From justincase@yopmail.com on 2011-03-12 03:37:41:
Currently a user will get this if they have Crypt::SSLeay installed, but
not IO::Socket::SSL:
$ perl -MLWP::UserAgent -MMozilla::CA -E
'LWP::UserAgent->new->get("https://encrypted.google.com/")->dump'500
Can't connect to encrypted.google.com:443 (Crypt-SSLeay can't verify
hostnames)
...
Would it be possible for LWP to set the HTTPS_CA_FILE environment
variable for Crypt::SSLeay? Then as long as Mozilla::CA is installed,
either SSL backend module would work without the user having to tweak
settings.
$ perl -MLWP::UserAgent -MMozilla::CA -E
'$ENV{HTTPS_CA_FILE}=Mozilla::CA::SSL_ca_file();
LWP::UserAgent->new->get("https://encrypted.google.com/")->dump'
HTTP/1.1 200 OK
...
From gaas@cpan.org on 2011-03-12 15:23:18:
Net::HTTPS will already set up $ENV{HTTPS_CA_FILE} based on Mozilla::CA's file. The issue is
that Crypt::SSLeay don't implement what corresponds to the SSL_verifycn_scheme option for
IO::Socket::SSL and this option is implied by the 'verify_hostname' option.
If you disable 'verify_hostname' and set SSL_verify_mode => 1 then Net::SSL will verify that the
certificate is legal, but only by setting various Client-* headers in the response.
From justincase@yopmail.com on 2011-03-12 18:16:00:
On Sat Mar 12 10:23:18 2011, GAAS wrote:
> Net::HTTPS will already set up $ENV{HTTPS_CA_FILE} based on
> Mozilla::CA's file. The issue is
> that Crypt::SSLeay don't implement what corresponds to the
> SSL_verifycn_scheme option for
> IO::Socket::SSL and this option is implied by the 'verify_hostname'
> option.
>
> If you disable 'verify_hostname' and set SSL_verify_mode => 1 then
> Net::SSL will verify that the
> certificate is legal, but only by setting various Client-* headers in
> the response.
As many, many modules have libwww-perl as a dependency, I was hoping
this could be handled at the highest common level, instead of having
each dependent module author trying to solve this themselves. Maybe make
a note that this is on the todo wishlist, and some japh might submit a
patch :) Until that happens, how about adding a method to test if the
user needs to disable verify_hostname?
Migrated from rt.cpan.org#66561 (status was 'open')
Requestors:
From justincase@yopmail.com on 2011-03-12 03:37:41:
From gaas@cpan.org on 2011-03-12 15:23:18:
From justincase@yopmail.com on 2011-03-12 18:16:00:
From ether@cpan.org on 2017-01-25 21:41:23: