search

libwww-perl / LWP-Protocol-https

Provide https support for LWP::UserAgent
https://metacpan.org/pod/LWP::Protocol::https
Other
16 stars 35 forks source link

Crypt::SSLeay should work transparently with Mozilla::CA [rt.cpan.org #66561] #42

Closed oalders closed 1 year ago

oalders commented 7 years ago

Migrated from rt.cpan.org#66561 (status was 'open')

Requestors:

From justincase@yopmail.com on 2011-03-12 03:37:41:

Currently a user will get this if they have Crypt::SSLeay installed, but
not IO::Socket::SSL:

$ perl -MLWP::UserAgent -MMozilla::CA -E
'LWP::UserAgent->new->get("https://encrypted.google.com/")->dump'500
Can't connect to encrypted.google.com:443 (Crypt-SSLeay can't verify
hostnames)
...

Would it be possible for LWP to set the HTTPS_CA_FILE environment
variable for Crypt::SSLeay? Then as long as Mozilla::CA is installed,
either SSL backend module would work without the user having to tweak
settings.

$ perl -MLWP::UserAgent -MMozilla::CA -E
'$ENV{HTTPS_CA_FILE}=Mozilla::CA::SSL_ca_file();
LWP::UserAgent->new->get("https://encrypted.google.com/")->dump'
HTTP/1.1 200 OK
...

From gaas@cpan.org on 2011-03-12 15:23:18:

Net::HTTPS will already set up $ENV{HTTPS_CA_FILE} based on Mozilla::CA's file.  The issue is 
that Crypt::SSLeay don't implement what corresponds to the SSL_verifycn_scheme option for 
IO::Socket::SSL and this option is implied by the 'verify_hostname' option.

If you disable 'verify_hostname' and set SSL_verify_mode => 1 then Net::SSL will verify that the 
certificate is legal, but only by setting various Client-* headers in the response.

From justincase@yopmail.com on 2011-03-12 18:16:00:

On Sat Mar 12 10:23:18 2011, GAAS wrote:
> Net::HTTPS will already set up $ENV{HTTPS_CA_FILE} based on
> Mozilla::CA's file.  The issue is
> that Crypt::SSLeay don't implement what corresponds to the
> SSL_verifycn_scheme option for
> IO::Socket::SSL and this option is implied by the 'verify_hostname'
> option.
> 
> If you disable 'verify_hostname' and set SSL_verify_mode => 1 then
> Net::SSL will verify that the
> certificate is legal, but only by setting various Client-* headers in
> the response.

As many, many modules have libwww-perl as a dependency, I was hoping
this could be handled at the highest common level, instead of having
each dependent module author trying to solve this themselves. Maybe make
a note that this is on the todo wishlist, and some japh might submit a
patch :) Until that happens, how about adding a method to test if the
user needs to disable verify_hostname?

From ether@cpan.org on 2017-01-25 21:41:23:

migrated queues: libwww-perl -> LWP-Protocol-https
genio commented 1 year ago

We are now using IO::Socket::SSL directly. This should no longer be an issue. Please re-open if I'm missing something.