Skip Menu |
 

This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 66663
Status: resolved
Priority: 0/
Queue: libwww-perl

People
Owner: Nobody in particular
Requestors: cjm [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 6.00
Fixed in: (no value)

Attachments
0001-Ignores-env-variables-when-ssl_opts-provided-RT-6666.patch
ssl_opts.patch.txt



Subject: Ignores env variables when ssl_opts provided
Download (untitled) / with headers
text/plain 959b
The LWP::UserAgent docs describe various environment variables that provide default values for the keys in ssl_opts. What it doesn't say is that if a ssl_opts hash is passed to the constructor *none* of those environment variables are checked, even if they relate to a key that isn't provided in that hash. For example, if you say: my $ua = LWP::UserAgent->new(); then the $ua will verify hostnames using $ENV{PERL_LWP_SSL_CA_FILE} or $ENV{PERL_LWP_SSL_CA_PATH} (if those are set), or fall back to Mozilla::CA if they aren't. But if you say: my $ua = LWP::UserAgent->new(ssl_opts => {verify_hostname => 1}); then the $ua will use only Mozilla::CA (ignoring $ENV{PERL_LWP_SSL_CA_FILE} and $ENV{PERL_LWP_SSL_CA_PATH}). If this is intended behavior, it's not documented very well. I would expect that the default for SSL_ca_file would be independent of whether verify_hostname was provided. I've attached a patch that implements this behavior.
Subject: ssl_opts.patch.txt
Download ssl_opts.patch.txt
text/plain 878b
--- lib/LWP/UserAgent.pm 2011-03-09 02:20:26.000000000 -0600 +++ lib/LWP/UserAgent.pm 2011-03-16 12:47:28.644360100 -0500 @@ -41,8 +41,8 @@ my $timeout = delete $cnf{timeout}; $timeout = 3*60 unless defined $timeout; my $local_address = delete $cnf{local_address}; - my $ssl_opts = delete $cnf{ssl_opts}; - unless ($ssl_opts) { + my $ssl_opts = delete $cnf{ssl_opts} || {}; + unless (exists $ssl_opts->{verify_hostname}) { # The processing of HTTPS_CA_* below is for compatiblity with Crypt::SSLeay $ssl_opts = {}; if (exists $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}) { @@ -56,6 +56,8 @@ else { $ssl_opts->{verify_hostname} = 1; } + } + unless (exists $ssl_opts->{SSL_ca_file} or exists $ssl_opts->{SSL_ca_path}) { if (my $ca_file = $ENV{PERL_LWP_SSL_CA_FILE} || $ENV{HTTPS_CA_FILE}) { $ssl_opts->{SSL_ca_file} = $ca_file; }
I've applied a slightly modified version of your patch. Thanks.
Subject: 0001-Ignores-env-variables-when-ssl_opts-provided-RT-6666.patch
From a0f8029277944d4172a190c128e3fb710503b130 Mon Sep 17 00:00:00 2001 From: Christopher J. Madsen <cjm@cpan.org> Date: Sat, 26 Mar 2011 11:25:27 +0100 Subject: [PATCH] Ignores env variables when ssl_opts provided [RT#66663] Let SSL_ca_file and SSL_ca_path default from the environment when other ssl_opts are passed --- lib/LWP/UserAgent.pm | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/lib/LWP/UserAgent.pm b/lib/LWP/UserAgent.pm index 8c3fce2..8540714 100644 --- a/lib/LWP/UserAgent.pm +++ b/lib/LWP/UserAgent.pm @@ -46,9 +46,13 @@ sub new else { $ssl_opts->{verify_hostname} = 1; } + } + unless (exists $ssl_opts->{SSL_ca_file}) { if (my $ca_file = $ENV{PERL_LWP_SSL_CA_FILE} || $ENV{HTTPS_CA_FILE}) { $ssl_opts->{SSL_ca_file} = $ca_file; } + } + unless (exists $ssl_opts->{SSL_ca_path}) { if (my $ca_path = $ENV{PERL_LWP_SSL_CA_PATH} || $ENV{HTTPS_CA_DIR}) { $ssl_opts->{SSL_ca_path} = $ca_path; } -- 1.6.6.rc1.31.g1a56b


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.