pkg-perl-maintainers team mailing list archive

[Erik Squires <erik.squires@xxxxxxxxx>]

The problem is fixed by LWP::Protocol::https version 6.06.  You can
either get it from there, or at least patch the bad method.  To make it
easier, here is the fix, below.  The issue seems to be the first else:

sub _extra_sock_opts
{
    my $self = shift;
    my %ssl_opts = %{$self->{ua}{ssl_opts} || {}};
    if (delete $ssl_opts{verify_hostname}) {
	$ssl_opts{SSL_verify_mode} ||= 1;
	$ssl_opts{SSL_verifycn_scheme} = 'www';
    }
    else {
	$ssl_opts{SSL_verify_mode} = 0;
    }
    if ($ssl_opts{SSL_verify_mode}) {
	unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
	    eval {
		require Mozilla::CA;
	    };
	    if ($@) {
		if ($@ =! /^Can't locate Mozilla\/CA\.pm/) {
		    $@ = <<'EOT';
Can't verify SSL peers without knowing which Certificate Authorities to trust

This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
environment variable or by installing the Mozilla::CA module.

To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
environment variable to 0.  If you do this you can't be sure that you
communicate with the expected peer.
EOT
		}
		die $@;
	    }
	    $ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
	}
    }
    $self->{ssl_opts} = \%ssl_opts;
    return (%ssl_opts, $self->SUPER::_extra_sock_opts);
}

-- 
You received this bug notification because you are a member of Debian
Perl Group, which is subscribed to libwww-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1408331

Title:
  libwww perl in ubuntu always enforces HTTPS server certificate

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/1408331/+subscriptions