Skip Menu |
 

This queue is for tickets about the LWP-Protocol-https CPAN distribution.

Report information
The Basics
Id: 81948
Status: resolved
Priority: 0/
Queue: LWP-Protocol-https

People
Owner: Nobody in particular
Requestors: parlay [...] yopmail.com
Cc: ether [...] cpan.org
tsibley [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)

Attachments


Subject: IO::Socket::SSL now issues warning when used with LWP's verify_hostname=>0
Download (untitled) / with headers
text/plain 578b
when setting ssl_opts => {verify_hostname => 0} in LWP, this results in the following warning from new versions of IO::Socket::SSL: ******************************************************************* Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
RT-Send-CC: srezic [...] iconmobile.com
Download (untitled) / with headers
text/plain 721b
Same warning when using the environment variable: $ env PERL_LWP_SSL_VERIFY_HOSTNAME=0 /opt/perl/bin/lwp-request https://example.org ******************************************************************* Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER together with SSL_ca_file|SSL_ca_path for verification. If you really don't want to verify the certificate and keep the connection open to Man-In-The-Middle attacks please set SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application. ******************************************************************* at /opt/perl-5.14.2/lib/site_perl/5.14.2/LWP/Protocol/http.pm line 31.
Download (untitled) / with headers
text/plain 404b
It looks to me like SSL_verify_mode isn't being propagated correctly when verify_hostname is set to 0. I've attached a patch that I think will fix this. As a workaround, you can set both verify_hostname and SSL_verify_mode in ssl_opts to prevent the warning from appearing: my $ua = LWP::UserAgent->new( ssl_opts => { verify_hostname => 0, SSL_verify_mode => 0, } ); I hope this helps.
Subject: LWP-Protocol-https-6.03-warning.patch
diff -r 0b2304015803 lib/LWP/Protocol/https.pm --- a/lib/LWP/Protocol/https.pm Wed Jan 30 14:06:01 2013 -0600 +++ b/lib/LWP/Protocol/https.pm Wed Jan 30 14:09:53 2013 -0600 @@ -19,6 +19,9 @@ $ssl_opts{SSL_verify_mode} ||= 1; $ssl_opts{SSL_verifycn_scheme} = 'www'; } + else { + $ssl_opts{SSL_verify_mode} = 0; + } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { eval {
Ping. Could we please get this patch applied and a new release made to CPAN?
Download (untitled) / with headers
text/plain 107b
I have applied the patch and send a pull request: https://github.com/libwww-perl/lwp-protocol-https/pull/4
Thanks. LWP-Protocol-https-6.04 has now been uploaded to CPAN with your fix.
Download (untitled) / with headers
text/plain 786b
On Mon Apr 29 17:33:02 2013, GAAS wrote: Show quoted text
> Thanks. LWP-Protocol-https-6.04 has now been uploaded to CPAN with your fix.
The fix is wrong. Disable hostname verification should not disable certificate verification, but only set SSL_verifycn_mode to 'none'. The real issue would be the failing propagation of SSL_verify_mode at all, e.g. the warning came if SSL_verify_mode was undef and setting it to 1 would have fixed the problem also. But it is not clear to me how this could fail - but because there is no software version associated with this bug it is hard to reproduce. Anyway, the Debian guys found this problem in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579 and a fix is getting prepared, so this is only a note, that the previous patch introduced another problem.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.