[Bug 1101265] New: perl-libwww-perl: incorrect handling of SSL certificate verification [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=1101265

            Bug ID: 1101265
           Summary: perl-libwww-perl: incorrect handling of SSL
                    certificate verification [fedora-all]
           Product: Fedora
           Version: 20
         Component: perl-LWP-Protocol-https
          Keywords: FutureFeature
          Severity: high
          Priority: high
          Assignee: ppisar@xxxxxxxxxx
          Reporter: ppisar@xxxxxxxxxx
        QA Contact: extras-qa@xxxxxxxxxxxxxxxxx
                CC: jpazdziora@xxxxxxxxxx, jplesnik@xxxxxxxxxx,
                    mmaslano@xxxxxxxxxx, mzazrivec@xxxxxxxxxx,
                    perl-devel@xxxxxxxxxxxxxxxxxxxxxxx, ppisar@xxxxxxxxxx,
                    psabata@xxxxxxxxxx



+++ This bug was initially created as a clone of Bug #1094442 +++
[...]
--- Additional comment from Jan Pazdziora on 2014-05-26 10:55:43 GMT ---

(In reply to Petr Pisar from comment #9)
> Thank you for the report. However there are two mistakes:
> 
> (1) The IO::Socket::SSL::new option is "SSL_verifycn_scheme", not
> "SSL_verifycn_schema". Thus you could not find it in the documentation.

Ahh, sorry about that.

> (2) The 6.04-3 behavior was flawed. As you can read in the upstream bug
> report, the "SSL_verify_mode" option is about checking hostname. It's not
> intended to control certificate validation. The same applies to
> "PERL_LWP_SSL_VERIFY_HOSTNAME" environment variable. 6.04-4 has restored the
> behavior which was present before 6.04.

So what is the way for making HTTP requests to websites with self-signed
certificates from perl, if the user does not care about the CA chain
validation?

In other words, what is the way for making LWP behave the same way it used to
behave with the pre-6 version?

--- Additional comment from Petr Pisar on 2014-05-26 11:20:51 GMT ---

There is no LWP environment variable or command line option to control that
currently.

It's possible to pass ssl_opts => {SSL_verify_mode =>
IO::Socket::SSL::SSL_VERIFY_NONE} to LWP::UserAgent::new if you write your own
LWP application.

This is also discussed in the upstream report.

The reason why PERL_LWP_SSL_VERIFY_HOSTNAME seemed to work before is that
IO::Socket::SSL < 1.950 defaulted to SSL_VERIFY_NONE. This has not been true
since Fedora 20. Unfortunately Fedora 20 delivered the flawed
LWP::Protocol::https, so it was not visible.

I agree with you that there should be a way to disable the certificate
validation externally.
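
The ssl_opts setting quoted in the comment above, next to an alternative that keeps validation on for a self-signed server by trusting only that server's certificate. This is an added example, not code from the bug report or from LWP; the URL, the certificate path and the sub names are placeholders chosen for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;

# Placeholders (assumptions, not from the thread): adjust to your environment.
my $url     = 'https://internal.example/';
my $ca_file = '/etc/pki/tls/certs/internal-selfsigned.pem';

# Weak setting, as quoted in the thread: the certificate chain is not
# validated, so any certificate presented on the connection is accepted.
sub unverified_agent {
    return LWP::UserAgent->new(
        ssl_opts => {
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
        },
    );
}

# Stricter setting for the same use case: the self-signed certificate is
# exported once to a PEM file and used as the only trust anchor, so chain
# validation and the hostname check both stay enabled.
sub pinned_agent {
    my ($trusted_pem) = @_;
    return LWP::UserAgent->new(
        ssl_opts => {
            SSL_ca_file     => $trusted_pem,
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER,
            verify_hostname => 1,
        },
    );
}

for my $case ( [ unverified => unverified_agent() ],
               [ pinned     => pinned_agent($ca_file) ] ) {
    my ( $name, $ua ) = @$case;
    $ua->timeout(10);
    my $res = $ua->get($url);

    # LWP::Protocol::https records the peer certificate in response headers.
    my $subject = $res->header('Client-SSL-Cert-Subject') // 'n/a';
    my $issuer  = $res->header('Client-SSL-Cert-Issuer')  // 'n/a';
    printf "%-10s %s\n  subject: %s\n  issuer:  %s\n",
        $name, $res->status_line, $subject, $issuer;
}
```

With the pinned agent, a connection that presents any certificate other than the one in the PEM file fails with a 500 status from LWP instead of succeeding silently.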
