https://bugzilla.redhat.com/show_bug.cgi?id=1101265
Bug ID: 1101265
Summary: perl-libwww-perl: incorrect handling of SSL
certificate verification [fedora-all]
Product: Fedora
Version: 20
Component: perl-LWP-Protocol-https
Keywords: FutureFeature
Severity: high
Priority: high
Assignee: ppisar(a)redhat.com
Reporter: ppisar(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: jpazdziora(a)redhat.com, jplesnik(a)redhat.com,
mmaslano(a)redhat.com, mzazrivec(a)redhat.com,
perl-devel(a)lists.fedoraproject.org, ppisar(a)redhat.com,
psabata(a)redhat.com
+++ This bug was initially created as a clone of Bug #1094442 +++
[...]
--- Additional comment from Jan Pazdziora on 2014-05-26 10:55:43 GMT ---
(In reply to Petr Pisar from comment #9)
Thank you for the report. However there are two mistakes:
(1) The IO::Socket::SSL::new option is "SSL_verifycn_scheme", not
"SSL_verifycn_schema". Thus you could not find it in the documentation.
Ahh, sorry about that
.
(2) The 6.04-3 behavior was flawed. As you can read in the upstream
bug
report, the "SSL_verify_mode" option is about checking hostname. It's not
intended to control certificate validation. The same applies to
"PERL_LWP_SSL_VERIFY_HOSTNAME" environment variable. 6.04-4 has restored the
behavior which presented before 6.04.
So what is the way for making HTTP requests to websites with self-signed
certificates from perl, if the user does not care about the CA chain
validation?
In other way, what is the way for making LWP behave the same way it used to
behave with pre-6 version?
--- Additional comment from Petr Pisar on 2014-05-26 11:20:51 GMT ---
There is no LWP environment variable or command line option to control that
currently.
It's possible to pass ssl_opts => {SSL_verify_mode =>
IO::Socket::SSL::SSL_VERIFY_NONE} to LWP::UserAgent::new if you write your own
LWP application.
This is also discussed in the upstream report.
The reason why the PERL_LWP_SSL_VERIFY_HOSTNAME seemed to work before is the
IO::Socket::SSL < 1.950 defaulted to SSL_VERIFY_NONE. This has not been true
since Fedora 20. Unfortunately Fedora 20 delivered the flawed
LWP::Protocol::https, so it was not visible.
I agree with you that there should be way how to disable the certificate
validation externally.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug
https://bugzilla.redhat.com/token.cgi?t=vNjL2yMVw5&a=cc_unsubscribe