Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work

2023-07-11 Thread Slaven Rezic

On 09. 07. 2023 at 20:43, gregor herrmann wrote:

> On Sat, 02 Jan 2021 10:24:52 +0100, Slaven Rezic wrote:
>
> > The problem still exists in debian/testing (libwww-perl 6.50 +
> > liblwp-protocol-https-perl 6.09-1 installed here):
> >
> > perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://quartier-heidestrasse.contempo-webcam.de/"); warn $res->as_string'
> > 500 Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate
> > verify failed)
> > Content-Type: text/plain
> > Client-Date: Sat, 02 Jan 2021 09:23:22 GMT
> > Client-Warning: Internal response
> >
> > Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate
> > verify failed)
> >
> > SSL connect attempt failed error:1416F086:SSL
> > routines:tls_process_server_certificate:certificate verify failed at
> > /usr/share/perl5/LWP/Protocol/http.pm line 50.
>
> I just tried your example and I don't get any errors.
>
> This is in today's unstable with libwww-perl/6.71-2 and
> liblwp-protocol-https-perl 6.10-1.
>
> Could you please try as well?
>
> (Please note that I'm about to upload
> liblwp-protocol-https-perl/6.11-1 to unstable).

Confirmed. The former examples cannot be used anymore to prove the 
problem, as the used websites fixed their certificates in the meantime. 
But you can use something like "https://bla.bla.bing.com" which now 
works if verify_hostname=>0 is set. Tried on debian:stretch and 
debian:bookworm.


Regards, Slaven



Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work

2023-07-09 Thread gregor herrmann
On Sat, 02 Jan 2021 10:24:52 +0100, Slaven Rezic wrote:

> The problem still exists in debian/testing (libwww-perl 6.50 +
> liblwp-protocol-https-perl 6.09-1 installed here):
> 
> perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://quartier-heidestrasse.contempo-webcam.de/"); warn $res->as_string'
> 500 Can't connect to quartier-heidestrasse.contempo-webcam.de:443 
> (certificate verify failed)
> Content-Type: text/plain
> Client-Date: Sat, 02 Jan 2021 09:23:22 GMT
> Client-Warning: Internal response
> 
> Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate 
> verify failed)
> 
> SSL connect attempt failed error:1416F086:SSL 
> routines:tls_process_server_certificate:certificate verify failed at 
> /usr/share/perl5/LWP/Protocol/http.pm line 50.

I just tried your example and I don't get any errors.

This is in today's unstable with libwww-perl/6.71-2 and
liblwp-protocol-https-perl 6.10-1.

Could you please try as well?

(Please note that I'm about to upload
liblwp-protocol-https-perl/6.11-1 to unstable).


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   




Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work

2021-01-02 Thread Slaven Rezic

On Mon, 03 Sep 2018 06:03:51 + Slaven Rezic  wrote:
> Package: liblwp-protocol-https-perl
> Version: 6.06-2
> Severity: normal
>
> Dear Maintainer,
>
> to disable hostname verification in https requests one would set ssl_opts'
> verify_hostname to a false value. However, this does not work:
>
> $ perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string'
> 500 Can't connect to www.dwd.de:443 (certificate verify failed)
> Content-Type: text/plain
> Client-Date: Mon, 03 Sep 2018 05:58:34 GMT
> Client-Warning: Internal response
>
> Can't connect to www.dwd.de:443 (certificate verify failed)
>
> SSL connect attempt failed error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed at
> /usr/share/perl5/LWP/Protocol/http.pm line 47.
>
> With a self-compiled perl and modules installed from CPAN this works as expected
> (in this case there's no artificial 500 response, but a 403 Forbidden response).
>
> I found out that it's possible to work around the issue with
> Debian's perl by setting SSL_verify_mode:
>
> $ perl -MIO::Socket::SSL=SSL_VERIFY_NONE -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(SSL_verify_mode => SSL_VERIFY_NONE, verify_hostname => 0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string'
>
> The issue is still present on Ubuntu 18.04 which has a newer
> version of liblwp-protocol-https-perl. I also don't know if the
> problem lies in LWP, LWP::Protocol::https, IO::Socket::SSL,
> Net::SSLeay, or any other module.
>
> -- System Information:
> Debian Release: 9.5
> APT prefers stable-updates
> APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
> Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C (charmap=ANSI_X3.4-1968)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages liblwp-protocol-https-perl depends on:
> ii ca-certificates 20161130+nmu1+deb9u1
> ii libio-socket-ssl-perl 2.044-1
> ii libnet-http-perl 6.12-1
> ii libwww-perl 6.15-1
> ii perl 5.24.1-3+deb9u4
>
> liblwp-protocol-https-perl recommends no packages.
>
> Versions of packages liblwp-protocol-https-perl suggests:
> pn libcrypt-ssleay-perl 
>
> -- no debconf information
>
>

The problem still exists in debian/testing (libwww-perl 6.50 + 
liblwp-protocol-https-perl 6.09-1 installed here):


perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://quartier-heidestrasse.contempo-webcam.de/"); warn $res->as_string'
500 Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate 
verify failed)
Content-Type: text/plain
Client-Date: Sat, 02 Jan 2021 09:23:22 GMT
Client-Warning: Internal response

Can't connect to quartier-heidestrasse.contempo-webcam.de:443 (certificate 
verify failed)

SSL connect attempt failed error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed at 
/usr/share/perl5/LWP/Protocol/http.pm line 50.



Bug#907853: liblwp-protocol-https-perl: turning off hostname verification does not work

2018-09-03 Thread Slaven Rezic
Package: liblwp-protocol-https-perl
Version: 6.06-2
Severity: normal

Dear Maintainer,

to disable hostname verification in https requests one would set ssl_opts'
verify_hostname to a false value. However, this does not work:

$ perl -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(verify_hostname=>0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string'
500 Can't connect to www.dwd.de:443 (certificate verify failed)
Content-Type: text/plain
Client-Date: Mon, 03 Sep 2018 05:58:34 GMT
Client-Warning: Internal response

Can't connect to www.dwd.de:443 (certificate verify failed)

SSL connect attempt failed error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed at 
/usr/share/perl5/LWP/Protocol/http.pm line 47.

With a self-compiled perl and modules installed from CPAN this works as expected
(in this case there's no artificial 500 response, but a 403 Forbidden response).

I found out that it's possible to work around the issue with
Debian's perl by setting SSL_verify_mode:

$ perl -MIO::Socket::SSL=SSL_VERIFY_NONE -MLWP::UserAgent -e '$ua=LWP::UserAgent->new; $ua->ssl_opts(SSL_verify_mode => SSL_VERIFY_NONE, verify_hostname => 0); $res = $ua->get("https://www.dwd.de"); warn $res->as_string'

The issue is still present on Ubuntu 18.04 which has a newer
version of liblwp-protocol-https-perl. I also don't know if the
problem lies in LWP, LWP::Protocol::https, IO::Socket::SSL,
Net::SSLeay, or any other module.

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=C 
(charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages liblwp-protocol-https-perl depends on:
ii  ca-certificates        20161130+nmu1+deb9u1
ii  libio-socket-ssl-perl  2.044-1
ii  libnet-http-perl       6.12-1
ii  libwww-perl            6.15-1
ii  perl                   5.24.1-3+deb9u4

liblwp-protocol-https-perl recommends no packages.

Versions of packages liblwp-protocol-https-perl suggests:
pn  libcrypt-ssleay-perl  

-- no debconf information
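
The report distinguishes an "artificial 500 response" from a real 403 sent by the server. The following is an added example, not code from the report or from LWP, showing how a script can make that distinction by checking the Client-Warning header on the response. The sample responses are constructed from the output quoted above, and the helper name classify is hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the bug report): tell an LWP-generated TLS failure
# apart from an answer that really came from the server.
use strict;
use warnings;
use HTTP::Response;

# Constructed sample: the response text quoted in the report.
my $captured = <<'EOT';
500 Can't connect to www.dwd.de:443 (certificate verify failed)
Content-Type: text/plain
Client-Date: Mon, 03 Sep 2018 05:58:34 GMT
Client-Warning: Internal response

Can't connect to www.dwd.de:443 (certificate verify failed)

SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 47.
EOT

# Constructed sample: a real server answer carries no Client-Warning header.
my $from_server = HTTP::Response->new(
    403, 'Forbidden', [ 'Content-Type' => 'text/html' ], '',
);

# classify() is a hypothetical helper name used only in this example.
sub classify {
    my ($res) = @_;

    # LWP marks responses it generated itself with this header.
    my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
    return 'server answered: ' . $res->status_line unless $internal;

    # No HTTP exchange took place; look at the client-side error text.
    my $text = join "\n", ($res->message // ''), ($res->content // '');
    return 'no HTTP exchange: TLS certificate verification failed'
        if $text =~ /certificate verify failed/;
    return 'no HTTP exchange: other client-side failure';
}

print classify(HTTP::Response->parse($captured)), "\n";
print classify($from_server), "\n";
```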