Skip Menu |

This queue is for tickets about the libwww-perl CPAN distribution.

Report information
The Basics
Id: 67947
Status: resolved
Priority: 0/
Queue: libwww-perl

Owner: Nobody in particular
Requestors: cjm [...]

Bug Information
Severity: Important
Broken in: 6.02
Fixed in: 6.03

Subject: verify_hostname defaults to 0 if ssl_opts provided
Download (untitled) / with headers
text/plain 658b
The LWP::UserAgent docs describe how the verify_hostname field of ssl_opts is initialized. What they don't mention is that if you provide a ssl_opts hash to the constructor, then verify_hostname defaults to 0, not 1. In other words, if you say: my $ua = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => 'myCA.crt'}); You have just quietly disabled hostname verification. I found this rather surprising, and it seems like a dangerous feature. If I hadn't run a test with the (intentionally) wrong CA cert, I might not have noticed that hostname checks were disabled. This is related to RT#66663. My suggested patch there would have solved this, also.
This is fixed in 6.03, so you can mark it resolved.

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

Please report any issues with to