This question about Configuration, Not sure...: Answered

INCLUDE of https URL fails with 'certificate verify failed'

What I'm trying to do is include a URL over https (please no discussion about the concerns regarding inclusion of URLs). The actual result that can be seen on the page is something like:

Can't connect to mywiki.host.de:4502 (certificate verify failed)

Sure, I am the CA. I also tried with a self-signed certificate without CA. Does not help. In a different environment on a RedHat -5 with perl 5.10 or 5.13 it works without problem. On mywiki.host.de with Fedora 20 and perl 5.18 it does not.

openssl s_client -connect mywiki.host.de:4502 -CAfile /my-ca-cert
brings in the end: Verify return code: 0 (ok)

So the SSL material should be ok.

According to the perl LWP documentation I tried to set a lot of environment variables for the Apache that hosts the Foswiki, e.g. HTTPS_CA_FILE or this PERL_LWP_SSL_VERIFY_HOSTNAMES. Nothing helps. Looking at the access timestamps of the file containing the root certificate shows that it is not even read at all. This leads me to the question whether the proper perl code to read the URL contents is invoked at all. Could it be that this scenario suffers from this change in perl 5.14, explained e.g. here: http://blogs.perl.org/users/brian_d_foy/2011/07/now-you-need-lwpprotocolhttps.html ?

Frankly, I have no idea where to continue to search any more.

Any hint how to solve or just debug this thing is highly welcome.

Thank you!

-- AlbertFluegel - 18 Dec 2014

I think that this has been fixed in the upcoming Foswiki 1.2. The SSL handling in Foswiki::Net has been rewritten for better support of SSL email and the HTTPS support appears to have been swept up with that. In reviewing the differences between 1.1.9 and 1.2.0, unfortunately the changes appear to be too extensive to be able to use the module on a 1.1.x system.

The actual code is in lib/Foswiki/Net, in sub _GETUsingLWP, so any changes to disable cert checking would have to be done there.

-- GeorgeClark - 20 Dec 2014

You might try adding the following. Please let us know if it worked:

diff --git a/lib/Foswiki/Net.pm b/lib/Foswiki/Net.pm
index 8658003..b712fc9 100644
--- a/lib/Foswiki/Net.pm
+++ b/lib/Foswiki/Net.pm
@@ -256,6 +256,7 @@ sub _GETUsingLWP {
           . " libwww-perl/$LWP::VERSION" );
     require Foswiki::Net::UserCredAgent;
     my $ua = new Foswiki::Net::UserCredAgent( $user, $pass );
+    $ua->ssl_opts( verify_hostnames => 0 ); 
     my $response = $ua->request($request);
     return $response;
 }
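
Review bot: On the added `$ua->ssl_opts(...)` line the key is spelled `verify_hostnames`, while the option LWP::UserAgent documents is `verify_hostname` (singular), so as written the line does not set that option. The call is also unconditional: it applies to every request that goes through `_GETUsingLWP`, whatever the target host. A narrower change is to leave verification on and pass the site's own CA instead, for example `$ua->ssl_opts( SSL_ca_file => ... )` with the path read from configuration, and to make any switch that turns checking off an explicit, documented setting. The added line also ends in trailing whitespace.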

-- GeorgeClark - 20 Dec 2014
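
A way to debug this outside Foswiki, as an added example that is not part of the original posts or of Foswiki's code: a standalone Perl script that reports which TLS modules the web server's perl can load, prints the environment variables LWP::UserAgent consults, and fetches the URL with verification left on and the private CA passed explicitly through `SSL_ca_file`. The script name and argument order are assumptions; run it with the same perl and user as Apache, giving it the URL and CA file from the question.

```perl
#!/usr/bin/perl
# Added diagnostic, not Foswiki code.
# Hypothetical name/usage: lwp-tls-check.pl https://host:port/ [ca-file.pem]
use strict;
use warnings;
use LWP::UserAgent;

my ( $url, $ca_file ) = @ARGV;
die "usage: $0 https://host:port/ [ca-file.pem]\n" unless $url;

# Since libwww-perl 6, https support lives in the separate
# LWP::Protocol::https distribution; report what this perl can load.
for my $mod (qw(LWP::Protocol::https IO::Socket::SSL Net::SSLeay Mozilla::CA)) {
    ( my $file = "$mod.pm" ) =~ s{::}{/}g;
    my $ok = eval { require $file; 1 };
    printf "%-22s %s\n", $mod,
      $ok ? ( $mod->VERSION // 'loaded' ) : 'NOT INSTALLED';
}

# Environment variables LWP::UserAgent reads for its ssl_opts defaults.
for my $var (qw(PERL_LWP_SSL_VERIFY_HOSTNAME PERL_LWP_SSL_CA_FILE
                PERL_LWP_SSL_CA_PATH HTTPS_CA_FILE HTTPS_CA_DIR)) {
    printf "%-30s %s\n", $var, $ENV{$var} // '(unset)';
}

# Keep verification on and trust the private CA explicitly.
my %ssl = ( verify_hostname => 1 );
if ( defined $ca_file ) {
    die "CA file $ca_file is not readable by uid " . $> . "\n"
      unless -r $ca_file;
    $ssl{SSL_ca_file} = $ca_file;
}
my $ua  = LWP::UserAgent->new( ssl_opts => \%ssl, timeout => 15 );
my $res = $ua->get($url);

print "status: ", $res->status_line, "\n";

# Headers LWP adds on the client side: error detail and peer certificate.
for my $h (qw(Client-Warning Client-SSL-Cert-Subject Client-SSL-Cert-Issuer)) {
    my $v = $res->header($h);
    print "$h: $v\n" if defined $v;
}
exit( $res->is_success ? 0 : 1 );
```

If the fetch succeeds here with the CA file given but the INCLUDE still fails, the difference lies in how the Foswiki process builds its user agent or in the environment Apache passes to it, not in the certificate chain.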
 

QuestionForm

Subject Configuration, Not sure...
Extension
Version Foswiki 1.1.9
Status Answered
Related Topics
Topic revision: r2 - 20 Dec 2014, GeorgeClark