Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work

Slaven Rezic slaven at rezic.de
Mon Sep 3 07:03:51 BST 2018


Package: liblwp-protocol-https-perl
Version: 6.06-2
Severity: normal

Dear Maintainer,

To disable hostname verification in HTTPS requests, one would set ssl_opts'
verify_hostname to a false value. However, this does not work:

    $ perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string' 
    500 Can't connect to www.dwd.de:443 (certificate verify failed)
    Content-Type: text/plain
    Client-Date: Mon, 03 Sep 2018 05:58:34 GMT
    Client-Warning: Internal response
    
    Can't connect to www.dwd.de:443 (certificate verify failed)
    
    SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 47.

With a self-compiled perl and modules installed from CPAN this works as expected
(in this case there's no artificial 500 response, but a 403 Forbidden response).

I found out that it's possible to work around the issue with
Debian's perl by setting SSL_verify_mode:

    $ perl -MIO::Socket::SSL=SSL_VERIFY_NONE -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(SSL_verify_mode => SSL_VERIFY_NONE, verify_hostname => 0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string'

The issue is still present on Ubuntu 18.04, which has a newer
version of liblwp-protocol-https-perl. I also don't know if the
problem lies in LWP, LWP::Protocol::https, IO::Socket::SSL,
Net::SSLeay, or any other module.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblwp-protocol-https-perl depends on:
ii  ca-certificates        20161130+nmu1+deb9u1
ii  libio-socket-ssl-perl  2.044-1
ii  libnet-http-perl       6.12-1
ii  libwww-perl            6.15-1
ii  perl                   5.24.1-3+deb9u4

liblwp-protocol-https-perl recommends no packages.

Versions of packages liblwp-protocol-https-perl suggests:
pn  libcrypt-ssleay-perl  <none>

-- no debconf information


