LWP SSL verify_hostname Setting

PKI Tutorials - Herong's Tutorial Examples

∟Perl Scripts Communicating with HTTPS Servers

∟LWP SSL verify_hostname Setting

This section provides a tutorial example on using the SSL verify_hostname setting and related settings: SSL_ca_path and SSL_ca_file.

After reading the LWP library documentation again at https://metacpan.org/pod/LWP, I see that it supports 3 SSL related options:

PERL_LWP_SSL_VERIFY_HOSTNAME - A Boolean flag to turn on or turn off the server certificate verification. The default is TRUE. PERL_LWP_SSL_VERIFY_HOSTNAME can be specified in a couple of ways.

Set environment variable: PERL_LWP_SSL_VERIFY_HOSTNAME=1.
Call the LWP::UserAgent object function: $ua->ssl_opts("verify_hostname" => 1).

PERL_LWP_SSL_CA_PATH - The path to a directory containing files containing Certificate Authority certificates. The default is to use Perl default folder of root CA certificates. PERL_LWP_SSL_CA_PATH can be specified in a couple of ways.

Set environment variable: PERL_LWP_SSL_CA_PATH=\herong\CertsFolder
Call the LWP::UserAgent object function: $ua->ssl_opts("SSL_ca_path" => "\herong\CertsFolder") Of course, this will override the PERL_LWP_SSL_CA_PATH environment variable.

PERL_LWP_SSL_CA_FILE - The path to a file containing Certificate Authority certificates. PERL_LWP_SSL_CA_FILE can be specified in a couple of ways.

Set environment variable: PERL_LWP_SSL_CA_FILE=\herong\MyCertsFile.crt If PERL_LWP_SSL_CA_PATH is given, PERL_LWP_SSL_CA_FILE will be ignored.
Call the LWP::UserAgent object function: $ua->ssl_opts("SSL_ca_file" => "\herong\MyCertsFile.crt") Of course, this will override the PERL_LWP_SSL_CA_FILE environment variable. If "SSL_ca_path" is specified, "SSL_ca_file" will not be accepted.

Here is my Perl script that proves the LWP library is verifying server certificate:

#- LWP_HTTPS_Verify_Hostname.pl
#- Copyright (c) 2010-2018 HerongYang.com. All Rights Reserved.
#
use LWP;
use LWP::UserAgent;

my ($url) = @ARGV;
my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', 'https://login.yahoo.com');

my @keys = $client->ssl_opts;
foreach $k (@keys) {
   $v = $client->ssl_opts($k);
   print "$k = ($v)\n";
}

# $client->ssl_opts("verify_hostname" => 1);
# $client->ssl_opts("SSL_ca_file" => "junk.crt");
$client->ssl_opts("SSL_ca_path" => ".");

my @keys = $client->ssl_opts;
foreach $k (@keys) {
   $v = $client->ssl_opts($k);
   print "$k = ($v)\n";
}

my $response = $client->request($request);
$response->is_success or
    die "Failed to GET '$url': ", $response->status_line;

print "Request:\n";
print $request->as_string;
print "Response:\n";
print $response->as_string;

Now let's run this script to connect the yahoo login HTTPS server again.

herong> perl LWP_HTTPS_Verify_Hostname.pl https://login.yahoo.com

verify_hostname = (1)

SSL_ca_path = (.)
verify_hostname = (1)

Failed to GET '': 500 Can't connect to login.yahoo.com:443
   (certificate verify failed)
   at C:\herong\LWP_HTTPS_Verify_Host.pl line 28.

The "certificate verify failed" error confirms that server certificate verification was performed and failed. This is expected because SSL_ca_path is set to the current directory, and there is no root CA certificates.

You can fix the error in 3 two ways:

Turn off PERL_LWP_SSL_VERIFY_HOSTNAME by $client->ssl_opts("verify_hostname" => 0). This is not recommended, unless you trust Yahoo Websites.
Download and save the root CA certificate used by Yahoo in the current directory.
Remove the $client->ssl_opts("SSL_ca_path" => ".") call to use the Perl default root CA setting, which should include Yahoo's root CA.