[LON-CAPA-cvs] cvs: loncom / lonssl.pm
raeburn
raeburn at source.lon-capa.org
Sat Nov 7 22:15:13 EST 2015
raeburn Sun Nov 8 03:15:13 2015 EDT
Modified files:
/loncom lonssl.pm
Log:
- Eliminate warnings in lonc_errors where SSL is in use for internal
LON-CAPA communication and distro has IO::Socket::SSL rev. 1.79 or
newer.
Index: loncom/lonssl.pm
diff -u loncom/lonssl.pm:1.13 loncom/lonssl.pm:1.14
--- loncom/lonssl.pm:1.13 Sat Nov 7 18:41:11 2015
+++ loncom/lonssl.pm Sun Nov 8 03:15:13 2015
@@ -1,5 +1,5 @@
#
-# $Id: lonssl.pm,v 1.13 2015/11/07 18:41:11 raeburn Exp $
+# $Id: lonssl.pm,v 1.14 2015/11/08 03:15:13 raeburn Exp $
#
# Copyright Michigan State University Board of Trustees
#
@@ -37,6 +37,7 @@
use IO::Socket::INET;
use IO::Socket::SSL;
+use Net::SSLeay;
use Fcntl;
use POSIX;
@@ -141,12 +142,21 @@
my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0);
Debug("Client promotion got dup = $dupfno\n");
+ # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify
+ # mode of SSL_VERIFY_NONE should be explicitly set for client, if
+ # verification is not to be used, and SSL_verify_mode is not set.
+ # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which
+ # prevents connections to lond.
+ # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to
+ # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01
+ # used by CentOS/RHEL/Scientific Linux 5).
my $client = IO::Socket::SSL->new_from_fd($dupfno,
SSL_use_cert => 1,
SSL_key_file => $KeyFile,
SSL_cert_file => $MyCert,
- SSL_ca_file => $CACert);
+ SSL_ca_file => $CACert,
+ SSL_verify_mode => Net::SSLeay::VERIFY_NONE());
if(!$client) {
$lasterror = IO::Socket::SSL::errstr();
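Review bot: The `SSL_verify_mode => Net::SSLeay::VERIFY_NONE()` added to the `new_from_fd` call leaves lond's certificate unvalidated even though `SSL_ca_file => $CACert` is passed on the line above, so the client side of this link is encrypted but not authenticated. The new comment says only that SSL_VERIFY_PEER "prevents connections to lond"; it should record why verification fails (certificate chain or hostname check, which this hunk does not show) and state that the peer check is deliberately off, for example `# NOTE: peer certificate is NOT verified here; $CACert is not used for validation while SSL_verify_mode is VERIFY_NONE.` If the internal CA does sign lond's certificates, using `Net::SSLeay::VERIFY_PEER()` where the installed IO::Socket::SSL can complete the handshake would restore server authentication. The enclosing sub starts before this hunk and continues past it, so any later check of the peer certificate is outside this view.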