[Bug 1094442] perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all]

bugzilla at redhat.com bugzilla at redhat.com
Fri May 23 09:39:38 UTC 2014


https://bugzilla.redhat.com/show_bug.cgi?id=1094442



--- Comment #6 from Jan Pazdziora <jpazdziora at redhat.com> ---
The patch used between -3 and -4 is

-    $ssl_opts{SSL_verify_mode} = 0;
+    if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+        $ssl_opts{SSL_verifycn_scheme} = '';
+    } else {
+        $ssl_opts{SSL_verifycn_scheme} = 'none';
+    }
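
Review bot: the removed line was the only one here that set SSL_verify_mode, and neither branch of the new if/else sets it, so on this code path the socket is now given only SSL_verifycn_scheme and certificate verification itself is left at whatever the socket class defaults to. If that narrowing is intended, state it in a comment above the if and in the package changelog, since callers who relied on the old line to reach hosts with self-signed certificates will need to supply a trusted CA instead. The '' value for Net::SSL versus 'none' in the else branch also deserves a one-line comment explaining why the two differ.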

Not sure what the intention was but with the 6.04-4 and website with
self-signed certificate like,

PERL_LWP_SSL_VERIFY_HOSTNAME=0 HEAD -Se https://www.pcwebshop.co.uk/ ; echo $?

is now broken:

HEAD https://www.pcwebshop.co.uk/
500 Can't connect to www.pcwebshop.co.uk:443
Content-Type: text/plain
Client-Date: Fri, 23 May 2014 09:36:01 GMT
Client-Warning: Internal response

1

This used to work with 6.04-3:

# PERL_LWP_SSL_VERIFY_HOSTNAME=0 HEAD -Se https://www.pcwebshop.co.uk/ ; echo $?
HEAD https://www.pcwebshop.co.uk/
200 OK
Connection: close
Date: Fri, 23 May 2014 09:36:12 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
Client-Date: Fri, 23 May 2014 09:36:12 GMT
Client-Peer: 217.160.239.225:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info at parallels.com
Client-SSL-Cert-Subject: /C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info at parallels.com
Client-SSL-Cipher: DHE-RSA-AES256-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
Client-SSL-Warning: Peer certificate not verified
Set-Cookie: wptouch-pro-cache-state=desktop; expires=Fri, 23-May-2014 10:36:12 GMT; path=/
X-Pingback: https://www.pcwebshop.co.uk/xmlrpc.php
X-Powered-By: PleskLin

0

It's because it gets translated to call

# perl -le 'use LWP::Protocol::https; my $sock =
LWP::Protocol::https::Socket->new(Timeout => 180, PeerAddr =>
"www.pcwebshop.co.uk", SSL_verify_mode => 0, PeerPort => "443"); print $sock;
print $IO::Socket::SSL::SSL_ERROR;'
LWP::Protocol::https::Socket=GLOB(0x10b1a98)
SSL wants a read first
#

in 6.04-3 (note the SSL_verify_mode => 0) but to

# perl -le 'use LWP::Protocol::https; my $sock =
LWP::Protocol::https::Socket->new(Timeout => 180, PeerAddr =>
"www.pcwebshop.co.uk", SSL_verifycn_schema => "none", PeerPort => "443"); print
$sock; print $IO::Socket::SSL::SSL_ERROR;'

IO::Socket::IP configuration failed SSL connect attempt failed with unknown
error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
verify failed

in 6.04-4 -- note there is no SSL_verify_mode => 0 there in the parameters,
just SSL_verifycn_schema => "none".
