Bug 745800 - perl-libwww-perl: add support for setting SSL options in LWP::UserAgent
Summary: perl-libwww-perl: add support for setting SSL options in LWP::UserAgent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: perl-libwww-perl
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Petr Pisar
QA Contact: Martin Kyral
Docs Contact: Lenka Špačková
URL:
Whiteboard:
Depends On:
Blocks: 947781 1159824 1254457 1269913
Reported: 2011-10-13 13:15 UTC by Tomas Hoger
Modified: 2016-08-30 11:12 UTC (History)

Fixed In Version: perl-libwww-perl-5.833-3.el6
Doc Type: Release Note
Doc Text:
LWP now supports host name and certificate verification

Certificate and host-name verification, which is disabled by default, has been implemented in the World Wide Web library for Perl (LWP, also called libwww-perl). This allows users of the *LWP::UserAgent* Perl module to verify the identity of HTTPS servers. To enable the verification, make sure the *IO::Socket::SSL* Perl module is installed and that either the `PERL_LWP_SSL_VERIFY_HOSTNAME` environment variable is set to `1` or the application is modified to set the `ssl_opts` option correctly. See the *LWP::UserAgent* POD for more details.
Clone Of:
Environment:
Last Closed: 2016-05-10 21:04:52 UTC
Target Upstream Version:
Embargoed:


Attachments
Back-port ssl_opts to libwww-perl-5.833 (11.45 KB, patch), 2015-12-08 10:08 UTC, Petr Pisar
Disable hostname verification by default for 5.833 (1.21 KB, patch), 2015-12-08 10:09 UTC, Petr Pisar
Test case (3.40 KB, application/octet-stream), 2015-12-08 11:57 UTC, Petr Pisar


Links
Red Hat Product Errata RHEA-2016:0817 (priority normal, status SHIPPED_LIVE): perl-libwww-perl enhancement update, last updated 2016-05-10 22:39:43 UTC

Internal Links: 1355802 1365490

Description Tomas Hoger 2011-10-13 13:15:46 UTC
Description of problem:
LWP versions before 6.0 do not perform SSL certificate checking and certificate hostname checking (see bug #705044 for details).  Version 6.0 adds the LWP::UserAgent function ssl_opts that can be used to change SSL verification settings (i.e. whether certificate verification should be performed, the file or path to CA certificate(s), whether host name checking should be done), and also enables all checks by default.

While enabling all checks by default is not really an option for a released product, we should consider adding support for setting SSL options and defaulting to disabled checks for backwards compatibility.

In the current version, an LWP user can enable IO::Socket::SSL checks using IO::Socket::SSL::set_ctx_defaults, which serves as a workaround for a direct way to set SSL options for a specific LWP::UserAgent instance.  An example can be found at:
  https://bugzilla.redhat.com/show_bug.cgi?id=705044#c7

Petr has already looked into what changes need to be backported to provide ssl_opts function in LWP::UserAgent:
  https://bugzilla.redhat.com/show_bug.cgi?id=705044#c10
  https://bugzilla.redhat.com/show_bug.cgi?id=705044#c12

Version-Release number of selected component (if applicable):
perl-libwww-perl-5.833-2.el6

Comment 2 RHEL Program Management 2011-10-13 13:49:36 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 4 Suzanne Logcher 2012-01-31 21:17:22 UTC
This request was evaluated by Red Hat Product Management for inclusion in the
current release of Red Hat Enterprise Linux. Because the affected component is
not scheduled to be updated in the current release, Red Hat is unfortunately
unable to address this request at this time.  It has been proposed for the next
release. If you would like it considered as an exception in the current
release, please ask your support representative.

Comment 5 RHEL Program Management 2013-10-14 00:56:08 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 8 Petr Pisar 2015-12-08 10:08:49 UTC
Created attachment 1103499 [details]
Back-port ssl_opts to libwww-perl-5.833

Comment 9 Petr Pisar 2015-12-08 10:09:23 UTC
Created attachment 1103500 [details]
Disable hostname verification by default for 5.833

Comment 12 Petr Pisar 2015-12-08 11:55:16 UTC
How to test:

(1) Prepare a private key and two X.509 certificates. One issued for a hostname you will connect to, another one for something else.
(2) Start an HTTPS server with the certificate.
(3) Perform an HTTP request with an LWP::UserAgent client to the server.
(4) Observe the status report of the LWP::UserAgent client.
Before: The client performs the request regardless of the server certificate.
After: The client performs the request regardless of the server certificate. However, if the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable is set to "1", the request will be aborted if the server's certificate is not trusted or is issued for a non-matching certificate.

Repeat the test with various combinations of the server's certificate, the authority's certificate, and the PERL_LWP_SSL_VERIFY_HOSTNAME value. Please note that the default behaviour must match the PERL_LWP_SSL_VERIFY_HOSTNAME=0 behaviour and that PERL_LWP_SSL_VERIFY_HOSTNAME=1 is supported only if the IO::Socket::SSL Perl module is installed.
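The following client script is an added example for steps (3) and (4) of the procedure above and for the ssl_opts API described in the bug description; it is not the test case attached in comment 13 and not code from perl-libwww-perl itself. It assumes that the back-ported ssl_opts() accepts the same keys as upstream LWP 6.x (verify_hostname, SSL_ca_file), that IO::Socket::SSL is installed, and that the TEST_HTTPS_URL and TEST_CA_FILE environment variables (or the constructed placeholder defaults) point at the test server and the CA certificate prepared in step (1).

```perl
#!/usr/bin/perl
# Added example for this bug's test procedure; not the attached test case and
# not part of perl-libwww-perl.
# Assumptions: the back-ported ssl_opts() accepts the upstream LWP 6.x keys
# verify_hostname and SSL_ca_file, IO::Socket::SSL is installed, and
# TEST_HTTPS_URL / TEST_CA_FILE name the test server and CA certificate from
# step (1). The fallback values below are constructed placeholders.
use strict;
use warnings;
use LWP::UserAgent;

my $url     = $ENV{TEST_HTTPS_URL} || 'https://localhost:8443/';
my $ca_file = $ENV{TEST_CA_FILE}   || 'ca.crt';

# Issue one GET with the given ssl_opts and return a one-line outcome.
# An empty option hash leaves the agent at its defaults, i.e. whatever
# PERL_LWP_SSL_VERIFY_HOSTNAME selected (0 unless set, for this back-port).
sub probe {
    my ($opts) = @_;
    my $ua = LWP::UserAgent->new(timeout => 5);
    $ua->ssl_opts(%$opts) if %$opts;
    my $res = $ua->get($url);
    return $res->is_success
        ? 'accepted (' . $res->code . ')'
        : 'rejected (' . $res->status_line . ')';
}

# Each case corresponds to one combination the procedure asks you to try.
my @cases = (
    [ 'agent default (env-driven)',  {} ],
    [ 'verification explicitly off', { verify_hostname => 0 } ],
    [ 'verification on, own CA',     { verify_hostname => 1, SSL_ca_file => $ca_file } ],
);

for my $case (@cases) {
    my ($name, $opts) = @$case;
    printf "%-30s %s\n", "$name:", probe($opts);
}
```

Run it once against the server using the certificate issued for the host name you connect to and once against the server using the other certificate. With the fixed package, the "verification explicitly off" case is accepted in both runs (the legacy behaviour), the "verification on, own CA" case is rejected whenever the certificate does not chain to the given CA or carries a non-matching name, and the "agent default" case follows whichever PERL_LWP_SSL_VERIFY_HOSTNAME value you export before starting the script. With the unfixed 5.833-2 package, the ssl_opts() calls fail because the method does not exist.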

Comment 13 Petr Pisar 2015-12-08 11:57:50 UTC
Created attachment 1103562 [details]
Test case

You can use this script and the certificates and set various environment variables to perform the testing.

Comment 16 errata-xmlrpc 2016-05-10 21:04:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-0817.html

Comment 18 Pasi Sjöholm 2016-08-09 11:29:26 UTC
You know that this "enhancement" also broke both $ENV{HTTPS_CERT_FILE} and $ENV{HTTPS_KEY_FILE} usage, with the SSL library defaulting to IO::Socket::SSL instead of Net::SSL. You should have implemented full compatibility between the old and new before releasing this "fix".

Comment 19 Petr Pisar 2016-08-30 10:43:02 UTC
You can export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL to use Net::SSL and its HTTPS_ environment variables.

Comment 20 Pasi Sjöholm 2016-08-30 11:12:37 UTC
(In reply to Petr Pisar from comment #19)
> You can export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL to use Net::SSL and
> its HTTPS_ environment variables.

Sure, and it is not like I could not fix the issue itself, but the thing was that the update actually broke the API currently in use, and there were no warnings in the release notes that this would happen.

Anyway, there is actually a bug about this issue, https://bugzilla.redhat.com/show_bug.cgi?id=1365490, and we should probably continue the discussion there.

