[Just a random LWP/IO::Socket::SSL user here, not a maintainer of any of the affected packages.]

* Klaus Ethgen <[email protected]>, 2014-05-20, 11:40:
> The newest version of libwww-perl does not connect to https servers with self-signed certificates anymore; not even with environment PERL_LWP_SSL_VERIFY_HOSTNAME set to 0.

It might be fallout after fixing #746579. See also upstream discussion:
https://github.com/libwww-perl/lwp-protocol-https/pull/14
(Yet, it's a complete mess.)

In another mail you wrote:

> Let me also add that setting the ssl_options never worked for me and only setting the related environment variable(s) works. So at the moment even "$ua->ssl_opts(SSL_verifycn_scheme => 'none');" does not let it work.

SSL_verifycn_scheme affects only checking if CN/subjectAltName match hostname, not validity of the certificate itself. And if you're using LWP then it doesn't affect anything, because LWP resets it for you. :|

This should completely disable certificate verification:

$ua->ssl_opts(
        SSL_verify_mode => 0,
        verify_hostname => 0,
);

> To be clear, I want to _have_ the hostname verified but _not have_ the certificate itself checked.

Hmm, that's an odd choice. Surely if you don't verify the peer certificate, then anybody capable of MiTM can just forge a certificate with any CN/subjectAltName they want.

--
Jakub Wilk
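
An added example, not part of the original message and not code from LWP or IO::Socket::SSL: the setting from the message that disables verification entirely, next to one way to accept a single self-signed certificate while keeping the certificate check and the hostname check on. It assumes the server certificate has been saved as a PEM file (the URL and path on the command line are placeholders), that OpenSSL accepts that self-signed certificate as its own trust anchor, and that the installed LWP::Protocol::https passes these options to IO::Socket::SSL unchanged.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;    # exports SSL_VERIFY_NONE and SSL_VERIFY_PEER

# Weak setting from the message above: no chain check, no name check.
sub ua_no_verification {
    my $ua = LWP::UserAgent->new(timeout => 10);
    $ua->ssl_opts(
        SSL_verify_mode => SSL_VERIFY_NONE,    # numeric 0
        verify_hostname => 0,
    );
    return $ua;
}

# Corrected setting (assumption of this example): the saved self-signed
# certificate is the trust anchor, so both checks stay enabled.
sub ua_pinned_self_signed {
    my ($pem_path) = @_;
    die "cannot read certificate file: $pem_path\n" unless -r $pem_path;
    my $ua = LWP::UserAgent->new(timeout => 10);
    $ua->ssl_opts(
        SSL_ca_file     => $pem_path,    # used instead of the default CA store
        SSL_verify_mode => SSL_VERIFY_PEER,
        verify_hostname => 1,
    );
    return $ua;
}

# Usage: perl pinned_ua.pl https://host.example/ /path/to/server-cert.pem
# (both arguments are placeholders supplied by the caller)
my ($url, $pem_path) = @ARGV;
if (defined $url && defined $pem_path) {
    my $res = ua_pinned_self_signed($pem_path)->get($url);
    # A different certificate or a name mismatch shows up here as a
    # failed request instead of a silent success.
    printf "%s: %s\n", ($res->is_success ? "OK" : "FAILED"), $res->status_line;
}
else {
    # No arguments: only show what the weak configuration asks LWP to do.
    my $weak = ua_no_verification();
    printf "weak UA: verify_hostname=%d SSL_verify_mode=%d\n",
        $weak->ssl_opts('verify_hostname'), $weak->ssl_opts('SSL_verify_mode');
}
```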

