NAME¶
Net::SSLGlue::LWP - proper certificate checking for https in LWP
SYNOPSIS¶
use Net::SSLGlue::LWP SSL_ca_path => ...;
use LWP::Simple;
get( 'https://www....' );
{
local %Net::SSLGlue::LWP::SSLopts = %Net::SSLGlue::LWP::SSLopts;
# switch off verification
$Net::SSLGlue::LWP::SSLopts{SSL_verify_mode} = 0;
# or: set different verification policy, because cert does
# not conform to RFC (wildcards in CN are not allowed for https,
# but some servers do it anyway)
$Net::SSLGlue::LWP::SSLopts{SSL_verifycn_scheme} = {
wildcards_in_cn => 'anywhere',
check_cn => 'always',
};
}
DESCRIPTION¶
Net::SSLGlue::LWP modifies Net::HTTPS and LWP::Protocol::https so that
Net::HTTPS is forced to use IO::Socket::SSL instead of Crypt::SSLeay, and that
LWP::Protocol::https does proper certificate checking using the
"http" SSL_verify_scheme from IO::Socket::SSL.
Because LWP does not have a mechanism to forward arbitrary parameters for the
construction of the underlying socket these parameters can be set globally
when including the package, or with local settings of the
%Net::SSLGlue::LWP::SSLopts variable.
All of the "SSL_*" parameter from IO::Socket::SSL can be used; the
following parameters are especially useful:
- SSL_ca_path, SSL_ca_file
- Specifies the path or a file where the CAs used for checking the
certificates are located. This is typically "etc/ssl/certs" on
UNIX systems.
- SSL_verify_mode
- If set to 0, verification of the certificate will be disabled. By default
it is set to 1 which means that the peer certificate is checked.
- SSL_verifycn_name
- Usually the name given as the hostname in the constructor is used to
verify the identity of the certificate. If you want to check the
certificate against another name you can specify it with this
parameter.
SEE ALSO¶
IO::Socket::SSL, LWP, Net::HTTPS, LWP::Protocol::https
COPYRIGHT¶
This module is copyright (c) 2008, Steffen Ullrich. All Rights Reserved. This
module is free software. It may be used, redistributed and/or modified under
the same terms as Perl itself.