[Bug 1101265] New: perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1101265 Bug ID: 1101265 Summary: perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all] Product: Fedora Version: 20 Component: perl-LWP-Protocol-https Keywords: FutureFeature Severity: high Priority: high Assignee: ppisar(a)redhat.com Reporter: ppisar(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: jpazdziora(a)redhat.com, jplesnik(a)redhat.com, mmaslano(a)redhat.com, mzazrivec(a)redhat.com, perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com, psabata(a)redhat.com +++ This bug was initially created as a clone of Bug #1094442 +++ [...] --- Additional comment from Jan Pazdziora on 2014-05-26 10:55:43 GMT --- (In reply to Petr Pisar from comment #9) Ahh, sorry about that . So what is the way for making HTTP requests to websites with self-signed certificates from perl, if the user does not care about the CA chain validation? In other way, what is the way for making LWP behave the same way it used to behave with pre-6 version? --- Additional comment from Petr Pisar on 2014-05-26 11:20:51 GMT --- There is no LWP environment variable or command line option to control that currently. It's possible to pass ssl_opts => {SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE} to LWP::UserAgent::new if you write your own LWP application. This is also discussed in the upstream report. The reason why the PERL_LWP_SSL_VERIFY_HOSTNAME seemed to work before is the IO::Socket::SSL < 1.950 defaulted to SSL_VERIFY_NONE. This has not been true since Fedora 20. Unfortunately Fedora 20 delivered the flawed LWP::Protocol::https, so it was not visible. I agree with you that there should be way how to disable the certificate validation externally. -- You are receiving this mail because: You are on the CC list for the bug. Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=vNjL2yMVw5&a=cc_unsubscribe