
This queue is for tickets about the LWP-Protocol-https CPAN distribution.

Report information
The Basics
Id: 81948
Status: resolved
Priority: 0/
Queue: LWP-Protocol-https

People
Owner: Nobody in particular
Requestors: parlay [...] yopmail.com
Cc: ether [...] cpan.org
tsibley [...] cpan.org
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: IO::Socket::SSL now issues warning when used with LWP's verify_hostname=>0
When setting ssl_opts => {verify_hostname => 0} in LWP, this results in the following warning from new versions of IO::Socket::SSL:

*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
RT-Send-CC: srezic [...] iconmobile.com
Same warning when using the environment variable:

$ env PERL_LWP_SSL_VERIFY_HOSTNAME=0 /opt/perl/bin/lwp-request https://example.org
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
 at /opt/perl-5.14.2/lib/site_perl/5.14.2/LWP/Protocol/http.pm line 31.
It looks to me like SSL_verify_mode isn't being propagated correctly when verify_hostname is set to 0. I've attached a patch that I think will fix this. As a workaround, you can set both verify_hostname and SSL_verify_mode in ssl_opts to prevent the warning from appearing:

my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 0,
        SSL_verify_mode => 0,
    }
);

I hope this helps.
Subject: LWP-Protocol-https-6.03-warning.patch
diff -r 0b2304015803 lib/LWP/Protocol/https.pm --- a/lib/LWP/Protocol/https.pm Wed Jan 30 14:06:01 2013 -0600 +++ b/lib/LWP/Protocol/https.pm Wed Jan 30 14:09:53 2013 -0600 @@ -19,6 +19,9 @@ $ssl_opts{SSL_verify_mode} ||= 1; $ssl_opts{SSL_verifycn_scheme} = 'www'; } + else { + $ssl_opts{SSL_verify_mode} = 0; + } if ($ssl_opts{SSL_verify_mode}) { unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) { eval {
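Review bot: the added else branch assigns `$ssl_opts{SSL_verify_mode} = 0;` unconditionally, so a caller who passes verify_hostname => 0 together with an explicit SSL_verify_mode (to verify the certificate chain but skip the hostname match) has that value overwritten, and because the following `if ($ssl_opts{SSL_verify_mode})` guards the SSL_ca_file/SSL_ca_path setup, certificate verification is silently switched off. The true branch preserves a caller's value with `$ssl_opts{SSL_verify_mode} ||= 1;`; mirror that here with `$ssl_opts{SSL_verify_mode} = 0 unless defined $ssl_opts{SSL_verify_mode};` so only an unset mode is defaulted, which is enough to avoid the IO::Socket::SSL warning without changing what an explicit caller asked for.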
Ping. Could we please get this patch applied and a new release made to CPAN?
I have applied the patch and send a pull request: https://github.com/libwww-perl/lwp-protocol-https/pull/4
Thanks. LWP-Protocol-https-6.04 has now been uploaded to CPAN with your fix.
On Mon Apr 29 17:33:02 2013, GAAS wrote:
> Thanks. LWP-Protocol-https-6.04 has now been uploaded to CPAN with your fix.
The fix is wrong. Disabling hostname verification should not disable certificate verification, but only set SSL_verifycn_mode to 'none'. The real issue would be the failing propagation of SSL_verify_mode at all, e.g. the warning came if SSL_verify_mode was undef, and setting it to 1 would have fixed the problem also. But it is not clear to me how this could fail, and because there is no software version associated with this bug it is hard to reproduce. Anyway, the Debian guys found this problem in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579 and a fix is getting prepared, so this is only a note that the previous patch introduced another problem.
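As an added illustration (not code from this ticket or from LWP-Protocol-https), the following shows the separation the comment above asks for: verify_hostname controls only the hostname match, while SSL_verify_mode is always set explicitly so the IO::Socket::SSL warning cannot fire and a caller's own value is kept. The helper name map_ssl_opts and the three inputs are assumptions; SSL_verifycn_scheme is the IO::Socket::SSL option that selects the hostname check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Map LWP-style ssl_opts to IO::Socket::SSL options so that
# verify_hostname only switches the hostname check and the
# certificate chain stays verified unless explicitly opted out.
# Illustrative helper; map_ssl_opts is an assumed name, not LWP's API.
sub map_ssl_opts {
    my ($in) = @_;
    my %ssl_opts = %{ $in || {} };
    my $check_host = delete $ssl_opts{verify_hostname};

    # Never leave SSL_verify_mode undef: that is what produced the
    # deprecation warning. Use //= rather than ||= so an explicit
    # SSL_VERIFY_NONE (which is 0) from the caller is preserved.
    $ssl_opts{SSL_verify_mode} //= SSL_VERIFY_PEER;

    # 'www' matches the certificate against the requested host name;
    # 'none' skips only that match while the chain is still verified.
    $ssl_opts{SSL_verifycn_scheme} = $check_host ? 'www' : 'none';
    return \%ssl_opts;
}

# Constructed inputs: LWP's default, "disable hostname check only",
# and an explicit opt-out of all verification.
for my $case (
    [ 'default'        => { verify_hostname => 1 } ],
    [ 'no hostname'    => { verify_hostname => 0 } ],
    [ 'fully insecure' => { verify_hostname => 0,
                            SSL_verify_mode => SSL_VERIFY_NONE } ],
) {
    my ($name, $opts) = @$case;
    my $m = map_ssl_opts($opts);
    printf "%-15s SSL_verify_mode=%d SSL_verifycn_scheme=%s\n",
        $name, $m->{SSL_verify_mode}, $m->{SSL_verifycn_scheme};
}
```

Only the third case yields SSL_verify_mode=0; the "no hostname" case keeps SSL_VERIFY_PEER with the scheme set to 'none', which is the combination the patch applied in 6.04 overwrites.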