LWP :: UserAgent坚持验证主机名 [英] LWP::UserAgent Insists on verifying hostname

问题描述

以下脚本的工作原理是在运行libwww-perl-5.836的主机上返回全面的标头，但不会在使用libwww-perl-6.30.0的主机上返回标头.在这种情况下，脚本将显示以下内容:

The following script works returns a comprehensive headers on a host running libwww-perl-5.836 but not on the host using libwww-perl-6.30.0. In that case, the script displays the following:

    500 Can't connect to backend.mutegroup.org:443 (certificate verify failed)
    Content-Type: text/plain
    Client-Date: Mon, 28 Jul 2014 21:09:28 GMT
    Client-Warning: Internal response

    Can't connect to backend.mutegroup.org:443 (certificate verify failed)

    LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/lib64/perl5/vendor_perl/5.16.3/LWP/Protocol/http.pm line 51.

这是脚本:

#!/usr/bin/perl

use strict;
use warnings;

use LWP::UserAgent;
use HTTP::Request::Common;

my $ua      = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0, } );
my $url     = 'https://backend.mutegroup.org/api/getLastId';

my $request = POST $url;
print $ua->request($request)->as_string

默认情况下，libwww-perl-5.837及更高版本的主机名不进行验证.这就解释了为什么它可以在旧主机上运行.但是，我明确禁用了检查，它仍然坚持要进行检查.

Host names are not verified by default for libwww-perl-5.837 and prior. That explains why it works on the old host. However, I am explicitly disabling checks and it is still insisting on doing them.

这是在Gentoo系统上.

This is on a Gentoo system.

推荐答案

您已关闭验证主机名；您尚未关闭验证证书.

You have turned off verifying the hostname; you have not turned off verifying the certificate.

verify_hostname控制是否LWP用于安全协议方案，以确保它连接到具有有效证书与预期主机名相匹配的服务器"(我强调).将该值设置为0可使您连接到具有有效证书但未针对要访问的主机/主机名颁发的服务器.

verify_hostname controls whether "LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate matching the expected hostname" (my emphasis). Setting that to 0 allows you to connect to a server that has a valid certificate but not issued for the host / hostname that you are trying to reach.

要关闭检查证书是否有效(由受信任的CA颁发)，您需要:

To turn off checking that the certificate is valid (issued by a trusted CA), you want:

use IO::Socket::SSL;

my $ua = LWP::UserAgent->new(
   ssl_opts => {
      verify_hostname => 0,
      SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE,
   },
);

请注意，如果您正在传输任何敏感信息或希望信任返回的数据，则关闭这两个选项都不是一个好主意.禁用这两个功能后，您将失去SSL的优势，并且容易受到各种中间人攻击.

Note that turning off either of these options is a bad idea if you are transmitting any sensitive information or expect to trust the data returned. With either of these turned off, you are losing the benefits of SSL and are vulnerable to various man-in-the-middle attacks.

这篇关于LWP :: UserAgent坚持验证主机名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！