[Bug 1408331] Re: libwww perl in ubuntu always enforces HTTPS server certificate
sullr
1408331 at bugs.launchpad.net
Wed Jan 7 22:33:32 UTC 2015
The option verify_hostname is like the name suggests only responsible
for verifying the host name against the certificate. It does not control
the verification of the certificate chain or any other certificate
validations, even if it can be used like this in some versions of
LWP::Protocol::https. But this is actually a bug, see https://github.com
/libwww-perl/lwp-protocol-https/pull/14 (very long discussion).
The only documentation of the option verify_hostname in LWP::UserAgent
says:
"verify_hostname" => $bool
When TRUE LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate
matching the expected hostname.
Which confirms that this option cares about verifying the host name
only.
To disable any kind of certificate validation you have to use ssl_opts
to set SSL_verify_mode to 0 (i.e. SSL_VERIFY_NONE).
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libwww-perl in Ubuntu.
https://bugs.launchpad.net/bugs/1408331
Title:
libwww perl in ubuntu always enforces HTTPS server certificate
Status in libwww-perl package in Ubuntu:
New
Bug description:
Given this simple code:
$ua = LWP::UserAgent->new;
$ua->agent("netview");
$ua->protocols_allowed( [ 'https' ] );
$ua->ssl_opts( verify_hostname => 0 );
push @{ $ua->requests_redirectable }, 'POST', 'GET';
my $req = HTTP::Request->new( GET =>
"https://$server/blc/api/routers/type/pe" );
$req->content_type('application/json');
$req->authorization_basic($apipw->{APIUSER}, $apipw->{APIPW});
my $res = $ua->request($req);
LOGDIE "Error getting PE routers via REST to $server: ".$res->status_line.
"(".$res->content.")"
if ! $res->is_success;
I get this message:
Error getting PE routers via REST to blc.serv.as2116.net: 500 Can't connect to blc.serv.as2116.net:443 (certificate verify failed)(Can't connect to blc.serv.as2116.net:443 (certificate verify failed)
LWP::Protocol::https::Socket: SSL connect attempt failed with unknown
error error:14090086:SSL
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at
/usr/share/perl5/LWP/Protocol/http.pm line 41.
Strace shows that the code is looking for a CA file from the OpenSSL
package. blc.serv.as2116.net's sertificate is signed by a uncommon CA
so this fails.
BUT it should not be trying to verify this at all due to the
verify_hostname setting.
In HTTP::Protocol::https one finds a _extra_sock_opts function that's
different than the official LWP release. I replaced it with the this
LWP 6.04 code:
sub _extra_sock_opts
{
my $self = shift;
my %ssl_opts = %{$self->{ua}{ssl_opts} || {}};
if (delete $ssl_opts{verify_hostname}) {
$ssl_opts{SSL_verify_mode} ||= 1;
$ssl_opts{SSL_verifycn_scheme} = 'www';
}
else {
$ssl_opts{SSL_verify_mode} = 0;
}
if ($ssl_opts{SSL_verify_mode}) {
unless (exists $ssl_opts{SSL_ca_file} || exists $ssl_opts{SSL_ca_path}) {
eval {
require Mozilla::CA;
};
if ($@) {
if ($@ =! /^Can't locate Mozilla\/CA\.pm/) {
$@ = <<'EOT';
Can't verify SSL peers without knowing which Certificate Authorities to trust
This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
envirionment variable or by installing the Mozilla::CA module.
To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
envirionment variable to 0. If you do this you can't be sure that you
communicate with the expected peer.
EOT
}
die $@;
}
$ssl_opts{SSL_ca_file} = Mozilla::CA::SSL_ca_file();
}
}
$self->{ssl_opts} = \%ssl_opts;
return (%ssl_opts, $self->SUPER::_extra_sock_opts);
}
Then I get this instead
Error getting PE routers via REST to blc.serv.as2116.net: 401
Unauthorized({"error":{"code":401,"message":"Unauthorized: Basic
Authentication Required"}})
which means that the SSL handshake was completed.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: libwww-perl 6.05-2
ProcVersionSignature: Ubuntu 3.13.0-43.72-generic 3.13.11.11
Uname: Linux 3.13.0-43-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.6
Architecture: amd64
Date: Wed Jan 7 16:05:09 2015
InstallationDate: Installed on 2014-12-19 (19 days ago)
InstallationMedia: Ubuntu-Server 14.04 LTS "Trusty Tahr" - Release amd64 (20140416.2)
PackageArchitecture: all
SourcePackage: libwww-perl
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libwww-perl/+bug/1408331/+subscriptions
More information about the foundations-bugs
mailing list