This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When creating a Bodhi update request, use the bodhi submission link noted in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs. Please also mention the CVE IDs being fixed in the RPM changelog and the Bodhi notes field when available.

NOTE: this issue affects multiple supported versions of Fedora. While only one tracking bug has been filed, please correct all affected versions at the same time. If you need to fix the versions independent of each other, you may clone this bug as appropriate.

[bug automatically created by: add-tracking-bugs]
Use the following update submission link to create the Bodhi request for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

IMPORTANT: ensure that the "Close bugs when update is stable" option remains checked.

Bodhi update submission link: https://admin.fedoraproject.org/updates/new/?type_=security&bugs=1094440,1094442
perl-LWP-Protocol-https-6.04-4.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/perl-LWP-Protocol-https-6.04-4.fc20
perl-LWP-Protocol-https-6.04-2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/perl-LWP-Protocol-https-6.04-2.fc19
perl-LWP-Protocol-https-6.04-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
The patch used between -3 and -4 is

- $ssl_opts{SSL_verify_mode} = 0;
+ if ( $Net::HTTPS::SSL_SOCKET_CLASS eq 'Net::SSL' ) {
+ $ssl_opts{SSL_verifycn_scheme} = '';
+ } else {
+ $ssl_opts{SSL_verifycn_scheme} = 'none';
+ }

Not sure what the intention was but with the 6.04-4 and website with self-signed certificate like,

  PERL_LWP_SSL_VERIFY_HOSTNAME=0 HEAD -Se https://www.pcwebshop.co.uk/ ; echo $?

is now broken:

  HEAD https://www.pcwebshop.co.uk/
  500 Can't connect to www.pcwebshop.co.uk:443
  Content-Type: text/plain
  Client-Date: Fri, 23 May 2014 09:36:01 GMT
  Client-Warning: Internal response
  1

This used to work with 6.04-3:

  # PERL_LWP_SSL_VERIFY_HOSTNAME=0 HEAD -Se https://www.pcwebshop.co.uk/ ; echo $?
  HEAD https://www.pcwebshop.co.uk/
  200 OK
  Connection: close
  Date: Fri, 23 May 2014 09:36:12 GMT
  Server: Apache
  Content-Type: text/html; charset=UTF-8
  Client-Date: Fri, 23 May 2014 09:36:12 GMT
  Client-Peer: 217.160.239.225:443
  Client-Response-Num: 1
  Client-SSL-Cert-Issuer: /C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info
  Client-SSL-Cert-Subject: /C=US/ST=Virginia/L=Herndon/O=Parallels/OU=Parallels Panel/CN=Parallels Panel/emailAddress=info
  Client-SSL-Cipher: DHE-RSA-AES256-SHA
  Client-SSL-Socket-Class: IO::Socket::SSL
  Client-SSL-Warning: Peer certificate not verified
  Set-Cookie: wptouch-pro-cache-state=desktop; expires=Fri, 23-May-2014 10:36:12 GMT; path=/
  X-Pingback: https://www.pcwebshop.co.uk/xmlrpc.php
  X-Powered-By: PleskLin
  0

It's because it gets translated to call

  # perl -le 'use LWP::Protocol::https; my $sock = LWP::Protocol::https::Socket->new(Timeout => 180, PeerAddr => "www.pcwebshop.co.uk", SSL_verify_mode => 0, PeerPort => "443"); print $sock; print $IO::Socket::SSL::SSL_ERROR;'
  LWP::Protocol::https::Socket=GLOB(0x10b1a98)
  SSL wants a read first
  #

in 6.04-3 (note the SSL_verify_mode => 0) but to

  # perl -le 'use LWP::Protocol::https; my $sock = LWP::Protocol::https::Socket->new(Timeout => 180, PeerAddr => "www.pcwebshop.co.uk", SSL_verifycn_schema => "none", PeerPort => "443"); print $sock; print $IO::Socket::SSL::SSL_ERROR;'
  IO::Socket::IP configuration failed SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

in 6.04-4 -- note there is no SSL_verify_mode => 0 there in the parameters, just SSL_verifycn_schema => "none".
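Review bot: the hunk drops `$ssl_opts{SSL_verify_mode} = 0;` without setting any other SSL_verify_mode, so certificate chain validation now follows IO::Socket::SSL's default (SSL_VERIFY_PEER) and only the hostname check is relaxed through `SSL_verifycn_scheme`. Separating the two checks is the right call, since the hostname variable was never meant to switch off chain validation, but it is a user-visible change for anyone who used PERL_LWP_SSL_VERIFY_HOSTNAME=0 to reach self-signed hosts; the package changelog should state that and name the explicit opt-out, `ssl_opts => {SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE}` on LWP::UserAgent->new. A one-line comment on why Net::SSL gets `''` while IO::Socket::SSL gets `'none'` would also spare the next maintainer a trip to both modules' documentation.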
Man page of IO::Socket::SSL does not list the SSL_verifycn_schema option at all, just SSL_verify_mode with the default of SSL_VERIFY_PEER, which sadly the new code in perl-LWP-Protocol-https no longer changes.
perl-LWP-Protocol-https-6.04-2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Thank you for the report. However there are two mistakes:

(1) The IO::Socket::SSL::new option is "SSL_verifycn_scheme", not "SSL_verifycn_schema". Thus you could not find it in the documentation.

(2) The 6.04-3 behavior was flawed. As you can read in the upstream bug report, the "SSL_verify_mode" option is about checking hostname. It's not intended to control certificate validation. The same applies to "PERL_LWP_SSL_VERIFY_HOSTNAME" environment variable. 6.04-4 has restored the behavior which was present before 6.04.
(In reply to Petr Pisar from comment #9)
> Thank you for the report. However there are two mistakes:
>
> (1) The IO::Socket::SSL::new option is "SSL_verifycn_scheme", not
> "SSL_verifycn_schema". Thus you could not find it in the documentation.

Ahh, sorry about that.

> (2) The 6.04-3 behavior was flawed. As you can read in the upstream bug
> report, the "SSL_verify_mode" option is about checking hostname. It's not
> intended to control certificate validation. The same applies to
> "PERL_LWP_SSL_VERIFY_HOSTNAME" environment variable. 6.04-4 has restored the
> behavior which presented before 6.04.

So what is the way for making HTTP requests to websites with self-signed certificates from perl, if the user does not care about the CA chain validation? In other words, what is the way for making LWP behave the same way it used to behave with the pre-6 version?
There is no LWP environment variable or command line option to control that currently. It's possible to pass ssl_opts => {SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE} to LWP::UserAgent::new if you write your own LWP application. This is also discussed in the upstream report.

The reason why PERL_LWP_SSL_VERIFY_HOSTNAME seemed to work before is that IO::Socket::SSL < 1.950 defaulted to SSL_VERIFY_NONE. This has not been true since Fedora 20. Unfortunately Fedora 20 delivered the flawed LWP::Protocol::https, so it was not visible.

I agree with you that there should be a way to disable the certificate validation externally.
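An added example, not code from this bug report or from the LWP project, showing the ssl_opts configuration discussed above in one LWP::UserAgent script: the verifying default, the explicit SSL_VERIFY_NONE opt-out from the comment above, and, going one step beyond the thread, a "pinned" mode that keeps chain validation on while trusting one self-signed certificate through SSL_ca_file. The $url and $ca_file values are placeholders, and the script needs network access to the host you point it at.

```perl
#!/usr/bin/perl
# Added example (not from the bug report). Assumes LWP::Protocol::https
# 6.04-4 or later, where PERL_LWP_SSL_VERIFY_HOSTNAME=0 no longer turns
# off chain validation. $url and $ca_file below are placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER SSL_VERIFY_NONE);

# Usage: verify-modes.pl strict|pinned|insecure [URL] [CA-FILE]
my ($mode, $url, $ca_file) = @ARGV;
$mode    //= 'strict';
$url     //= 'https://example.invalid/';           # placeholder host
$ca_file //= '/path/to/self-signed-server-cert.pem'; # placeholder path

# Build a user agent whose TLS checks match the requested mode.
sub make_agent {
    my ($mode, $ca_file) = @_;
    my %ssl_opts;
    if ($mode eq 'strict') {
        # Secure default: system CA bundle, chain and hostname both checked.
        %ssl_opts = (SSL_verify_mode => SSL_VERIFY_PEER, verify_hostname => 1);
    }
    elsif ($mode eq 'pinned') {
        # Trust exactly one self-signed certificate: chain validation still
        # runs, but the trust store is a file holding only that certificate,
        # so a different certificate for the same name is still rejected.
        %ssl_opts = (SSL_verify_mode => SSL_VERIFY_PEER, verify_hostname => 1,
                     SSL_ca_file => $ca_file);
    }
    elsif ($mode eq 'insecure') {
        # The opt-out named in the comment above: no chain validation and
        # no hostname check, so any certificate presented is accepted.
        %ssl_opts = (SSL_verify_mode => SSL_VERIFY_NONE, verify_hostname => 0);
    }
    else {
        die "mode must be strict, pinned or insecure\n";
    }
    return LWP::UserAgent->new(timeout => 30, ssl_opts => \%ssl_opts);
}

my $ua  = make_agent($mode, $ca_file);
my $res = $ua->head($url);
print "$mode: ", $res->status_line, "\n";
# LWP::Protocol::https adds this header when it did not verify the peer
# certificate; its presence is the quickest sign that a request ran unverified.
if (my $warn = $res->header('Client-SSL-Warning')) {
    print "  $warn\n";
}
```

In "pinned" mode the file given as SSL_ca_file must contain the server's own self-signed certificate in PEM form, and the hostname in $url must match that certificate's subject for verify_hostname to pass.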
I created a request for adding an option to disable the certificate validation (bug #1101265).