Can I force LWP::UserAgent to accept an expired SSL certificate?

fB. picture fB. · Dec 3, 2008 · Viewed 9.7k times · Source

I would like to know whether it is possible to force LWP::UserAgent to accept an expired SSL certificate for a single, well-known server. The issue is slightly complicated by the Squid proxy in between.

I went as far as to set up a debugging environment like:

use warnings;
use strict;
use Carp;
use LWP::UserAgent;
use LWP::Debug qw(+);
use HTTP::Cookies;

my $proxy = 'http://proxy.example.net:8118';
my $cookie_jar = HTTP::Cookies->new( file => 'cookies.tmp' );
my $agent = LWP::UserAgent->new;
$agent->proxy( [ 'http' ], $proxy );
$agent->cookie_jar( $cookie_jar );

$ENV{HTTPS_PROXY} = $proxy;
$ENV{HTTPS_DEBUG} = 1;
$ENV{HTTPS_VERSION} = 3;
$ENV{HTTPS_CA_DIR}    = '/etc/ssl/certs';
$ENV{HTTPS_CA_FILE}    = '/etc/ssl/certs/ca-certificates.crt';

$agent->get( 'https://www.example.com/');

exit;

Fortunately the issue was eventually fixed on the remote server before I was able to come up with my own solution, but I would like to be able to optionally circumvent the problem should it arise again (the underlying service had been disrupted for several hours before I was called into action).

I would favor a solution at the LWP::UserAgent level over one based on the underlying Crypt::SSLeay or openSSL implementations, if such a solution exists, since I prefer not to relax security for other unrelated applications. Of course I am still looking for such a solution myself, in my copious free time.

Answer

joshperry picture joshperry · Dec 3, 2008

Updated to address comment

To bypass all certificate checks you can set the agent up to not verify the certificate.

$agent->ssl_opts(verify_hostname => 0);

The agent will also pass settings down to the SSL socket implementation being used. For example, withIO::Socket::SSL you can set SSL_verify_mode to 0x00.

$agent->ssl_opts(SSL_verify_mode => 0x00);