csirtgadgets / LWPx-ParanoidAgent

LWPx-ParanoidAgent
http://search.cpan.org/dist/LWPx-ParanoidAgent

Net::SSL has broken https :( #9

Closed markwellis closed 10 years ago

markwellis commented 10 years ago

Test case:

    use strict;
    use warnings;
    use LWPx::ParanoidAgent;

    my $url = "https://www.google.co.uk/images/srpr/logo11w.png";

    my $ua = LWPx::ParanoidAgent->new;
    my $res = $ua->head( $url );

    use Data::Dumper;
    warn Dumper $res;

With LWPx-ParanoidAgent-1.09 I get:

$VAR1 = bless( {
                 '_protocol' => 'HTTP/1.1',
                 '_content' => '',
                 '_rc' => '200',
                 '_headers' => bless( {
                                        'content-length' => '14022',
                                        'client-ssl-warning' => 'Peer certificate not verified',
                                        'expires' => 'Wed, 30 Apr 2014 21:49:23 GMT',
                                        'server' => 'sffe',
                                        'client-peer' => '173.194.34.191:443',
                                        'client-response-num' => 1,
                                        'x-content-type-options' => 'nosniff',
                                        '::std_case' => {
                                                          'client-ssl-warning' => 'Client-SSL-Warning',
                                                          'alternate-protocol' => 'Alternate-Protocol',
                                                          'x-xss-protection' => 'X-XSS-Protection',
                                                          'client-peer' => 'Client-Peer',
                                                          'client-response-num' => 'Client-Response-Num',
                                                          'x-content-type-options' => 'X-Content-Type-Options',
                                                          'client-ssl-cert-issuer' => 'Client-SSL-Cert-Issuer',
                                                          'x-died' => 'X-Died',
                                                          'client-ssl-cert-subject' => 'Client-SSL-Cert-Subject',
                                                          'client-ssl-cipher' => 'Client-SSL-Cipher',
                                                          'client-date' => 'Client-Date'
                                                        },
                                        'connection' => 'close',
                                        'client-date' => 'Wed, 30 Apr 2014 21:48:28 GMT',
                                        'client-ssl-cert-subject' => '/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com',
                                        'last-modified' => 'Wed, 09 Oct 2013 01:35:39 GMT',
                                        'alternate-protocol' => '443:quic',
                                        'content-type' => 'image/png',
                                        'x-xss-protection' => '1; mode=block',
                                        'client-ssl-cert-issuer' => '/C=US/O=Google Inc/CN=Google Internet Authority G2',
                                        'client-ssl-cipher' => 'ECDHE-RSA-AES128-SHA',
                                        'date' => 'Wed, 30 Apr 2014 21:49:23 GMT',
                                        'cache-control' => 'private, max-age=31536000'
                                      }, 'HTTP::Headers' ),
                 '_request' => bless( {
                                        '_uri' => bless( do{\(my $o = 'https://www.google.co.uk/images/srpr/logo11w.png')}, 'URI::https' ),
                                        '_uri_canonical' => $VAR1->{'_request'}{'_uri'},
                                        '_method' => 'HEAD',
                                        '_time_begin' => 1398894507,
                                        '_content' => '',
                                        '_headers' => bless( {
                                                               'user-agent' => 'libwww-perl/6.06'
                                                             }, 'HTTP::Headers' )
                                      }, 'HTTP::Request' ),
                 '_msg' => 'OK'
               }, 'HTTP::Response' );

And with LWPx-ParanoidAgent-1.10 I get:

$VAR1 = bless( {
                 '_content' => '500 Can\'t connect to www.google.co.uk:443 (Net::SSL from Crypt-SSLeay can\'t verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0)
',
                 '_msg' => 'Can\'t connect to www.google.co.uk:443 (Net::SSL from Crypt-SSLeay can\'t verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0)',
                 '_request' => bless( {
                                        '_uri' => bless( do{\(my $o = 'https://www.google.co.uk/images/srpr/logo11w.png')}, 'URI::https' ),
                                        '_content' => '',
                                        '_time_begin' => 1398894335,
                                        '_headers' => bless( {
                                                               'user-agent' => 'libwww-perl/6.06'
                                                             }, 'HTTP::Headers' ),
                                        '_method' => 'HEAD'
                                      }, 'HTTP::Request' ),
                 '_rc' => 500,
                 '_headers' => bless( {
                                        'client-date' => 'Wed, 30 Apr 2014 21:45:36 GMT',
                                        '::std_case' => {
                                                          'client-warning' => 'Client-Warning',
                                                          'client-date' => 'Client-Date'
                                                        },
                                        'content-type' => 'text/plain',
                                        'client-warning' => 'Internal response'
                                      }, 'HTTP::Headers' )
               }, 'HTTP::Response' );

This can be worked around with a 'local $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0', as the error suggests, but it feels a little hacky.

kgoess-bepress commented 10 years ago

This is caused by the fix for issue 4, see my last comment there. Crypt::SSLeay doesn't support hostname verification, and that's what you get if you use Net::SSL as the socket class.

You can also work around this by passing the correct arg to new():

    LWPx::ParanoidAgent->new(
        ssl_opts => {
            verify_hostname => 0,
        },
    )

markwellis commented 10 years ago

cool, that's a better plan. cheers

wesyoung commented 10 years ago

if someone can pass a pull-req, it helps expedite this sorta thing ;)
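
A check for the two outcomes shown in this thread, added here as an example (not code from the issue or from LWPx::ParanoidAgent): it flags a response delivered with the `Client-SSL-Warning` header seen in the 1.09 dump and recognises the 1.10 refusal by its `Client-Warning: Internal response` header and error text. The function name `tls_verification_status` and the sample responses are constructed for illustration, with the 1.10 message shortened.

```perl
use strict;
use warnings;
use HTTP::Response;

# Classify a response by what it reports about certificate checking.
# Header names and error text are the ones visible in the two dumps above.
sub tls_verification_status {
    my ($res) = @_;

    # LWP tags responses it generated itself (no server reply) this way.
    my $internal = ( $res->header('Client-Warning') // '' ) eq 'Internal response';
    if ( $internal && $res->message =~ /can't verify hostnames/ ) {
        return 'refused: SSL backend cannot verify hostnames';
    }

    # The request went through, but the peer certificate was not checked.
    if ( defined( my $warn = $res->header('Client-SSL-Warning') ) ) {
        return "unverified: $warn";
    }

    return $res->is_success
        ? 'ok: no verification warning'
        : 'failed: ' . $res->status_line;
}

# Constructed sample responses, reduced from the 1.09 and 1.10 dumps.
my $res_109 = HTTP::Response->new( 200, 'OK', [
    'Client-SSL-Warning'      => 'Peer certificate not verified',
    'Client-SSL-Cert-Subject' =>
        '/C=US/ST=California/L=Mountain View/O=Google Inc/CN=google.com',
] );
my $res_110 = HTTP::Response->new(
    500,
    "Can't connect to www.google.co.uk:443 "
        . "(Net::SSL from Crypt-SSLeay can't verify hostnames)",
    [ 'Client-Warning' => 'Internal response' ],
);

print "1.09 sample: ", tls_verification_status($res_109), "\n";
print "1.10 sample: ", tls_verification_status($res_110), "\n";

# The error text names IO::Socket::SSL as the alternative to turning
# verification off, so report whether it can be loaded on this host.
my $have = eval { require IO::Socket::SSL; 1 } ? 'yes' : 'no';
print "IO::Socket::SSL loadable: $have\n";
```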