0
use LWP::UserAgent;
my $ua = LWP::UserAgent->new();
my $res = $ua->get("https://url");   # real URL withheld by the poster
print $res->content;

Resulted in a response that the certificate was not valid (and if I disabled hostname verification the server would say I needed encryption instead), until I started using Net::SSL:

$ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL';

Before doing my request, of course.

Module Versions at the moment:

Crypt::SSLeay 0.58
IO::Socket::SSL 1.955
Net::SSLeay 1.55
LWP 6.05
LWP::Protocol::https 6.04

Also tried the latest Crypt::SSLeay but that still failed (tried this in a test environment).

Is this just a limitation in the Crypt::SSLeay library, between the client and the server - that they maybe can't agree upon an encryption method?

I also used OpenSSL to manually connect to the server in question, which worked without problems, no certificate failures or so.

My problem is sort of solved already, but not in a way that feels very graceful, but I am curious as to where the error lies, as I spent ages trying to find a solution, and the root of the issue. I send SSL requests to hundreds of other servers without this problem, but this one server would just respond with a message saying I need to encrypt my request.

Is LWP together with Net::SSL more supported?

How would you try and trace the root of the issue?

EDIT: An interesting thing is this didn't happen in older versions of the modules (it worked recently). I strongly suspect that it was LWP or something that got updated. Weird how the behaviour can change like this in an update.

Gauntlet
  • Version of Net::HTTP? Updating this library has broken and fixed a lot of installations depending on what version it is. – runrig Nov 01 '13 at 19:31
  • And are you referring to the server you run your script on, or the server you request the URL from? – runrig Nov 01 '13 at 19:38
  • Net::HTTP 6.06, the versions I list above are on the server where I send the request from. It used to work to the very same server, but some module updated a dependency (I think) and then it stopped working. – Gauntlet Nov 04 '13 at 09:02
  • Noticed another server got the same version (Net::HTTP 6.06), and requests always worked from that server, so it's some other module. – Gauntlet Nov 04 '13 at 12:11

2 Answers

1

If it says that the certificate is not valid, it probably cannot verify it because it is self-signed, the CA is not known, or similar issues. If I understand you right it fails only on this specific server, so there might be something wrong with its certificate. Please check whether you get an error message with a browser too. More help could probably be provided if I knew the exact URL and had access to it.

As for Net::SSL vs. IO::Socket::SSL: recent LWP versions use by default IO::Socket::SSL (which is based on Net::SSLeay) instead of the older Net::SSL/Crypt::SSLeay, because IO::Socket::SSL has more features, more correct certificate verification and is in active development.

Steffen (current maintainer/developer of IO::Socket::SSL)

Steffen Ullrich
  • There was no trouble for browsers to access the page and validate the certificate; I tried Chrome, FF and IE. Also, it is not self-signed. The CA is known too (using `dig` to check the certificate manually with the standard known CAs on the system gave no errors). – Gauntlet Dec 10 '13 at 16:15
  • Sent an email with the URL to you, as I don't want to disclose it here. If you find out what may be the cause, please share at stackexchange so that I and others can learn. – Gauntlet Dec 11 '13 at 09:03
0

Some servers do not support TLSv1.2. LWP by default will connect to some servers but not to those requiring a lower TLS version. I had a very generic 500 error over https with LWP 6.0x and setting LWP::UserAgent to SSL_version => 'TLSv1' did not work for me. Try forcing LWP to only use IO::Socket::SSL and force the TLS version for additional testing.

LWP::UserAgent Can't Post with TLS1.1

chrisrth
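
One way to trace the failure along the lines the second answer suggests, as an added example that is not code from the question or either answer: it forces LWP onto IO::Socket::SSL, then handshakes with the host once per protocol version, with and without certificate verification, so a negotiation failure can be told apart from a rejected certificate. The host is taken from the command line; the version list, the 10-second timeout and reliance on the system CA store are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Must be set before Net::HTTPS is loaded, so LWP uses IO::Socket::SSL
# rather than Net::SSL (Crypt::SSLeay).
BEGIN { $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'IO::Socket::SSL' }

use IO::Socket::SSL;    # exports $SSL_ERROR and the SSL_VERIFY_* constants
use LWP::UserAgent;

# Assumption: the host under test is passed as an argument.
my $host = shift(@ARGV) or die "usage: $0 hostname [port]\n";
my $port = shift(@ARGV) || 443;

# Step 1: raw handshake per protocol version. Running each version with and
# without verification separates "cannot negotiate" from "certificate rejected".
for my $version (qw(SSLv23 TLSv1 TLSv1_1 TLSv1_2)) {
    for my $verify (SSL_VERIFY_PEER, SSL_VERIFY_NONE) {
        my $sock = IO::Socket::SSL->new(
            PeerHost            => $host,
            PeerPort            => $port,
            Timeout             => 10,
            SSL_version         => $version,
            SSL_hostname        => $host,     # send SNI
            SSL_verify_mode     => $verify,
            SSL_verifycn_scheme => 'http',    # hostname check as for HTTPS
            SSL_verifycn_name   => $host,
        );
        my $mode = $verify == SSL_VERIFY_PEER ? 'verify' : 'no-verify';
        if ($sock) {
            printf "%-8s %-9s OK   cipher=%s issuer=%s\n", $version, $mode,
                $sock->get_cipher, $sock->peer_certificate('issuer');
            close $sock;
        }
        else {
            printf "%-8s %-9s FAIL %s\n", $version, $mode, $SSL_ERROR || $!;
        }
    }
}

# Step 2: the same host through LWP with the protocol version pinned.
# A client-side TLS failure shows up here as a 500 status line from LWP.
my $ua = LWP::UserAgent->new(
    ssl_opts => { SSL_version => 'TLSv1', verify_hostname => 1 },
);
my $res = $ua->get("https://$host:$port/");
print "LWP: ", $res->status_line, "\n";
```

A row that fails only in the `verify` column points at certificate or CA-store handling on the client; a row that fails in both columns points at protocol or cipher negotiation for that version.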