Subject: LWP::Protocol::https - SNI support not used for proxy connect
Date: Fri, 19 Feb 2016 10:51:38 +1000
To: bug-LWP-Protocol-https [...] rt.cpan.org
From: Andy Henderson <andytech77 [...] gmail.com>
Hi,
I encountered an error trying to use LWP::Protocol::https to connect to a
remote SSL website via a proxy – it was returning a hostname verification
error:
SSL upgrade failed: hostname verification failed at
C:/Perl64/lib/LWP/Protocol/http.pm line 203.
The same request worked fine when going directly (not via a proxy), with no
certificate issues. On closer inspection, it turns out the host I was
connecting to was using SNI to host multiple SSL websites, and the
‘default’ site (when no SNI information is present in the ClientHello
message sent by the client in the SSL handshake) on that host was not the
one I was trying to get to.
The underlying IO::Socket::SSL does have SNI support, however this is not
being triggered when using LWP::Protocol::https via a proxy CONNECT tunnel,
as the requested hostname isn’t being passed in.
This appears to be straightforward to fix, by adding an ‘SSL_hostname’
option to the hash passed to IO::Socket::SSL::start_SSL():
--- C:\Perl64\lib\LWP\Protocol\https.pm.orig 2014-04-18
08:33:26.000000000 +1000
+++ C:\Perl64\lib\LWP\Protocol\https.pm 2016-02-19 10:41:30.000000000
+1000
@@ -150,12 +150,13 @@
# IO::Socket::SSL, but code will only be called in this case
if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
*_upgrade_sock = sub {
my ($self,$sock,$url) = @_;
$sock = LWP::Protocol::https::Socket->start_SSL( $sock,
SSL_verifycn_name => $url->host,
+ SSL_hostname => $url->host,
$self->_extra_sock_opts,
);
$@ = LWP::Protocol::https::Socket->errstr if ! $sock;
return $sock;
}
}
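Review bot: the added SSL_hostname => $url->host sits before $self->_extra_sock_opts in the argument list, so a caller's own ssl_opts still override it, which matches the precedence SSL_verifycn_name already has on the line above; that ordering is correct, but one case worth checking before merging is a target given as an IP literal, since RFC 6066 does not allow IP addresses in the server_name extension and $url->host would be passed through unchanged here unless the installed IO::Socket::SSL suppresses SNI for IP literals itself. A Changes entry stating that the proxy CONNECT tunnel now sends SNI would also help, because the direct (non-proxy) path already did and users of the proxy path will see different server certificates after this change.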
Module version: LWP-Protocol-https-6.06
This is perl 5, version 22, subversion 1 (v5.22.1) built for
MSWin32-x64-multi-thread
Binary build 2201 [299574] provided by ActiveState
http://www.ActiveState.com
Built Jan 4 2016 12:12:58
Regards,
Andy
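To confirm the symptom described in the report on the wire (rather than inferring it from the hostname verification error), a practitioner can capture the bytes LWP sends through the CONNECT tunnel and check whether the ClientHello carries a server_name extension at all. The following is an added example, not code from the report or from the LWP::Protocol::https or IO::Socket::SSL projects: a small Python parser that pulls the SNI host name out of a TLS ClientHello record, together with a constructed minimal ClientHello (zeroed random, one cipher suite) used only to exercise the parser. The host name "secure.example.test" is a made-up value.

```python
"""Check whether a captured TLS ClientHello record carries an SNI host name."""
import struct


def build_client_hello(sni=None):
    # Constructed minimal TLS 1.2 ClientHello for demonstration; not real traffic.
    body = b"\x03\x03" + bytes(32)          # client_version + random (all zero, constructed)
    body += b"\x00"                          # session_id length 0
    body += b"\x00\x02\x13\x01"              # cipher_suites: length 2, TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # compression_methods: length 1, null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension_type server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the
    ClientHello sends no SNI (the situation the bug report describes)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    i = 2 + 32                                   # skip client_version and random
    sid_len = p[i]
    i += 1 + sid_len                             # skip session_id
    cs_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2 + cs_len                              # skip cipher_suites
    cm_len = p[i]
    i += 1 + cm_len                              # skip compression_methods
    if i + 2 > len(p):
        return None                              # no extensions block at all
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = p[i:i + elen]
        i += elen
        if etype == 0x0000:                      # server_name extension
            j = 2                                # skip server_name_list length
            while j + 3 <= len(edata):
                ntype = edata[j]
                nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                j += 3
                if ntype == 0:                   # host_name
                    return edata[j:j + nlen].decode("ascii")
                j += nlen
    return None


if __name__ == "__main__":
    with_sni = build_client_hello("secure.example.test")
    without_sni = build_client_hello(None)
    print("with SNI   :", extract_sni(with_sni))      # secure.example.test
    print("without SNI:", extract_sni(without_sni))   # None
```

In practice the record bytes would come from a capture taken between the client and the proxy after the CONNECT response; a result of None there, while the direct connection shows the expected host name, is the tunnel-side evidence that SSL_hostname is not being passed to start_SSL.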