libwww-perl / LWP-Protocol-https

Provide https support for LWP::UserAgent
https://metacpan.org/pod/LWP::Protocol::https

Old Bug, Revisited: Peer certificate not verified [rt.cpan.org #61340] #41

Status: Closed (oalders closed this 1 year ago)

oalders commented 7 years ago

Migrated from rt.cpan.org#61340 (status was 'open')

Requestors:

Attachments:

From skneizys@figsolutions.com on 2010-09-14 23:50:38:

I am using LWP with https protocol.  The message "Peer certificate not
verified" appears for me even with the patch from 2003 below.  However, with
a little tweak, the intent of the original bug fix can be extended to cover
Net::SSLeay ... works for me anyway.  With Net::SSLeay configured to do peer
verification and a successful verification the message is turned off
analogous to Crypt::SSLeay.

The original code in LWP/Protocol/https.pm is:
if(! eval { $sock->get_peer_verify }) {
  $res->header("Client-SSL-Warning" => "Peer certificate not verified");
}
Revised code:
if ((! eval { $sock->get_peer_verify })
    && (! eval { Net::SSLeay::get_verify_mode($sock) })) {
  $res->header("Client-SSL-Warning" => "Peer certificate not verified");
}

Original fix:
Re: PATCH: Peer certificate not verified for https Crypt::SSLeay
Gisle Aas
Wed, 15 Oct 2003 03:37:04 -0700

Another year old patch eventually applied.
Regards,
Gisle

Joshua Chamas <[EMAIL PROTECTED]> writes:
> Hey,
>
> Here is a patch against libwww-perl-5.64 that turns off the
> "Client-SSL-Warning" => "Peer certificate not verified"
> when Crypt::SSLeay has been configured to do peer certificate
> verification.  By wrapping the call in an eval {}, this patch
> should also be compatible with other SSL implementations that
> do not support this sock->get_peer_verify API.
>
> [EMAIL PROTECTED] libwww-perl-5.64]# diff -u lib/LWP/Protocol/https.pm.old

> lib/LWP/Protocol/https.pm
> --- lib/LWP/Protocol/https.pm.old     Fri Nov 16 18:10:28 2001
> +++ lib/LWP/Protocol/https.pm Mon Mar 18 12:38:37 2002
> @@ -34,7 +34,9 @@
>       $res->header("Client-SSL-Cert-Subject" => $cert->subject_name);
>       $res->header("Client-SSL-Cert-Issuer" => $cert->issuer_name);
>      }
> -    $res->header("Client-SSL-Warning" => "Peer certificate not
verified");
> +    if(! eval { $sock->get_peer_verify }) {
> +     $res->header("Client-SSL-Warning" => "Peer certificate not
verified");
> +    }
>  }
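Review bot: the `eval {}` around `$sock->get_peer_verify` makes "method not supported" and "peer not verified" indistinguishable, since a die inside the eval and a false return both leave `! eval { ... }` true; a backend that does not implement `get_peer_verify` will therefore always emit "Peer certificate not verified", even when it did verify the peer, which is exactly what the follow-up in this ticket reports for IO::Socket::SSL. Consider capturing the two outcomes separately, e.g. `my $verified = eval { $sock->get_peer_verify }; my $unsupported = $@;`, and wording the warning differently (or deriving the verdict from the backend's own verify-mode setting) when the backend cannot report verification status, so that the header carries a true signal about whether verification happened.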
>
> Thanks,
>
> Josh

One thing I noticed is that there is a LWP/Protocol/https10.pm that is also
installed on my system and it does not have this conditional in it, but
perhaps it should.

Thanks,

Steve...

-- 
Steve Kneizys
Senior Business Process Engineer
Ferrilli Information Group
Voice: (610) 256-1396
web: http://www.figsolutions.com/

For Emergency Service (888)864-3282

From skneizys@figsolutions.com on 2010-09-15 14:55:48:

I spoke too soon ... it turns out my additional code does not work!  But the
problem does seem to exist: when I pre-load IO::Socket::SSL (and I verify
it is being used), then call IO::Socket::SSL to set the ctx_defaults to
verify the peer, LWP::UserAgent ends up giving me the message "Peer
certificate not verified" even when it has been.  I'll just ignore the
warning in my code :-)

Thanks,

Steve...

From silasmonk@cpan.org on 2010-10-02 13:17:36:

This Debian bug report seems relevant.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503440

From dkg@fifthhorseman.net on 2010-12-20 20:39:44:

http://bugs.debian.org/503440 is marked as forwarded upstream to

   https://rt.cpan.org/Public/Bug/Display.html?id=61340

But i don't think these are the same issue at all.

the CPAN bug has nothing to do with using a proxy.

the debian bug is about LWP failing to make proper use of the HTTP
proxy, as noted here:

http://www.annocpan.org/~GAAS/libwww-perl-5.834/lib/LWP/UserAgent.pm#note_751

I think the appropriate CPAN bug to reference is actually:

  https://rt.cpan.org/Public/Bug/Display.html?id=1894

    --dkg

From ether@cpan.org on 2017-01-25 21:41:12:

migrated queues: libwww-perl -> LWP-Protocol-https
genio commented 1 year ago

This should no longer be an issue as we're using IO::Socket::SSL directly and it handles verification.
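As an added illustration of the closing comment (this is example code written for this page, not code from the LWP-Protocol-https project), the script below builds two LWP::UserAgent instances: one with peer verification switched off and one that asks IO::Socket::SSL to verify the chain and the hostname. It then classifies each response by the headers the https protocol handler attaches to it, including the Client-SSL-Warning header this ticket is about. It assumes the ssl_opts keys verify_hostname and SSL_ca_file (documented by LWP::UserAgent and IO::Socket::SSL), the Client-SSL-* headers named in the patch above, and LWP's Client-Warning: Internal response marker for transport failures; the URL and CA-bundle path are placeholders taken from the environment.

```perl
#!/usr/bin/env perl
# Added example for this ticket; not part of LWP-Protocol-https.
# Compares a lax and a strict LWP::UserAgent TLS configuration and
# reports whether the peer certificate was actually verified.
use strict;
use warnings;
use LWP::UserAgent;

# Placeholders: point these at a host you operate and your CA bundle.
my $url     = $ENV{TARGET_URL}  // 'https://example.invalid/';
my $ca_file = $ENV{SSL_CA_FILE} // '/etc/ssl/certs/ca-certificates.crt';

# Weak setting: verification disabled. LWP::Protocol::https marks such
# responses with "Client-SSL-Warning: Peer certificate not verified".
my $lax = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => { verify_hostname => 0 },
);

# Hardened setting: IO::Socket::SSL verifies the chain against the CA
# bundle and checks that the certificate matches the requested hostname.
my $strict = LWP::UserAgent->new(
    timeout  => 10,
    ssl_opts => {
        verify_hostname => 1,
        SSL_ca_file     => $ca_file,
    },
);

# Classify one HTTP::Response by the TLS-related headers LWP adds.
# Returns "FAIL: ..." when verification did not happen or the
# connection was refused by the TLS layer, "OK: ..." otherwise.
sub tls_verdict {
    my ($res) = @_;

    # Header present => the handler could not vouch for the peer.
    my @warnings = $res->header('Client-SSL-Warning');
    return 'FAIL: ' . join('; ', @warnings) if @warnings;

    # LWP synthesises a 5xx "internal response" when the connection
    # itself fails, e.g. "certificate verify failed" from OpenSSL.
    my $cw = $res->header('Client-Warning') // '';
    return 'FAIL: transport: ' . $res->status_line
        if $cw eq 'Internal response';

    return sprintf 'OK: %s; subject=%s; cipher=%s',
        $res->status_line,
        $res->header('Client-SSL-Cert-Subject') // '?',
        $res->header('Client-SSL-Cipher')       // '?';
}

for my $case ([lax => $lax], [strict => $strict]) {
    my ($name, $ua) = @$case;
    my $res = $ua->get($url);
    printf "%-6s %s\n", $name, tls_verdict($res);
}
```

With a current LWP::Protocol::https the lax client reports FAIL with the "Peer certificate not verified" warning regardless of how the server behaves, while the strict client either reports OK with the verified subject and negotiated cipher, or FAIL with a transport error whose status line names the verification problem (untrusted issuer, hostname mismatch, expired certificate). Treating the presence of Client-SSL-Warning as a policy failure in the calling code, rather than ignoring it as the original reporter chose to, keeps a misconfigured client from silently talking to an unverified peer.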