There are two ways to do this, depending on which SSL module you have installed. The LWP docs recommend installing Crypt::SSLeay. If that is what you have done, setting the HTTPS_CA_FILE environment variable to point at your ca-bundle.crt should do it. (The Crypt::SSLeay docs mention this, but are a bit light on the details.) Also, depending on your setup, you may need to set the HTTPS_CA_DIR environment variable.
Crypt::SSLeay example:

use LWP::Simple qw(get);
$ENV{HTTPS_CA_FILE} = "/path/to/your/ca/file/ca-bundle";   # CA bundle used to verify the server chain
$ENV{HTTPS_DEBUG} = 1;                                     # trace the handshake on STDERR
print get("https://some-server-with-bad-certificate.com");  # returns undef when verification fails
__END__
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:unknown CA
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL_connect:SSLv3 read server hello A
SSL3 alert write:fatal:bad certificate
SSL_connect:error in SSLv3 read server certificate B
SSL_connect:before/connect initialization
SSL_connect:SSLv2 write client hello A
SSL_connect:error in SSLv2 read server hello B
Note that get does not die, but it does return undef.
Alternatively, you can use the IO::Socket::SSL module (also available from CPAN). To make this verify the server certificate you need to modify the SSL context defaults:
use IO::Socket::SSL qw(debug3);   # debug3 turns on verbose handshake tracing
use Net::SSLeay;
BEGIN {
    # Change the defaults for every SSL context created afterwards (including
    # the one LWP builds), so the server certificate must verify against the CA file.
    IO::Socket::SSL::set_ctx_defaults(
        verify_mode => Net::SSLeay->VERIFY_PEER(),
        ca_file     => "/path/to/ca-bundle.crt",
        # ca_path => "/alternate/path/to/cert/authority/directory"
    );
}
use LWP::Simple qw(get);
warn get("https://some-server-with-bad-certificate.com");   # returns undef on verification failure
This version also causes get() to return undef, but prints a warning to STDERR when you run it (along with a lot of debugging output if you import the debug* symbols from IO::Socket::SSL):
% perl ssl_test.pl
DEBUG: .../IO/Socket/SSL.pm:1387: new ctx 139403496
DEBUG: .../IO/Socket/SSL.pm:269: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:271: socket connected
DEBUG: .../IO/Socket/SSL.pm:284: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:327: Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:1135: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:333: fatal SSL error: SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:1422: free ctx 139403496 open=139403496
DEBUG: .../IO/Socket/SSL.pm:1425: OK free ctx 139403496
DEBUG: .../IO/Socket/SSL.pm:1135: IO::Socket::INET configuration failederror:00000000:lib(0):func(0):reason(0)
500 Can't connect to some-server-with-bad-certificate.com:443 (SSL connect attempt failed with unknown errorerror:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed)
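Added example (not part of the answer above): the same verification expressed through LWP 6's per-agent ssl_opts instead of global IO::Socket::SSL context defaults, with the weak setting alongside for contrast. It assumes LWP::UserAgent 6 with LWP::Protocol::https on an IO::Socket::SSL backend; the CA bundle path and URL are placeholders.

```perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);

# Build a UserAgent that verifies the chain against an explicit CA bundle
# and checks the certificate name against the requested host.
sub make_verifying_ua {
    my ($ca_file) = @_;
    return LWP::UserAgent->new(
        timeout  => 10,
        ssl_opts => {
            verify_hostname => 1,                # name check (LWP 6 default)
            SSL_verify_mode => SSL_VERIFY_PEER,  # require a valid chain
            SSL_ca_file     => $ca_file,
        },
    );
}

# Weak configuration for contrast: with verify_hostname => 0 the LWP 6
# https backend also sets SSL_verify_mode to VERIFY_NONE, so any
# certificate is accepted. Shown only to make the difference visible.
sub make_unverified_ua {
    return LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
}

# Fetch a URL and report whether the request (including TLS verification)
# succeeded. Returns (1, body) on success, (0, status line) on failure.
sub fetch_checked {
    my ($ua, $url) = @_;
    my $res = $ua->get($url);
    return (1, $res->decoded_content) if $res->is_success;
    # Handshake failures surface as an internal 500 whose status line
    # carries the IO::Socket::SSL error ("certificate verify failed").
    return (0, $res->status_line);
}

# Placeholder path and host; replace with your own CA bundle and target.
my $ua = make_verifying_ua("/path/to/ca-bundle.crt");
my ($ok, $detail) = fetch_checked($ua, "https://some-server-with-bad-certificate.com");
if ($ok) { print "verified and fetched ", length($detail), " bytes\n" }
else     { print "rejected: $detail\n" }
```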
No, the accepted solution does not suffer from this problem. (Well, I wrote it myself.) LWP 6 compares the common name to the hostname by default and aborts if they don't match. (You are right that earlier versions of LWP didn't.) – cjm 2011-10-11 07:15:37
That is not correct. I am using the latest version of LWP::UserAgent (version 6.04) as the backend for SOAP::Lite (version 0.714). The LWP::UserAgent backend on this machine is IO::Socket::SSL. I found that without the code above, neither the CN is checked nor the certificate chain verified. Setting "verify_hostname" and "SSL_ca_path" via ssl_opts() does not work. – blumentopf 2013-02-04 16:45:29