Set verify_SSL=>1 by default for HTTP::Tiny in Plack::LWPish #677

Merged
miyagawa merged 1 commit into plack:master from stigtsp:fix/http-tiny-verify-ssl
Aug 25, 2022

stigtsp (Contributor) commented Aug 25, 2022

HTTP::Tiny doesn't verify TLS/SSL certificates by default. This PR sets that flag for the default user agent so HTTPS certificates are verified like LWP does.

Current (insecure) Plack::LWPish behaviour:

$ perl -Ilib -MPlack::LWPish -MHTTP::Request -E 'say Plack::LWPish->new->request(HTTP::Request->new("GET","https://self-signed.badssl.com"))->content'
<!DOCTYPE html>
[..]

Compared to LWP:

$ perl -MLWP::UserAgent -E 'say LWP::UserAgent->new->request(HTTP::Request->new("GET","https://self-signed.badssl.com"))->content'
Can't connect to self-signed.badssl.com:443 (certificate verify failed)

With this fix applied, certificates are checked and the request fails:

$ perl -Ilib -MPlack::LWPish -MHTTP::Request -E 'say Plack::LWPish->new->request(HTTP::Request->new("GET","https://self-signed.badssl.com"))->content'
SSL connection failed for self-signed.badssl.com: SSL connect attempt failed error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Discussions in Debian that motivated this:

stigtsp (Contributor, Author) commented Aug 25, 2022

On second thoughts, Plack::LWPish doesn't seem to have any usage in other CPAN modules, so I don't know how important this PR is in practice...

miyagawa (Member) commented

> Plack::LWPish doesn't seem to have any usage in other CPAN modules

Yeah, to be honest I forgot about the existence of this module and definitely have never used it myself :)

miyagawa merged commit 9a387b8 into plack:master Aug 25, 2022
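
In the "with this fix applied" output in the PR description, the TLS error arrives as the response content rather than as an exception, so callers still have to check the result. An added example (not code from this PR or from Plack) using HTTP::Tiny directly: `build_ua` and `classify` are hypothetical helpers, and matching on the text "certificate verify failed" is an assumption about the error wording.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical helper: verification is on unless the caller explicitly
# passes verify_SSL => 0 (later keys override earlier ones).
sub build_ua {
    my (%args) = @_;
    return HTTP::Tiny->new(verify_SSL => 1, timeout => 10, %args);
}

# HTTP::Tiny does not die on connection or TLS errors. It returns a
# pseudo-response with status 599 and the error text in {content}.
sub classify {
    my ($res) = @_;
    return 'ok'         if $res->{success};
    return 'http-error' if $res->{status} != 599;
    # Assumption: the TLS library reports verification failures with this text.
    return $res->{content} =~ /certificate verify failed/i
        ? 'tls-verify-failed'
        : 'transport-error';
}

# Constructed sample responses in the hash shape HTTP::Tiny returns.
# The TLS error string is the one shown in the PR description.
my @samples = (
    { success => 1,  status => 200, content => '<!DOCTYPE html>' },
    { success => '', status => 599,
      content => 'SSL connection failed for self-signed.badssl.com: '
               . 'SSL connect attempt failed error:1416F086:SSL routines:'
               . 'tls_process_server_certificate:certificate verify failed' },
    { success => '', status => 599,
      content => 'Could not connect to example.invalid:443: Connection refused' },
    { success => '', status => 404, content => 'Not Found' },
);
printf "%-18s status=%s\n", classify($_), $_->{status} for @samples;

# Optional live check: pass a URL as the first argument, for example the
# self-signed test host used in the PR description.
if (my $url = shift @ARGV) {
    my $res     = build_ua()->get($url);
    my $verdict = classify($res);
    die "refusing response from $url: $verdict\n" unless $verdict eq 'ok';
    print "verified and fetched ", length($res->{content}), " bytes\n";
}
```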