LWP SSL verify_hostname Setting

This section provides a tutorial example on using the SSL verify_hostname setting and related settings: SSL_ca_path and SSL_ca_file.

After reading the LWP library documentation again at https://metacpan.org/pod/LWP, I see that it supports 3 SSL related options:

PERL_LWP_SSL_VERIFY_HOSTNAME - A Boolean flag to turn on or turn off the server certificate verification. The default is TRUE. PERL_LWP_SSL_VERIFY_HOSTNAME can be specified in a couple of ways.

PERL_LWP_SSL_CA_PATH - The path to a directory containing files containing Certificate Authority certificates. The default is to use Perl default folder of root CA certificates. PERL_LWP_SSL_CA_PATH can be specified in a couple of ways.

PERL_LWP_SSL_CA_FILE - The path to a file containing Certificate Authority certificates. PERL_LWP_SSL_CA_FILE can be specified in a couple of ways.

Here is my Perl script that proves the LWP library is verifying server certificate:

#- LWP_HTTPS_Verify_Hostname.pl
#- Copyright (c) 2018 by Dr. Herong Yang, herongyang.com
#
use LWP;
use LWP::UserAgent;

my ($url) = @ARGV;
my $client = LWP::UserAgent->new;
my $request = HTTP::Request->new('GET', 'https://login.yahoo.com');

my @keys = $client->ssl_opts;
foreach $k (@keys) {
   $v = $client->ssl_opts($k);
   print "$k = ($v)\n";
}

# $client->ssl_opts("verify_hostname" => 1);
# $client->ssl_opts("SSL_ca_file" => "junk.crt");
$client->ssl_opts("SSL_ca_path" => ".");

my @keys = $client->ssl_opts;
foreach $k (@keys) {
   $v = $client->ssl_opts($k);
   print "$k = ($v)\n";
}

my $response = $client->request($request);
$response->is_success or
    die "Failed to GET '$url': ", $response->status_line;

print "Request:\n";
print $request->as_string;
print "Response:\n";
print $response->as_string;

Now let's run this script to connect the yahoo login HTTPS server again.

C:\herong>LWP_HTTPS_Verify_Hostname.pl https://login.yahoo.com

verify_hostname = (1)

SSL_ca_path = (.)
verify_hostname = (1)

Failed to GET '': 500 Can't connect to login.yahoo.com:443
   (certificate verify failed)
   at C:\herong\LWP_HTTPS_Verify_Host.pl line 28.

The "certificate verify failed" error confirms that server certificate verification was performed and failed. This is expected because SSL_ca_path is set to the current directory, and there is no root CA certificates.

You can fix the error in 3 two ways:

Table of Contents

 About This Book

 Introduction of PKI (Public Key Infrastructure)

 Introduction of HTTPS (Hypertext Transfer Protocol Secure)

 Using HTTPS with Google Chrome

 Using HTTPS with Mozilla Firefox

 HTTPS with Microsoft Edge

 Using HTTPS with Apple Safari

 HTTPS with IE (Internet Explorer)

 Android and Server Certificate

 iPhone and Server Certificate

 Windows Certificate Stores and Console

 RDP (Remote Desktop Protocol) and Server Certificate

 macOS Certificate Stores and Keychain Access

Perl Scripts Communicating with HTTPS Servers

 Installing Crypt::SSLeay 0.72 on Windows

 LWP Library Supports HTTPS

LWP SSL verify_hostname Setting

 LWP SSL List of Root CA Certificates

 Crypt::SSLeay Test Perl Script

 HTTPS Request and Response Example

 Asking Crypt::SSLeay to Verify Server's Certificate

 Crypt::SSLeay Failing to Verify Server's Certificate

 Multiple CA Certificates in a Single File

 PHP Scripts Communicating with HTTPS Servers

 Java Programs Communicating with HTTPS Servers

 .NET Programs Communicating with HTTPS Servers

 CAcert.org - Root CA Offering Free Certificates

 PKI CA Administration - Issuing Certificates

 Comodo Free Personal Certificate

 Digital Signature - Microsoft Word

 Digital Signature - OpenOffice.org 3

 S/MIME and Email Security

 PKI (Public Key Infrastructure) Terminology

 Outdated Tutorials

 References

 Full Version in PDF/EPUB