Subject: verify_hostname defaults to 0 if ssl_opts provided
The LWP::UserAgent docs describe how the verify_hostname field of
ssl_opts is initialized. What they don't mention is that if you provide
a ssl_opts hash to the constructor, then verify_hostname defaults to 0,
not 1. In other words, if you say:

    my $ua = LWP::UserAgent->new(ssl_opts => {SSL_ca_file => 'myCA.crt'});

You have just quietly disabled hostname verification. I found this
rather surprising, and it seems like a dangerous feature. If I hadn't
run a test with the (intentionally) wrong CA cert, I might not have
noticed that hostname checks were disabled.
This is related to RT#66663. My suggested patch there would have solved
this, also.
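
A check for the behaviour described above, as an added example that is not part of the original report or of LWP itself: it reads verify_hostname back from the constructed object, so an affected installation shows up without any network traffic. The helper name new_verified_ua is hypothetical; 'myCA.crt' is the file name from the report and is not opened here.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;

# Hypothetical helper (not part of LWP): build a UA whose ssl_opts always
# carry an explicit verify_hostname => 1, then confirm the object kept it.
sub new_verified_ua {
    my (%args) = @_;
    my %ssl = %{ delete $args{ssl_opts} || {} };

    # Refuse a caller-supplied false value rather than silently overriding it.
    die "verify_hostname explicitly disabled by caller\n"
        if exists $ssl{verify_hostname} && !$ssl{verify_hostname};

    $ssl{verify_hostname} = 1;
    my $ua = LWP::UserAgent->new(%args, ssl_opts => \%ssl);

    # Read the value back from the object instead of trusting the constructor.
    die "hostname verification is off after construction\n"
        unless $ua->ssl_opts('verify_hostname');
    return $ua;
}

# The constructor call from the report, inspected as-is. The CA file path is
# only stored at this point; nothing is loaded until a connection is made.
my $reported = LWP::UserAgent->new(ssl_opts => { SSL_ca_file => 'myCA.crt' });
printf "as reported: verify_hostname = %d\n",
    $reported->ssl_opts('verify_hostname') ? 1 : 0;

# Same options with the flag stated explicitly and verified after construction.
my $ua = new_verified_ua(ssl_opts => { SSL_ca_file => 'myCA.crt' });
printf "explicit:    verify_hostname = %d\n",
    $ua->ssl_opts('verify_hostname') ? 1 : 0;
```

Passing verify_hostname => 1 alongside any other ssl_opts keys removes the dependence on the constructor's default, and the read-back makes a regression visible in a unit test rather than in production.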