Subject: Ignores env variables when ssl_opts provided
The LWP::UserAgent docs describe various environment variables that
provide default values for the keys in ssl_opts. What it doesn't say is
that if an ssl_opts hash is passed to the constructor, *none* of those
environment variables are checked, even if they relate to a key that
isn't provided in that hash.
For example, if you say:
    my $ua = LWP::UserAgent->new();
then the $ua will verify hostnames using $ENV{PERL_LWP_SSL_CA_FILE} or
$ENV{PERL_LWP_SSL_CA_PATH} (if those are set), or fall back to
Mozilla::CA if they aren't.
But if you say:
    my $ua = LWP::UserAgent->new(ssl_opts => {verify_hostname => 1});
then the $ua will use only Mozilla::CA (ignoring
$ENV{PERL_LWP_SSL_CA_FILE} and $ENV{PERL_LWP_SSL_CA_PATH}).
If this is intended behavior, it's not documented very well. I would
expect that the default for SSL_ca_file would be independent of whether
verify_hostname was provided.
I've attached a patch that implements this behavior.
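
A caller-side workaround for the behaviour reported above, as an added example that is not part of the original report or of LWP: the helper name ssl_opts_with_env_defaults is hypothetical, and the CA path is a constructed placeholder. It fills in each missing key from the environment variables named in the report before the hash reaches the constructor.

```perl
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical helper (not part of LWP): fill in each TLS option the caller
# left out from the environment variables named in the report, key by key.
sub ssl_opts_with_env_defaults {
    my (%opts) = @_;    # works on a copy; the caller's data is untouched

    unless (exists $opts{verify_hostname}) {
        $opts{verify_hostname} =
            exists $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}
            ? $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}
            : 1;        # verify by default
    }

    # Only look for a trust store when verifying and none was supplied.
    if (   $opts{verify_hostname}
        && !defined $opts{SSL_ca_file}
        && !defined $opts{SSL_ca_path})
    {
        if (my $file = $ENV{PERL_LWP_SSL_CA_FILE} || $ENV{HTTPS_CA_FILE}) {
            $opts{SSL_ca_file} = $file;
        }
        if (my $path = $ENV{PERL_LWP_SSL_CA_PATH}) {
            $opts{SSL_ca_path} = $path;
        }
        # If neither variable is set, both keys stay absent and LWP falls
        # back to Mozilla::CA, as the report describes.
    }
    return \%opts;
}

# Constructed demo environment; the path is a placeholder, not a real bundle.
$ENV{PERL_LWP_SSL_CA_FILE} = '/etc/ssl/example-internal-ca.pem';
delete $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME};

# The caller sets only verify_hostname; the CA file still comes from the
# environment because the helper merged it in explicitly.
my $ua = LWP::UserAgent->new(
    ssl_opts => ssl_opts_with_env_defaults(verify_hostname => 1),
);

printf "%s = %s\n", $_, $ua->ssl_opts($_) // '(unset)'
    for qw(verify_hostname SSL_ca_file SSL_ca_path);
```
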
Subject: ssl_opts.patch.txt
--- lib/LWP/UserAgent.pm 2011-03-09 02:20:26.000000000 -0600
+++ lib/LWP/UserAgent.pm 2011-03-16 12:47:28.644360100 -0500
@@ -41,8 +41,8 @@
my $timeout = delete $cnf{timeout};
$timeout = 3*60 unless defined $timeout;
my $local_address = delete $cnf{local_address};
- my $ssl_opts = delete $cnf{ssl_opts};
- unless ($ssl_opts) {
+ my $ssl_opts = delete $cnf{ssl_opts} || {};
+ unless (exists $ssl_opts->{verify_hostname}) {
# The processing of HTTPS_CA_* below is for compatiblity with Crypt::SSLeay
$ssl_opts = {};
if (exists $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}) {
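Review bot: The unchanged context line `$ssl_opts = {};` still sits inside the new `unless (exists $ssl_opts->{verify_hostname})` block, so a caller who passes ssl_opts without verify_hostname (for example only SSL_ca_file) has every supplied key discarded before the defaults are filled in. Drop that reset, since `|| {}` on the line above already guarantees a hash reference. The defaults are also written into the caller's own hash reference from here on; copying it first, e.g. `my $ssl_opts = { %{ delete $cnf{ssl_opts} || {} } };`, avoids that side effect.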
@@ -56,6 +56,8 @@
else {
$ssl_opts->{verify_hostname} = 1;
}
+ }
+ unless (exists $ssl_opts->{SSL_ca_file} or exists $ssl_opts->{SSL_ca_path}) {
if (my $ca_file = $ENV{PERL_LWP_SSL_CA_FILE} || $ENV{HTTPS_CA_FILE}) {
$ssl_opts->{SSL_ca_file} = $ca_file;
}
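Review bot: The new guard on SSL_ca_file/SSL_ca_path tests `exists`, so a caller passing `SSL_ca_file => undef` suppresses the PERL_LWP_SSL_CA_FILE/HTTPS_CA_FILE default and is left with no explicit CA source; testing `defined` would match the likely intent. Because the block now follows the closing brace of the verify_hostname block, it also runs when verify_hostname is false, where a CA lookup serves no purpose; wrapping it in `if ($ssl_opts->{verify_hostname})` would leave that case unchanged. Since the report is about undocumented behaviour, the ssl_opts POD should describe the per-key fallback in the same patch.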