mojolicious SSL verify warning

Jonathan Larmour jifl at jifvik.org
Tue Apr 30 10:04:18 PDT 2019


Hi,

I recently did a somewhat-overdue system update on my CentOS 7 server,
which included an update to perl-Mojolicious.

I now get these annoying warnings:
---------------
*******************************************************************
 Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
 is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
 possibly with SSL_ca_file|SSL_ca_path for verification.
 If you really don't want to verify the certificate and keep the
 connection open to Man-In-The-Middle attacks please set
 SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at /usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm line 37.
-----------------

Everything works okay, the warning is just an annoyance, but I wanted rid
of it.

I see from debug output that verify mode is on, and so MOJO_CA_FILE is
set in get_links_schedule_mojo(). So I've changed it to:


 if ( $verify_mode ) {
   if ( -f $ca_file ) {
      $ENV{MOJO_CA_FILE} = $ca_file;
      IO::Socket::SSL::set_defaults(SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER);
   } else {
      main::logger "WARNING: LWP CA file not found: $ca_file\n" if $opt->{verbose};
   }
 } else {
   $ENV{MOJO_INSECURE} = 1;
   IO::Socket::SSL::set_defaults(SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE);
 }

(my mailer will probably mess the whitespace here sorry).

I'm not definite the SSL_VERIFY_NONE line is also required since my system
doesn't use that code path, but it seems like a belts-and-braces approach
to set it.

OOI, my IO::Socket::SSL version is derived from 1.94 which is relevant
when you consider:
https://metacpan.org/changes/distribution/IO-Socket-SSL#L689 but yes that
is still the latest for CentOS 7.

Hopefully this is correct, but if this could be updated similarly (or
better :-)) in get_iplayer master, then that would be great, thanks.

Jifl
-- 
--["No sense being pessimistic, it wouldn't work anyway"]-- Opinions==mine


