Broken LWP in the wild

I have an app which does some work over HTTP/HTTPS. Here it is; I already posted about it on blogs.perl.org.

The logic is simple:

1) Use HTTP. If the user wants HTTPS, use HTTPS, but check that the LWP version is >= 6 AND that LWP::UserAgent->is_protocol_supported("https") returns true.
2) Retry HTTP 500 server errors. There can be a lot of them (coming from the server; that's normal).
3) Retry HTTP 500 errors that carry Client-Warning: Internal response (LWP raises these on connection problems and socket timeouts), with the warning "connection problem".

So now I got two reports at once that everything is completely broken and HTTPS does not work.

After some investigation I found that:

LWP 6.00 and 6.01:

1) ship LWP::Protocol::https as part of the LWP::UserAgent distribution, not as a separate dist.
2) Do not ship or depend on Mozilla::CA. Instead there is a note in the docs:

If hostname verification is requested, and neither SSL_ca_file nor SSL_ca_path is set, then SSL_ca_file is implied to be the one provided by Mozilla::CA. If the Mozilla::CA module isn't available SSL requests will fail. Either install this module, set up an alternative SSL_ca_file or disable hostname verification.

3) LWP::UserAgent->is_protocol_supported("https") always returns TRUE, even if Mozilla::CA is not installed.

4) Any attempt to make an HTTPS request raises an HTTP 500 Client-Warning: Internal response error like this:

500 Can't verify SSL peers without knowning which Certificate Authorities to trust
Content-Type: text/plain
Client-Date: Sat, 26 Jul 2014 16:53:44 GMT
Client-Warning: Internal response

Can't verify SSL peers without knowning which Certificate Authorities to trust

This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
envirionment variable or by installing the Mozilla::CA module.

To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
envirionment variable to 0.  If you do this you can't be sure that you
communicate with the expected peer.

Thus my script detected this error as an internal LWP error (the same way it handles timeouts, which happen in several places), so users did not get a proper message that HTTPS support is not installed.

Interestingly, both reports came from users of OSX 10.9; I assume one of the broken versions is shipped with it.

UPD: Another way LWP can be broken on OSX 10.9: it ships LWP::Protocol::https 6.04 but does not ship Mozilla::CA, while it is a mandatory dependency: report one report two
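As an added example (not the author's script, nor part of LWP), here is how the checks above could be tightened so that the missing Mozilla::CA case is reported to the user instead of being retried as a connection problem. The function names https_usable and classify_response are made up, and the sample response is constructed from the error text quoted above:

```perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;

# Check whether HTTPS can really be used, instead of trusting
# is_protocol_supported("https") alone: on LWP 6.00/6.01 it answers true
# even when no CA bundle is available and every HTTPS request will fail.
sub https_usable {
    return 0 unless $LWP::UserAgent::VERSION >= 6;
    my $ua = LWP::UserAgent->new;
    return 0 unless $ua->is_protocol_supported('https');
    return 0 unless eval { require LWP::Protocol::https; 1 };
    # Hostname verification explicitly disabled: no CA bundle is needed,
    # but then the peer is not authenticated at all.
    return 1 if defined $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME}
             && $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} eq '0';
    # Otherwise LWP needs a CA file: an explicit one or the Mozilla::CA bundle.
    return 1 if defined $ENV{PERL_LWP_SSL_CA_FILE} && -r $ENV{PERL_LWP_SSL_CA_FILE};
    return 1 if eval { require Mozilla::CA; 1 };
    return 0;
}

# Classify a response so the missing-CA failure is not retried like a timeout.
# Returns: ok | server_error (retry) | connection_problem (retry, warn)
#          | ssl_unconfigured (stop, tell the user) | other_error
sub classify_response {
    my ($resp) = @_;
    return 'ok' if $resp->is_success;
    my $internal = ($resp->header('Client-Warning') || '') eq 'Internal response';
    if ($resp->code == 500) {
        return 'server_error' unless $internal;   # real server-side 500
        my $body = $resp->content || '';
        return 'ssl_unconfigured'
            if $body =~ /Certificate Authorities to trust/;
        return 'connection_problem';              # timeout, refused, etc.
    }
    return 'other_error';
}

# Constructed sample: the internal 500 that LWP 6.00/6.01 produce (text from the post)
my $msg = "Can't verify SSL peers without knowning which Certificate Authorities to trust";
my $sample = HTTP::Response->new(500, $msg);
$sample->header('Client-Warning' => 'Internal response');
$sample->content("$msg\n");
printf "https usable: %d, sample classified as: %s\n",
    https_usable(), classify_response($sample);
```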


3 Comments

LWP 6.04 requires Mozilla::CA version 20110101.
However, an obsolete version of Mozilla::CA may be a security issue (depending on the web sites targeted). It should at least recommend the latest version of Mozilla::CA at the time of release.

But anyway, Mozilla::CA itself is not reliable: it is based on a Mozilla file that is not updated anymore because the source of the NSS library moved from CVS to Mercurial a few years ago, while Mozilla::CA build script still uses the old file.

So don't worry too much, your SSL verification is broken anyway.

About vsespb

I blog about Perl.