Bug#746579: libwww-perl: HTTPS_CA_DIR or HTTPS_CA_FILE disables peer certificate verification for IO::Socket::SSL
Jakub Wilk
jwilk at debian.org
Fri May 2 13:44:01 UTC 2014
* Jakub Wilk <jwilk at debian.org>, 2014-05-01, 17:24:
>If LWP uses IO::Socket::SSL as SSL socket class (this is the default),
>setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!)
>server certificate verification:
This is what's going on:
In LWP::UserAgent we have this:
    elsif ($ENV{HTTPS_CA_FILE} || $ENV{HTTPS_CA_DIR}) {
        # Crypt-SSLeay compatibility (verify peer certificate; but not the hostname)
        $ssl_opts->{verify_hostname} = 0;
        $ssl_opts->{SSL_verify_mode} = 1;
    }
But in LWP::Protocol::HTTPS we have this:
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = 0;
    }
So the intention was to disable only hostname verification, for
compatibility with Crypt::SSLeay (why?!), but the effect is that the
SSL_verify_mode is set to 0.
--
Jakub Wilk
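
The interaction described in the message above, as an added example that is not part of the original message or of the LWP source: it runs the two quoted branches in sequence on a plain option hash and prints the resulting SSL_verify_mode, next to a hypothetical variant that keeps a caller-supplied verify mode. The sub names, the `verify_hostname => 1` starting value and the placeholder paths are assumptions of this sketch; it opens no socket.

```perl
use strict;
use warnings;

# Branch quoted from LWP::UserAgent. The verify_hostname => 1 starting value
# is an assumption of this sketch; the message does not show the default.
sub ua_ssl_opts {
    my (%env) = @_;
    my $ssl_opts = { verify_hostname => 1 };
    if ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) {
        $ssl_opts->{verify_hostname} = 0;
        $ssl_opts->{SSL_verify_mode} = 1;
    }
    return $ssl_opts;
}

# Branch quoted from LWP::Protocol::HTTPS, behaviour unchanged.
sub https_opts_as_quoted {
    my %ssl_opts = %{ $_[0] };
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = 0;    # discards the 1 set by the caller
    }
    return \%ssl_opts;
}

# Hypothetical variant: keep a verify mode the caller set explicitly.
sub https_opts_preserving {
    my %ssl_opts = %{ $_[0] };
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
        $ssl_opts{SSL_verify_mode} = 0 unless defined $ssl_opts{SSL_verify_mode};
    }
    return \%ssl_opts;
}

# Constructed environments; the paths are placeholders.
for my $env ({}, { HTTPS_CA_FILE => '/constructed/ca.pem' }, { HTTPS_CA_DIR => '/constructed/certs' }) {
    my $label = join(',', sort keys %$env) || '(none)';
    printf "%-14s as quoted: SSL_verify_mode=%d   preserving: SSL_verify_mode=%d\n", $label,
        https_opts_as_quoted(ua_ssl_opts(%$env))->{SSL_verify_mode},
        https_opts_preserving(ua_ssl_opts(%$env))->{SSL_verify_mode};
}
```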