[Bug 1101265] New: perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all]

bugzilla at redhat.com bugzilla at redhat.com
Mon May 26 13:35:08 UTC 2014 

https://bugzilla.redhat.com/show_bug.cgi?id=1101265

            Bug ID: 1101265
           Summary: perl-libwww-perl: incorrect handling of SSL
                    certificate verification [fedora-all]
           Product: Fedora
           Version: 20
         Component: perl-LWP-Protocol-https
          Keywords: FutureFeature
          Severity: high
          Priority: high
          Assignee: ppisar at redhat.com
          Reporter: ppisar at redhat.com
        QA Contact: extras-qa at fedoraproject.org
                CC: jpazdziora at redhat.com, jplesnik at redhat.com,
                    mmaslano at redhat.com, mzazrivec at redhat.com,
                    perl-devel at lists.fedoraproject.org, ppisar at redhat.com,
                    psabata at redhat.com



+++ This bug was initially created as a clone of Bug #1094442 +++
[...]
--- Additional comment from Jan Pazdziora on 2014-05-26 10:55:43 GMT ---

(In reply to Petr Pisar from comment #9)
> Thank you for the report. However there are two mistakes:
> 
> (1) The IO::Socket::SSL::new option is "SSL_verifycn_scheme", not
> "SSL_verifycn_schema". Thus you could not find it in the documentation.

Ahh, sorry about that
.
> (2) The 6.04-3 behavior was flawed. As you can read in the upstream bug
> report, the "SSL_verify_mode" option is about checking hostname. It's not
> intended to control certificate validation. The same applies to
> "PERL_LWP_SSL_VERIFY_HOSTNAME" environment variable. 6.04-4 has restored the
> behavior which presented before 6.04.

So what is the way for making HTTP requests to websites with self-signed
certificates from perl, if the user does not care about the CA chain
validation?

In other way, what is the way for making LWP behave the same way it used to
behave with pre-6 version?

--- Additional comment from Petr Pisar on 2014-05-26 11:20:51 GMT ---

There is no LWP environment variable or command line option to control that
currently.

It's possible to pass ssl_opts => {SSL_verify_mode =>
IO::Socket::SSL::SSL_VERIFY_NONE} to LWP::UserAgent::new if you write your own
LWP application.

This is also discussed in the upstream report.

The reason why the PERL_LWP_SSL_VERIFY_HOSTNAME seemed to work before is the
IO::Socket::SSL < 1.950 defaulted to SSL_VERIFY_NONE. This has not been true
since Fedora 20. Unfortunately Fedora 20 delivered the flawed
LWP::Protocol::https, so it was not visible.

I agree with you that there should be way how to disable the certificate
validation externally.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=vNjL2yMVw5&a=cc_unsubscribe

More information about the perl-devel mailing list