* Jakub Wilk <jw...@debian.org>, 2014-05-01, 17:24:
If LWP uses IO::Socket::SSL as SSL socket class (this is the default), setting HTTPS_CA_DIR or HTTPS_CA_FILE environment variable disables(!) server certificate verification:

This is what's going on:

In LWP::UserAgent we have this:

       elsif ($ENV{HTTPS_CA_FILE} || $ENV{HTTPS_CA_DIR}) {
           # Crypt-SSLeay compatibility (verify peer certificate; but not the hostname)
           $ssl_opts->{verify_hostname} = 0;
           $ssl_opts->{SSL_verify_mode} = 1;
       }

But in LWP::Protocol::HTTPS we have this:

   if (delete $ssl_opts{verify_hostname}) {
       $ssl_opts{SSL_verify_mode} ||= 1;
       $ssl_opts{SSL_verifycn_scheme} = 'www';
   }
   else {
       $ssl_opts{SSL_verify_mode} = 0;
   }

So the intention was to disable only hostname verification, for compatibility with Crypt::SSLeay (why?!), but the effect is that the SSL_verify_mode is set to 0.
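The following script is an added illustration, not LWP's own code: it models the two option-merging steps quoted above as plain functions so the effect can be checked without a network. The function names, the assumed default of verify_hostname => 1, the sample CA path and the "fixed" variant are my own assumptions, not LWP's actual fix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Step 1 (LWP::UserAgent side): derive ssl_opts from the environment.
# Assumption: with neither variable set, the default is verify_hostname => 1.
sub ua_ssl_opts {
    my (%env) = @_;
    my %ssl_opts = (verify_hostname => 1);
    if ($env{HTTPS_CA_FILE} || $env{HTTPS_CA_DIR}) {
        # Crypt-SSLeay compatibility: keep peer verification, drop hostname check
        $ssl_opts{verify_hostname} = 0;
        $ssl_opts{SSL_verify_mode} = 1;
    }
    return %ssl_opts;
}

# Step 2 (LWP::Protocol::HTTPS side), as quoted: 'delete' returns the stored
# value, and 0 is false, so "hostname check only" lands in the else branch.
sub protocol_merge_buggy {
    my (%ssl_opts) = @_;
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    } else {
        $ssl_opts{SSL_verify_mode} = 0;
    }
    return %ssl_opts;
}

# One possible fix (hypothetical, not LWP's): only force SSL_verify_mode to 0
# when the caller did not already ask for peer verification explicitly.
sub protocol_merge_fixed {
    my (%ssl_opts) = @_;
    if (delete $ssl_opts{verify_hostname}) {
        $ssl_opts{SSL_verify_mode} ||= 1;
        $ssl_opts{SSL_verifycn_scheme} = 'www';
    } elsif (!exists $ssl_opts{SSL_verify_mode}) {
        $ssl_opts{SSL_verify_mode} = 0;
    }
    return %ssl_opts;
}

# Effective SSL_verify_mode after both steps, for a given merge function.
sub effective_verify_mode {
    my ($merge, %env) = @_;
    my %opts = $merge->(ua_ssl_opts(%env));
    return $opts{SSL_verify_mode};
}

for my $env ({}, { HTTPS_CA_FILE => '/path/to/ca.crt' }) {   # constructed sample
    my $label = %$env ? 'HTTPS_CA_FILE set' : 'no CA env vars';
    printf "%-18s buggy SSL_verify_mode=%d  fixed SSL_verify_mode=%d\n", $label,
        effective_verify_mode(\&protocol_merge_buggy, %$env),
        effective_verify_mode(\&protocol_merge_fixed, %$env);
}
```

With the CA variable set, the buggy merge ends with SSL_verify_mode=0 (no peer verification at all), while the fixed variant keeps it at 1.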

--
Jakub Wilk

