I would like to know whether it is possible to force LWP::UserAgent to accept an expired SSL certificate for a single, well-known server. The issue is slightly complicated by the Squid proxy in between.
I went as far as to set up a debugging environment like:
use warnings;
use strict;
use Carp;
use LWP::UserAgent;
use LWP::Debug qw(+);
use HTTP::Cookies;
my $proxy = 'http://proxy.example.net:8118';
my $cookie_jar = HTTP::Cookies->new( file => 'cookies.tmp' );
my $agent = LWP::UserAgent->new;
$agent->proxy( [ 'http' ], $proxy );
$agent->cookie_jar( $cookie_jar );
$ENV{HTTPS_PROXY} = $proxy;
$ENV{HTTPS_DEBUG} = 1;
$ENV{HTTPS_VERSION} = 3;
$ENV{HTTPS_CA_DIR} = '/etc/ssl/certs';
$ENV{HTTPS_CA_FILE} = '/etc/ssl/certs/ca-certificates.crt';
$agent->get( 'https://www.example.com/');
exit;
Fortunately the issue was eventually fixed on the remote server before I was able to come up with my own solution, but I would like to be able to optionally circumvent the problem should it arise again (the underlying service had been disrupted for several hours before I was called into action).
I would favor a solution at the LWP::UserAgent level over one based on the underlying Crypt::SSLeay or openSSL implementations, if such a solution exists, since I prefer not to relax security for other unrelated applications. Of course I am still looking for such a solution myself, in my copious free time.
When using an expired certificate, you risk your encryption and mutual authentication. As a result, both your website and users are susceptible to attacks and viruses. For example, a hacker can take advantage of a website with an expired SSL certificate and create a fake website identical to it.
When TLS/SSL certificate expires, your website shows warning messages to the users, like 'your connection is not private' or 'your communication is not secure'. Such alarming notifications drive users away from your website, impacting your website traffic, brand value, and sales.
Updated to address comment
To bypass all certificate checks you can set the agent up to not verify the certificate.
$agent->ssl_opts(verify_hostname => 0);
The agent will also pass settings down to the SSL socket implementation being used. For example, withIO::Socket::SSL
you can set SSL_verify_mode
to 0x00
.
$agent->ssl_opts(SSL_verify_mode => 0x00);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With