwww-perl
Version: 6.05-2
Severity: normal
It's strange that only the last one works (twitget is just a program
that uses Net::Twitter with SSL):
$ env -u PERL_LWP_SSL_CA_PATH HTTPS_CA_DIR=/home/vinc17/wd/config/cacert:/etc/ssl/certs twitget
500 SSL_ca_path /home/vinc17/wd/config/cacert:/etc/ssl/certs does not exist at /home/vinc17/bin/twitget line 112
zsh: exit 2 env -u PERL_LWP_SSL_CA_PATH twitget
$ env -u HTTPS_CA_DIR PERL_LWP_SSL_CA_PATH=/home/vinc17/wd/config/cacert:/etc/ssl/certs twitget
500 SSL_ca_path /home/vinc17/wd/config/cacert:/etc/ssl/certs does not exist at /home/vinc17/bin/twitget line 112
zsh: exit 2 env -u HTTPS_CA_DIR twitget
$ env PERL_LWP_SSL_CA_PATH=/does-not-exist HTTPS_CA_DIR=/home/vinc17/wd/config/cacert:/etc/ssl/certs twitget
500 SSL_ca_path /does-not-exist does not exist at /home/vinc17/bin/twitget line 112
zsh: exit 2 env PERL_LWP_SSL_CA_PATH=/does-not-exist twitget
$ env -u HTTPS_CA_DIR PERL_LWP_SSL_CA_PATH=/ twitget
500 Can't connect to api.twitter.com:443 (certificate verify failed) at /home/vinc17/bin/twitget line 112
zsh: exit 255 env -u HTTPS_CA_DIR PERL_LWP_SSL_CA_PATH=/ twitget
$ env PERL_LWP_SSL_CA_PATH=/ HTTPS_CA_DIR=/home/vinc17/wd/config/cacert:/etc/ssl/certs twitget
[works]
In short, if PERL_LWP_SSL_CA_PATH is set to some existing directory
but the certificate isn't found there:
* if HTTPS_CA_DIR isn't set, there's a failure, but
* if HTTPS_CA_DIR is set to something regarded as invalid (see
the "does not exist" error in the first test), then the failure
disappears!
Something seems to be buggy in the error checking.
Some more tests:
$ env -u PERL_LWP_SSL_CA_PATH HTTPS_CA_DIR=/home/vinc17/wd/config/cacert twitget
[works]
$ env -u HTTPS_CA_DIR PERL_LWP_SSL_CA_PATH=/home/vinc17/wd/config/cacert twitget
500 Can't connect to api.twitter.com:443 (certificate verify failed) at /home/vinc17/bin/twitget line 112
zsh: exit 255 env -u HTTPS_CA_DIR PERL_LWP_SSL_CA_PATH=/home/vinc17/wd/config/cacert twitge
And these two tests show that HTTPS_CA_DIR and PERL_LWP_SSL_CA_PATH
are not handled in the same way. HTTPS_CA_DIR seems to fall back to
the default (which is fine), but not PERL_LWP_SSL_CA_PATH.
More generally, PERL_LWP_SSL_CA and HTTPS_CA_DIR should accept paths
with several directories (just like curl's --capath option), but this
may actually be a problem with other modules.
Being able to provide several directories or fall back to the default
is useful so that the end user can provide additional CA certs not
recognized by Debian (at the system level). Currently, setting
HTTPS_CA_DIR to the user's directory and having PERL_LWP_SSL_CA
undefined seems to work (but not the other way round).
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libwww-perl depends on:
ii ca-certificates 20130906
ii libencode-locale-perl 1.03-1
ii libfile-listing-perl 6.04-1
ii libhtml-parser-perl 3.71-1+b1
ii libhtml-tagset-perl 3.20-2
ii libhtml-tree-perl 5.03-1
ii libhttp-cookies-perl 6.00-2
ii libhttp-date-perl 6.02-1
ii libhttp-message-perl 6.06-1
ii libhttp-negotiate-perl 6.00-2
ii liblwp-mediatypes-perl 6.02-1
ii liblwp-protocol-https-perl 6.04-2
ii libnet-http-perl 6.06-1
ii liburi-perl 1.60-1
ii libwww-robotrules-perl 6.01-1
ii netbase 5.2
ii perl 5.18.1-5
Versions of packages libwww-perl recommends:
ii libhtml-form-perl 6.03-1
ii libhtml-format-perl 2.11-1
ii libhttp-daemon-perl 6.01-1
ii libmailtools-perl 2.12-1
Versions of packages libwww-perl suggests:
ii libauthen-ntlm-perl 1.09-1
-- no debconf information
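
Added example, not part of the original report and not code from libwww-perl: since the colon-separated value is rejected above as a single non-existent path, one way to combine a user CA directory with the system one is to merge them into a single hashed directory. It assumes every source directory already uses OpenSSL's hashed layout (entries named `<8 hex digits>.<n>`, numbered consecutively from 0); `merge_ca_dirs` is a hypothetical helper name.

```shell
#!/bin/sh
# merge_ca_dirs DEST SRC... (hypothetical helper, not part of LWP or OpenSSL)
# Links every hashed entry named <8 hex digits>.<n> from each SRC into DEST.
# Entries sharing a hash are renumbered so suffixes stay consecutive from 0.
merge_ca_dirs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for src in "$@"; do
        if [ ! -d "$src" ]; then
            echo "merge_ca_dirs: skipping $src (not a directory)" >&2
            continue
        fi
        abs=$(cd "$src" && pwd) || continue
        for f in "$abs"/*.[0-9]*; do
            [ -e "$f" ] || continue            # unmatched glob or dangling link
            base=${f##*/}
            hash=${base%.*}
            case ${base##*.} in *[!0-9]*|"") continue ;; esac  # numeric suffix only
            case $hash in *[!0-9a-f]*) continue ;; esac        # lowercase hex only
            [ "${#hash}" -eq 8 ] || continue
            n=0 dup=no
            while [ -e "$dest/$hash.$n" ]; do
                # Same certificate already linked: do not add it twice.
                if cmp -s "$f" "$dest/$hash.$n"; then dup=yes; break; fi
                n=$((n + 1))
            done
            [ "$dup" = yes ] || ln -s "$f" "$dest/$hash.$n"
        done
    done
    return 0
}
```

With the directories from the report, `merge_ca_dirs DEST /home/vinc17/wd/config/cacert /etc/ssl/certs` produces one directory (DEST is any writable path of your choosing) that can be given as a single CA path instead of a colon-separated list.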