pkg-perl-maintainers team mailing list archive

[Bug 1408331] Re: libwww perl in ubuntu always enforces HTTPS server certificate

 

The option verify_hostname is, like the name suggests, only responsible
for verifying the host name against the certificate. It does not control
the verification of the certificate chain or any other certificate
validations, even if it can be used like this in some versions of
LWP::Protocol::https. But this is actually a bug, see
https://github.com/libwww-perl/lwp-protocol-https/pull/14 (very long discussion).

The only documentation of the option verify_hostname in LWP::UserAgent
says:

           "verify_hostname" => $bool
            When TRUE LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate
            matching the expected hostname. 

Which confirms that this option cares about verifying the host name
only.

To disable any kind of certificate validation you have to use ssl_opts
to set SSL_verify_mode to 0 (i.e. SSL_VERIFY_NONE).

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libwww-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1408331

Title:
  libwww perl in ubuntu always enforces HTTPS server certificate
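
The distinction drawn in the message above, as an added example that is not part of the original message or of LWP itself: a Perl check that reads verify_hostname and SSL_verify_mode from a user agent separately and reports what each one asks for. The helper name `audit_tls_opts` is hypothetical and the sample configurations are constructed; no connection is made.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;    # defines SSL_VERIFY_NONE and SSL_VERIFY_PEER

# audit_tls_opts() is a hypothetical helper for this example, not an LWP API.
# It treats the two settings as independent, as the message describes:
# verify_hostname is about name matching, SSL_verify_mode about the chain.
sub audit_tls_opts {
    my ($ua) = @_;
    my $hostname = $ua->ssl_opts('verify_hostname') ? 'on' : 'off';
    my $mode     = $ua->ssl_opts('SSL_verify_mode');

    my $chain;
    if (!defined $mode) {
        # Not set explicitly: per the message, some LWP::Protocol::https
        # versions let verify_hostname decide this, so do not assume.
        $chain = 'version-dependent';
    }
    elsif ($mode & IO::Socket::SSL::SSL_VERIFY_PEER()) {
        $chain = 'on';
    }
    else {
        $chain = 'off';    # 0, i.e. SSL_VERIFY_NONE
    }
    return { hostname => $hostname, chain => $chain };
}

# Constructed sample configurations (label, ssl_opts).
my @cases = (
    [ 'both checks requested',
      { verify_hostname => 1,
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER() } ],
    [ 'verify_hostname => 0 only',
      { verify_hostname => 0 } ],
    [ 'all validation disabled',
      { verify_hostname => 0,
        SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE() } ],
);

for my $case (@cases) {
    my ($label, $opts) = @$case;
    my $r = audit_tls_opts(LWP::UserAgent->new(ssl_opts => $opts));
    printf "%-28s hostname=%-3s chain=%s\n",
        $label, $r->{hostname}, $r->{chain};
}
```

A configuration reported as version-dependent is the one to pin down by setting SSL_verify_mode explicitly, so the result does not change with the installed LWP::Protocol::https.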
