Broken LWP in the wild
I have an app which does some stuff via HTTP/HTTPS. Here it is, already posted about it on blogs.perl.org
The logic is simple:
1) Use HTTP. If the user wants HTTPS, use HTTPS, but check that the LWP version is >= 6 AND LWP::UserAgent->is_protocol_supported("https")
2) Retry HTTP 500 server errors. There can be a lot of them (they come from the server, it's normal)
3) Retry HTTP 500 errors with Client-Warning=Internal response (LWP can raise this in case of a connection problem or socket timeout) with the warning "connection problem"
So now I got two reports at once that everything is completely broken and HTTPS does not work.
After some investigation I found that:
LWP 6.00 and 6.01:
1) Ship LWP::Protocol::https as part of the LWP::UserAgent distribution, not as a separate dist.
2) Do not ship or depend on Mozilla::CA. Instead there is a note in the docs:
If hostname verification is requested, and neither SSL_ca_file nor SSL_ca_path is set, then SSL_ca_file is implied to be the one provided by Mozilla::CA. If the Mozilla::CA module isn't available SSL requests will fail. Either install this module, set up an alternative SSL_ca_file or disable hostname verification.
3) LWP::UserAgent->is_protocol_supported("https") always returns TRUE, even if Mozilla::CA is not installed.
4) Any attempt to make an HTTPS request raises an HTTP 500 Client-Warning=Internal response error like this:
    500 Can't verify SSL peers without knowning which Certificate Authorities to trust
    Content-Type: text/plain
    Client-Date: Sat, 26 Jul 2014 16:53:44 GMT
    Client-Warning: Internal response

    Can't verify SSL peers without knowning which Certificate Authorities to trust

    This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE envirionment variable or by installing the Mozilla::CA module.

    To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME envirionment variable to 0. If you do this you can't be sure that you communicate with the expected peer.
Thus this error is detected by my script as an internal LWP error (like the timeouts that occur in several places), so users did not get a proper message that HTTPS support is not installed.
Interestingly, both reports came from users of OS X 10.9; I assume one of the broken versions is shipped with it.
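Added example (not part of the original post and not the author's script): one way a retry loop can tell the missing-CA internal response shown above apart from retryable 500s, plus a preflight check for a CA source that keeps peer verification enabled. The function names `ca_store_available` and `classify_response` are hypothetical, and the sample responses are constructed.

```perl
use strict;
use warnings;
use 5.010;
use HTTP::Response;

# True when LWP has a CA source for peer verification: an explicit CA
# file/dir from the environment, or the Mozilla::CA bundle.
sub ca_store_available {
    return 1 if grep { defined $ENV{$_} && length $ENV{$_} }
        qw(PERL_LWP_SSL_CA_FILE HTTPS_CA_FILE PERL_LWP_SSL_CA_PATH HTTPS_CA_DIR);
    return eval { require Mozilla::CA; 1 } ? 1 : 0;
}

# Classify a response for the retry loop:
#   ok    - success
#   fatal - local TLS setup problem; retrying cannot help
#   retry - server-side 500, or a client-side connection problem
#   fail  - any other status
sub classify_response {
    my ($resp) = @_;
    return 'ok'   if $resp->is_success;
    return 'fail' unless $resp->code == 500;
    my $internal = ($resp->header('Client-Warning') // '') eq 'Internal response';
    if ($internal) {
        # LWP puts the reason in the status message and repeats it in the body.
        my $text = join "\n", $resp->message // '', $resp->content // '';
        return 'fatal' if $text =~ /Can't verify SSL peers/;
    }
    return 'retry';
}

# Constructed sample responses (not captured from a real run).
my @samples = (
    HTTP::Response->new(500,
        "Can't verify SSL peers without knowning which Certificate Authorities to trust",
        ['Client-Warning' => 'Internal response']),
    HTTP::Response->new(500, "Can't connect to example.com:443",
        ['Client-Warning' => 'Internal response']),
    HTTP::Response->new(500, 'Internal Server Error'),
    HTTP::Response->new(200, 'OK'),
);

printf "%-6s %s\n", classify_response($_), $_->status_line for @samples;
say 'CA store available: ', (ca_store_available() ? 'yes' : 'no');
```

Calling `ca_store_available` next to the `is_protocol_supported("https")` check at startup lets the app report "HTTPS support is not fully installed" up front instead of entering the retry loop.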