问题
I have a system that sends data to customers using perl LWP. They can choose their URL and whether to POST or GET.
A new customer recently complained that the service doesn't work and they suspect it's because their endpoint uses SNI SSL.
Looking in the logs, all I see is the error message "(certificate verify failed) (500 read timeout)".
Is there any way to tell if this issue is because of their SNI SSL, or something different? I think I can solve the problem by turning off verify_hostname, but this is a last resort, I would rather have it working properly.
What other steps should I take?
回答1:
If SNI might be a problem depends on the module you use and their versions:
- LWP uses IO::Socket::SSL since version 6.0 as the backend SSL library. Before that it used Crypt::SSLeay which does not support SNI and you can still enforce use of Crypt::SSLeay. But, while this might cause the server to return the wrong data it should in most cases not lead to verify problems, because Crypt::SSLeay does not verify if the name in the certificate matches the requested hostname (and thus does not detect man-in-the-middle attacks).
- IO::Socket::SSL does SNI on the client side since version 1.56 (02/2012), but you need at least version 1.0 of OpenSSL. Support for older versions is disabled because of bugs in OpenSSL when interacting with some servers.
You can try to debug the issue with setting $IO::Socket::SSL::DEBUG=4 when running the code.
来源:https://stackoverflow.com/questions/25533285/perl-lwp-get-or-post-to-an-sni-ssl-url