Apple broke LWP in a new and exciting way on 10.9.2.

Any ideas? It's not the same bug as last time.

    $ cmd='use LWP::UserAgent;
      print length(LWP::UserAgent->new->get
      ("https://www.facebook.com/media/set/?set=a.243839749129060.1073741851.158694774310225")
      ->decoded_content), "\n";'

    $ /usr/bin/perl -e "$cmd"
    158

    $ /opt/local/bin/perl -e "$cmd"
    20937

The error in the former case is this pack of lies:

    Can't connect to www.facebook.com:443 (Host is down)

    LWP::Protocol:: https::Socket: connect: Host is down at /Library/Perl/5.16/LWP/Protocol/http.pm line 51.
Tags: , , ,

10 Responses:

  1. Matt Sayler says:

    I'm guessing

    export PERL_LWP_SSL_VERIFY_HOSTNAME=0

    doesn't have anything to do with this, but on my 10.9.2 box I have to set this to get the command to work. (when I run the Perl w/o the length() wrapping it, I get a warning about SSL and CAs that directs me to this command. After setting it, everything works. I haven't done much CPAN on this box, so it's just the system packages as far as I know).

  2. If that is the case (and I think it is), then this might be helpful too: http://search.cpan.org/~gaas/LWP-Protocol-https-6.04/lib/LWP/Protocol/https.pm

    Install the Mozilla::CA module. This is a change of default (towards requiring certificate verification) that caught a lot of people unaware.

  3. Ingmar says:


    $ /usr/bin/perl -e 'use LWP::UserAgent; print LWP::UserAgent->new->get ("https://www.facebook.com/media/set/?set=a.243839749129060.1073741851.158694774310225") ->decoded_content'
    Can't verify SSL peers without knowing which Certificate Authorities to trust

    This problem can be fixed by either setting the PERL_LWP_SSL_CA_FILE
    envirionment variable or by installing the Mozilla::CA module.

    To disable verification of SSL peers set the PERL_LWP_SSL_VERIFY_HOSTNAME
    envirionment variable to 0. If you do this you can't be sure that you
    communicate with the expected peer.

    What was unclear about that?

    • Ingmar says:

      Apart from repeatedly spelling environment wrong, I mean.

    • jwz says:

      The error message I was getting is exactly what I pasted: it made no mention of Mozilla::CA or any of those variables.

      But some combination of installing Mozilla::CA and *re*installing LWP::Protocol::https seems to have fixed it.

      Ugh.

      • jwz says:

        Wait, no, that didn't fix it.

        The problem is now intermittent. WTF.

        • Ed says:

          The problem being intermittent is a special kind of hell. Have you tested this against a webserver with an SSL certificate that you know is good and valid and stable? I would hate for you to be spending your time debugging a fuckup on facebook's side of the fence.

      • Ingmar says:

        Odd. Mine is plain 10.9.2 (Perl 5.16.2) and I never touch CPAN (or Perl).

      • Nate says:

        In this case, it is now an improvement that they're verifying hostnames. SSL is pretty much useless without it. You just need a reasonable collection of certs and everything should work fine.

  4. anarcat says:

    I have similar problems with ikiwiki right now and, oh joy, Mozilla::CA is not in debian (and it seems it won't be).

    http://ikiwiki.info/bugs/openid_login_fails_wirth_Could_not_determine_ID_provider_from_URL/