7

Am running into an issue connecting on a Ubuntu machine while my other machine works fine. The difference between both is the Ubuntu version and the SSLeay version but i can't narrow down what the issue is.

I already did the following: a) add the environment variable: PERL_LWP_SSL_VERIFY_HOSTNAME with a value of 0 b) add the $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; to the VICommon.pm file

Both the above ones didn't work. I can't figure out why it doesn't work on my second machine.

Ubuntu 12.10 (Works)

$perl /usr/lib/vmware-vcli/apps/general/connect.pl --url https:///sdk/webService --username --password

Connection Successful

Server Time : 2013-07-19T22:11:31.681181Z

$ perl -v

This is perl 5, version 14, subversion 2 (v5.14.2) built for x86_64-linux-gnu-thread-multi

$ perl -MLWP -e 'print "LWP Version: $LWP::VERSION\n"'

LWP Version: 6.04

$ perl -MCrypt::SSLeay -e 'print "Crypt::SSLeay Version: $Crypt::SSLeay::VERSION\n"'

Crypt::SSLeay Version: 0.58

Ubuntu 13.04 (Doesn't work)

$perl /usr/lib/vmware-vcli/apps/general/connect.pl --url https:///sdk/webService --username --password

Server version unavailable at 'https:///sdk/vimService.wsdl' at /usr/share/perl/5.14/VMware/VICommon.pm line 548.

$ perl -v

This is perl 5, version 14, subversion 2 (v5.14.2) built for x86_64-linux-gnu-thread-multi

$ perl -MLWP -e 'print "LWP Version: $LWP::VERSION\n"'

LWP Version: 6.04

$ perl -MCrypt::SSLeay -e 'print "Crypt::SSLeay Version: $Crypt::SSLeay::VERSION\n"'

Crypt::SSLeay Version: 0.64

Certificate error (same in both machines)

lwp-request https:///sdk/webService Can't connect to :443 (certificate verify failed)

LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 51.

UPDATE 1

Looks like the issue has nothing to do with the Ubuntu version but the new packages i get when i do 'apt-get upgrade', on the 12.10 box i didn't do that and it was working. However on 13.04 i ended up doing all the updates. Now since i get more than 80 updates when i did i still haven't narrowed down to the library which is messing it up. When i installed a new 13.04 image it works fine.

** Update 2 **

Looks like the base Ubuntu 12.10 or 13.04 work fine. If you get the latest updates then it stops working. So not sure yet which library is causing the problem.

HoldOffHunger
  • 18,769
  • 10
  • 104
  • 133
user2601110
  • 71
  • 1
  • 1
  • 3
  • related: [How to ignore 'Certificate Verify Failed' error in perl?](http://stackoverflow.com/questions/6795030/how-to-ignore-certificate-verify-failed-error-in-perl) – daxim Jul 20 '13 at 11:34
  • What makes you so sure that this is related to a failed certificate check? Usually, the Perl SSL libraries issue warnings when certificate checks fail, but you don't seem to be getting any of those. Can you use lwp-request to connect from both machines? – innaM Jul 20 '13 at 16:14
  • I get the same certificate failure in both machines: lwp-request https:///sdk/webService Can't connect to :443 (certificate verify failed) LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 51. – user2601110 Jul 22 '13 at 20:28
  • Note that Crypt::SSLeay isn't the preferred way of handling SSL in Perl anymore. There's a long conversation about this in the [bug tracker](https://rt.cpan.org/Ticket/Display.html?id=956630). – brian d foy Sep 25 '14 at 13:38

5 Answers5

5

I have had the very same problem - I solved it by typing "use Net::SSL;" before the requests.

Also tried to find out what library is causing the problem because it's definately an upgraded module that is causing it. Most sites were okay though, but one site's certificate wouldn't validate.

Gauntlet
  • 141
  • 3
  • 9
  • Worked well for me. Was moving scripts from RHEL (v5.16.3) to SLES (perl v5.26.1) and had the issue that self-signed certs would not be ignored. For some reason, CA signed worked anyway. However, this one solved the issue. – Stef May 04 '21 at 07:24
5

Rather than using use Net::SSL; soon in your code, you can achieve more predictable behavior with:

$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL';

And now PERL_LWP_SSL_VERIFY_HOSTNAME set to zero will work as expected. But changing the underlying implementation module should not be considered as solution, but a hack.

Michal Ingeli
  • 141
  • 2
  • 4
2

It also can depend on the version of Net::HTTPS, and on whether or not IO::Socket::SSL is installed. Net::HTTPS will prefer IO::Socket::SSL (which uses Net::SSLeay) over Net::SSL (which uses Crypt::SSL). More recent versions of Net::HTTPS have improved how it works with IO::Socket::SSL.

runrig
  • 6,486
  • 2
  • 27
  • 44
  • I am newbie to this, can you elaborate how i can check if the ones you mentioned are enabled. – user2601110 Jul 19 '13 at 23:28
  • Make an https request. Eval it if neccessary so it doesn't die. Then `print "$_: $INC{$_}\n" for sort keys %INC;` to see what libraries got loaded. – runrig Nov 01 '13 at 19:33
2

You can try to add Global ENV variable or set in via Apache config (if you're using Apache)

SetEnv PERL_LWP_SSL_VERIFY_HOSTNAME 0

or

$ENV{'PERL_LWP_SSL_VERIFY_HOSTNAME'} = 0;
dimas
  • 379
  • 2
  • 5
-2

Setting the PERL_LWP_SSL_VERIFY_HOSTNAME env var to 0 will disable important security checks.

Upgrading the relevant modules to the latest version (as of November 2014) fixed the problem for me.

(In my case I updated to these distributions: Crypt-SSLeay-0.72, Net-HTTP-6.07, libwww-perl-6.08 LWP-Protocol-https-6.06.)

Tim Bunce
  • 1,082
  • 7
  • 14