Perl LWP GET or POST for SSL SNI URL

I have a system that sends data to clients using Perl LWP. They can choose their URL, as well as POST or GET.

Recently, a new client complained that the service was down and they suspect their endpoint is using SNI SSL.

In the logs, all I see is the error message "(certificate verification failed) (500 read timeouts)."

Is there any way to find out if this issue is due to their SNI SSL or something else? I think I can solve the problem by disabling verify_hostname, but this is the last resort; I would prefer it to work correctly.

What other steps should I take?

+2
1 answer

Whether SNI can be a problem depends on the modules used and their versions:

  • LWP has used IO::Socket::SSL as the base SSL library since version 6.0. Before that, it used Crypt::SSLeay, which does not support SNI, and you can still use Crypt::SSLeay. But, although this can lead to the server returning incorrect data, it should in most cases not lead to verification problems, because Crypt::SSLeay does not check whether the name in the certificate matches the requested host name (and is thus open to man-in-the-middle attacks).
  • IO::Socket::SSL has supported client-side SNI since version 1.56 (02/2012), but you need at least version 1.0 of OpenSSL. Support for older versions is disabled due to errors in OpenSSL when interacting with some servers.

You can try to debug the problem by setting $IO::Socket::SSL::DEBUG=4 when running the code.

+8
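A diagnostic script for the checks described in the answer, added here as an example and not part of the original post: it reports which TLS backend and versions LWP would use, then fetches the server certificate once with SNI and once without and compares them. The script name and the host passed on the command line are placeholders; certificate chain verification is switched off only inside the probe so that the certificate can be inspected even when verification would fail.

```perl
#!/usr/bin/perl
# Added example. Usage: perl sni_check.pl <host> [port]
use strict;
use warnings;
use Net::HTTPS;          # loaded first so it picks its default backend
use LWP::UserAgent;
use IO::Socket::SSL;     # also exports $SSL_ERROR and SSL_VERIFY_NONE
use Net::SSLeay;

my ($host, $port) = @ARGV;
die "usage: $0 host [port]\n" unless defined $host;
$port ||= 443;

# 1. Which stack is in play, and can it send SNI at all?
printf "LWP %s, HTTPS backend: %s\n",
    LWP::UserAgent->VERSION, $Net::HTTPS::SSL_SOCKET_CLASS;
printf "IO::Socket::SSL %s on %s\n",
    $IO::Socket::SSL::VERSION, Net::SSLeay::SSLeay_version();
printf "client SNI available: %s\n",
    IO::Socket::SSL->can_client_sni ? 'yes' : 'no';

# 2. Handshake with a given SNI value ('' disables SNI) and report
#    the certificate the server presented.
sub probe {
    my ($label, $sni) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        Timeout         => 10,
        SSL_hostname    => $sni,
        SSL_verify_mode => SSL_VERIFY_NONE,   # inspection only
    );
    unless ($sock) {
        print "$label: connect/handshake failed: ", ($SSL_ERROR || $!), "\n";
        return;
    }
    my %r = (
        fp      => $sock->get_fingerprint('sha256'),
        subject => $sock->peer_certificate('subject'),
        match   => $sock->verify_hostname($host, 'http') ? 1 : 0,
    );
    printf "%s: %s\n  %s\n  name matches %s: %s\n",
        $label, $r{subject}, $r{fp}, $host, $r{match} ? 'yes' : 'no';
    close $sock;
    return \%r;
}

my $with    = probe('with SNI',    $host);
my $without = probe('without SNI', '');
if ($with && $without) {
    print $with->{fp} ne $without->{fp}
        ? "Server selects its certificate by SNI.\n"
        : "Same certificate either way; SNI is not the cause.\n";
}
```

If the certificates differ and only the SNI one matches the host name, a client that cannot send SNI (Crypt::SSLeay backend, IO::Socket::SSL older than 1.56, or OpenSSL older than 1.0) will fail hostname verification against this server.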