
How to enable SSL verification in Perl LWP::UserAgent?

Enabling SSL Verification in Perl LWP::UserAgent Without Mozilla::CA

When making HTTPS requests in Perl using LWP::UserAgent, it’s important to verify SSL certificates to ensure secure communication. The typical approach uses Mozilla::CA to provide a CA (Certificate Authority) bundle, but if Mozilla::CA is not installed or unavailable, you can instead rely on your system’s default SSL settings by enabling verification without explicitly specifying a CA file.

This example shows how to enable SSL verification by passing verify_hostname => 1 alone to LWP::UserAgent’s ssl_opts. This tells the underlying IO::Socket::SSL to verify the hostname and certificate using the system defaults. While specifying a CA file is more explicit and portable, this works well in environments with properly configured system CA bundles.

Key Points

  • Don’t include the statement "use Mozilla::CA;" if the module is not installed. This avoids compilation errors.
  • verify_hostname => 1 enables hostname checking and basic SSL verification.
  • System CA certificates (e.g., on Linux or macOS) will be used implicitly.
  • LWP::UserAgent recognizes the ssl_opts parameter with recent versions of IO::Socket::SSL and LWP.
  • This example prints the fetched content length or an error message.

Runnable Perl Example Without Mozilla::CA

use strict;
use warnings;
use LWP::UserAgent;

# Create an LWP::UserAgent with SSL verification enabled
my $ua = LWP::UserAgent->new(
    ssl_opts => {
        verify_hostname => 1,
    },
);

my $url = 'https://www.perl.org/';

my $response = $ua->get($url);

if ($response->is_success) {
    print "Fetched ", length($response->decoded_content), " bytes successfully.\n";
} else {
    warn "Failed to fetch URL: ", $response->status_line, "\n";
}

Additional Notes and Common Gotchas

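  • System CA bundles: This approach relies on the OS’s SSL certificate store. If certificates are missing or outdated, verification may fail. Depending on the installed LWP::Protocol::https version, the request can also fail outright when neither Mozilla::CA nor an explicit CA file or path is available, as the STDERR output under Verified Code shows.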
  • Explicit CA file: If you need guaranteed portability or want a fixed CA bundle, installing Mozilla::CA or specifying SSL_ca_file explicitly is better.
  • Perl module versions: Ensure IO::Socket::SSL is at least 1.94 for reliable verification defaults.
  • TMTOWTDI: Perl lets you configure SSL verification many ways; this is the minimal working setup without extra modules.
  • Fallback behavior: Without verify_hostname, LWP and IO::Socket::SSL may accept invalid certificates silently - a security risk.

Summary

If Mozilla::CA is not available, you can still enable SSL verification in LWP::UserAgent by setting verify_hostname => 1 in ssl_opts. This uses system CA bundles for verification and avoids dependency errors, producing secure HTTPS requests with minimal configuration.

Verified Code

Executed in a sandbox to capture real output. • v5.34.1 • 101ms

STDOUT
(empty)
STDERR
Failed to fetch URL: 500 Can't verify SSL peers without knowing which Certificate Authorities to trust
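
The STDERR line above is what LWP reports when it has no CA file or path to verify against. The following is an added example, not part of the original page: it picks a CA bundle explicitly and refuses to run without one instead of turning verification off. The helper names and the candidate bundle paths are assumptions; adjust the paths for your platform.

```perl
use strict;
use warnings;
use LWP::UserAgent;

# Common system CA bundle locations (assumed; adjust for your platform).
my @CA_CANDIDATES = (
    '/etc/ssl/certs/ca-certificates.crt',       # Debian, Ubuntu, Alpine
    '/etc/pki/tls/certs/ca-bundle.crt',         # RHEL, Fedora, CentOS
    '/etc/ssl/ca-bundle.pem',                   # openSUSE
    '/etc/ssl/cert.pem',                        # macOS, OpenBSD
    '/usr/local/share/certs/ca-root-nss.crt',   # FreeBSD
);

# Return (source, path) for the first usable trust store, or an empty list.
sub find_ca_file {
    my @candidates = @_;
    # An operator-supplied bundle takes priority over anything auto-detected.
    for my $var (qw(PERL_LWP_SSL_CA_FILE HTTPS_CA_FILE)) {
        my $path = $ENV{$var};
        return ("env $var", $path) if defined $path && -r $path && -s $path;
    }
    # Mozilla::CA is optional: use it when present, carry on when it is not.
    my $moz = eval { require Mozilla::CA; Mozilla::CA::SSL_ca_file() };
    return ('Mozilla::CA', $moz) if defined $moz && -r $moz;
    for my $path (@candidates) {
        return ('system bundle', $path) if -r $path && -s $path;
    }
    return;
}

my ($source, $ca_file) = find_ca_file(@CA_CANDIDATES);
# Fail closed: never fall back to verify_hostname => 0 when no CA is found.
die "No CA bundle found; set PERL_LWP_SSL_CA_FILE to a PEM bundle\n"
    unless defined $ca_file;
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 1, SSL_ca_file => $ca_file },
);
print "Trust anchors: $ca_file ($source)\n";

# Fetch only when a URL is given, so the script also runs offline.
if (my $url = shift @ARGV) {
    my $response = $ua->get($url);
    if ($response->is_success) {
        print "Fetched ", length($response->decoded_content), " bytes.\n";
    } else {
        warn "Failed to fetch URL: ", $response->status_line, "\n";
    }
}
```

Run it with a URL argument, such as the https://www.perl.org/ address used earlier, to perform the verified request; without an argument it only reports which bundle was selected.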
