Ignore SSL certificates in LWP

Ever since release 6.00, Perl’s LWP validates the server’s SSL certificate on HTTPS requests. By default, LWP will use the certificate bundle provided by Mozilla::CA to verify the server certificate. This is detailed in the changelog for 6.00.

There are two ways of reverting to the old behaviour (ignoring the server certificate):

Setting an environment variable, i.e.:

    PERL_LWP_SSL_VERIFY_HOSTNAME=0

Passing an option to the LWP::UserAgent object asking for certificate validation to be ignored, i.e.:

    use LWP::UserAgent;
    use IO::Socket::SSL qw();

    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
            verify_hostname => 0,
            # SSL_hostname => '',  # Set SSL_hostname if you do want to verify the hostname
                                   # (i.e., when using SNI https://en.wikipedia.org/wiki/Server_Name_Indication)
        }
    );

The SSL_hostname option is only required if you intend to fake the “Host” HTTP header (so that it doesn’t mismatch with a similar header sent in the SSL handshake, see Server Name Indication).
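As an added example (not code from the original post), the snippet below puts the configuration above beside a verified one and reports which user agent has checks switched off. It can serve as a test-suite check. The helper name `tls_weaknesses` and the CA file path are assumptions made for the example. Where the server uses a certificate signed by an internal CA, pointing `SSL_ca_file` at that CA keeps verification on.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw();

# Hypothetical helper: return the reasons a user agent's TLS settings
# leave the peer unauthenticated (empty list means checks are on).
sub tls_weaknesses {
    my ($ua) = @_;
    my @why;
    push @why, 'verify_hostname is off'
        unless $ua->ssl_opts('verify_hostname');
    my $mode = $ua->ssl_opts('SSL_verify_mode');
    push @why, 'SSL_verify_mode is SSL_VERIFY_NONE'
        if defined $mode && $mode == IO::Socket::SSL::SSL_VERIFY_NONE();
    return @why;
}

# Weak: the configuration shown in the post.
my $weak = LWP::UserAgent->new(ssl_opts => {
    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
    verify_hostname => 0,
});

# Verified: both checks on. The CA path is a placeholder; it is only
# passed when the file is readable, otherwise the default bundle is used.
my $ca_file = '/path/to/internal-ca.pem';
my $strict = LWP::UserAgent->new(ssl_opts => {
    SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),
    verify_hostname => 1,
    (-r $ca_file ? (SSL_ca_file => $ca_file) : ()),
});

# PERL_LWP_SSL_VERIFY_HOSTNAME is only consulted when verify_hostname is
# not passed explicitly, so $strict stays verified even if it is set to 0.
for my $case ([weak => $weak], [strict => $strict]) {
    my ($name, $ua) = @$case;
    my @why = tls_weaknesses($ua);
    printf "%-6s %s\n", $name,
        @why ? join('; ', @why) : 'certificate and hostname verified';
}
```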


2 thoughts on “Ignore SSL certificates in LWP”

  1. Tom Ritsema says:

    Thanks for your post. There is however a small typo (the ssl_opts is not closed with a curly bracket).
    I assume this is what you meant:

    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
            verify_hostname => 0,
            # SSL_hostname => '',  # Set SSL_hostname if you do want to verify the hostname
            # (ie, when using SNI https://en.wikipedia.org/wiki/Server_Name_Indication)
        }
    );
