Ignore SSL certificates in LWP

Ever since release 6.00, Perl’s LWP validates the server’s SSL certificate on HTTPS requests. By default, LWP will use the certificate bundle provided by Mozilla::CA to verify the server certificate. This is detailed in the changelog for 6.00.

There are two way of reverting to the old behaviour (ignore server certificate):

Setting an environment variable, ie:

PERL_LWP_SSL_VERIFY_HOSTNAME=0

Passing an option to the LWP::UserAgent object asking for certificate validation to be ignored, ie:

    use LWP::UserAgent;
    use IO::Socket::SSL qw();

    my $ua = LWP::UserAgent->new(
        ssl_opts => {
            SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
            verify_hostname => 0,
#            SSL_hostname => '',# Set SSL_hostname if you do want to verify the hostname
                                # (ie, when using SNI https://en.wikipedia.org/wiki/Server_Name_Indication)
        }
    );

The SSL_hostname option is only required if you intend to fake the “Host” HTTP header ( so that it doesn’t mismatch with a similar header sent in the SSL handshake, see Server Name Indication ).

Ignore SSL certificates in LWP