noxxi / p5-io-socket-ssl

IO::Socket::SSL Perl Module

Avoid CTX_load_verify_locations when verify is none #68

Closed atoomic closed 6 years ago

atoomic commented 6 years ago

This is a performance decrease noticed after upgrading IO::Socket::SSL to the latest version.

SSL verify was loaded for client and server even when verify is none (the server has to pay to load SSL verify even when we almost never verify client certificates).

Signed-off-by: Nicolas R atoomic@cpan.org

noxxi commented 6 years ago

Certificate loading even with verify off was explicitly added in version 1.994 about 3 years ago so that OCSP checking (which includes verification of the signature for the OCSP response) can be done even if the default certificate validation is off (i.e. the client will verify the certificate some other way). This should not be a problem in most cases since certificate validation should be on anyway. If this is a problem in your particular use case I recommend creating an SSL context and reusing it instead of implicitly creating a new one every time you create a new SSL connection.
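The workaround suggested in the comment above, written out as an added example (this is not code from the IO::Socket::SSL project or from either participant in this thread): the CA store is loaded once into a shared `IO::Socket::SSL::SSL_Context`, and each connection reuses it through the documented `SSL_reuse_ctx` option, so the `CTX_load_verify_locations` cost is paid a single time rather than per connection while peer verification stays enabled. The CA file path and the `connect_with_shared_ctx` helper are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build the SSL context once. Loading the CA store (the CTX_load_verify_locations
# cost discussed in this thread) happens here, a single time, instead of inside
# every IO::Socket::SSL->new call. Verification is kept on; the CA file path is
# an assumed value for this example.
my $ctx = IO::Socket::SSL::SSL_Context->new(
    SSL_verify_mode => SSL_VERIFY_PEER,
    SSL_ca_file     => '/etc/ssl/certs/ca-certificates.crt',   # assumed path
) or die "cannot create SSL context: $IO::Socket::SSL::SSL_ERROR";

# Hypothetical helper: every connection reuses the prepared context via
# SSL_reuse_ctx instead of implicitly creating (and populating) a new one.
sub connect_with_shared_ctx {
    my ($host) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost      => $host,
        PeerPort      => 443,
        SSL_reuse_ctx => $ctx,
        Timeout       => 10,
    ) or die "connect to $host failed: $! $IO::Socket::SSL::SSL_ERROR";
    return $sock;
}

# Usage: perl shared_ctx.pl host1 host2 ...
for my $host (@ARGV) {
    my $sock = connect_with_shared_ctx($host);
    printf "%s: cipher=%s peer CN=%s\n",
        $host, $sock->get_cipher, $sock->peer_certificate('commonName');
    $sock->close;
}
```

The same effect can be had without threading `$ctx` through every call by registering it as the process-wide default with `IO::Socket::SSL::set_default_context($ctx)`; either way, keep `SSL_verify_mode` at `SSL_VERIFY_PEER` rather than disabling verification to save the loading cost, since the context reuse removes the per-connection overhead on its own.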