[SOLVED] How to set PERL_LWP_SSL_VERIFY_HOSTNAME to 0

karlschweigert · 03-20-2011, 03:14 PM

My server recently upgraded to LWP 6.0 and I need to turn off SSL Verification. Can someone tell me, step by step, how to do so? The documentation says set PERL_LWP_SSL_VERIFY_HOSTNAME to 0 but I don't know where or how to accomplish this. Thanks!

Below is the error message that I get when running an IPN to CCBILL.

Can't connect to datalink.ccbill.com:443 (Crypt-SSLeay can't verify hostnames) Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0 at /usr/lib/perl5/site_perl/5.8.8/LWP/Protocol/http.pm line 51.

smoker · 03-21-2011, 12:52 AM

Have you looked at /usr/lib/perl5/site_perl/5.8.8/LWP/Protocol/http.pm line 51 ?

karlschweigert · 03-21-2011, 01:50 AM

Thanks for the reply. I did check and line 51 reads:

Code:

die "$status\n\n$@";

The whole block of text is:

Code:

41 unless ($sock) {
42        # IO::Socket::INET leaves additional error messages in $@
43        my $status = "Can't connect to $host:$port";
44        if ($@ =~ /\bconnect: (.*)/ ||
45            $@ =~ /\b(Bad hostname)\b/ ||
46            $@ =~ /\b(certificate verify failed)\b/ ||
47            $@ =~ /\b(Crypt-SSLeay can't verify hostnames)\b/
48        ) {
49            $status .= " ($1)";
50        }
51        die "$status\n\n$@";
60    }

Which still leaves me with two problems:

1.) I don't know what value to change. Do I need to make the $1 = $0 in line 49?
2.) I don't know how to change it! When I type in "vi http.pm" and "i" to make changes, I get the message:

Code:

W10: Warning: Changing a readonly file

and I am unable to edit it as I normally do.

smoker · 03-21-2011, 12:37 PM

The problem is not there, that is where the error arises. You would also need to be root to edit that file I suspect.

Anyway, you can specify the environment variables in your script, I suggest near the beginning of the code.
Add ...

Code:

$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;

karlschweigert · 03-21-2011, 12:41 PM

Thanks smoker! I'll have the script modified to add the environment variable!

serotta1958 · 08-22-2011, 11:44 AM

Smoker,

you resolution worked great but I would love to understand the internet architecture involved here.
what does PERL_LWP_SSL_VERIFY_HOSTNAME do?

is it comparing an SSL certificate to a hostname or is the SSL cert on the destination out of date?

jantman · 02-23-2012, 11:18 AM

Quote:

Originally Posted by serotta1958

Smoker,

you resolution worked great but I would love to understand the internet architecture involved here.
what does PERL_LWP_SSL_VERIFY_HOSTNAME do?

is it comparing an SSL certificate to a hostname or is the SSL cert on the destination out of date?

In case anyone else finds this post, and for the sake of completeness...
Yes, serotta, the first option that you mentioned. By default, SSL/HTTPS clients check the Subject name specified in the certificate against the hostname, and report an error if they do not match. This is commonly the case with many automatically generated self-signed certificates, or if you use a CNAME to reach a SSL host (and the cert isn't generated with Subject Alternative Names).

In simple terms, this is LWP's version of the "Certificate Name Mismatch" errors displayed by common graphical web browsers.