Can I force LWP::UserAgent to accept an expired SSL certificate?

Question

I would like to know whether it is possible to force LWP::UserAgent to accept an expired SSL certificate for a single, well-known server. The issue is slightly complicated by the Squid proxy in between.

I went as far as to set up a debugging environment like:

use warnings;
use strict;
use Carp;
use LWP::UserAgent;
use LWP::Debug qw(+);
use HTTP::Cookies;

my $proxy = 'http://proxy.example.net:8118';
my $cookie_jar = HTTP::Cookies->new( file => 'cookies.tmp' );
my $agent = LWP::UserAgent->new;
$agent->proxy( [ 'http' ], $proxy );
$agent->cookie_jar( $cookie_jar );

$ENV{HTTPS_PROXY} = $proxy;
$ENV{HTTPS_DEBUG} = 1;
$ENV{HTTPS_VERSION} = 3;
$ENV{HTTPS_CA_DIR}    = '/etc/ssl/certs';
$ENV{HTTPS_CA_FILE}    = '/etc/ssl/certs/ca-certificates.crt';

$agent->get( 'https://www.example.com/'

exit;

Fortunately the issue was eventually fixed on the remote server before I was able to come up with my own solution, but I would like to be able to optionally circumvent the problem should it arise again (the underlying service had been disrupted for several hours before I was called into action).

I would favor a solution at the LWP::UserAgent level over one based on the underlying Crypt::SSLeay or openSSL implementations, if such a solution exists, since I prefer not to relax security for other unrelated applications. Of course I am still looking for such a solution myself, in my copious free time.

Answer 1

I believe that if you omit HTTPS_CA_DIR and HTTPS_CA_FILE that ssleay will only do the SSL encryption but not do a certificate check. Just make sure that there are not any defaults in the environment already, or try setting them to blank before you make your request.