15 Replies Latest reply on Jun 12, 2015 7:12 AM by gctdaTI

    SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!

    gman_84 Lurker
      Hi all, I am having trouble using the command below, using VMware-vSphere-Perl-SDK-5.1.0-780721.x86_64:
      VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local


      Which gives me this :
      Server version unavailable at 'https://10.10.10.1:443/sdk/vimService.wsdl' at /usr/share/perl5/VMware/VICommon.pm line 545.

      So I run this, which fixes the above error, which leads me to the next: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

       

      Run this command again:

       

      VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
      And now get this error:
      *******************************************************************
      Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
      is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
      together with SSL_ca_file|SSL_ca_path for verification.
      If you really don't want to verify the certificate and keep the
      connection open to Man-In-The-Middle attacks please set
      SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
         at /usr/local/share/perl5/LWP/Protocol/http.pm line 31
        
         vim +31 /usr/local/share/perl5/LWP/Protocol/http.pm
        
             my $sock = $self->socket_class->new(PeerAddr => $host,
                                              PeerPort => $port,
                                              LocalAddr => $self->{ua}{local_address},
                                              Proto    => 'tcp',
                                              Timeout  => $timeout,
                                              KeepAlive => !!$conn_cache,
                                              SendTE    => 1,
                                              $self->_extra_sock_opts($host, $port),
                                             );
      Now the next part I am confused on:...
      These links below might provide the answer as I am a newbie to all the Perl fun...
      Anyone know?
      Thanks
        • 1. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
          petersek Lurker

          I have been experiencing the same exact issue as well.  Hoping somebody can provide some input.

          • 2. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
            stumpr Master

            The maintainers of IO::Socket::SSL added the additional check in a recent version (1.79 maybe?).

             

            The problem, I believe, is that the LWP::UserAgent doesn't even expose the configuration options for environment variables.  To make it more complicated, the VMware VICommon.pm has two separate locations where UserAgent is created (Vim::query_server_version & SoapClient::new).  Both would have to be changed to effectively fix the issue.

             

            Just out of curiosity, what version of IO::Socket::SSL are you using?  Run the following to print out the version number.

             

            perl -M'IO::Socket::SSL' -e 'print "$IO::Socket::SSL::VERSION\n"'

             

             

            I haven't been able to try this since none of my environments are using one of the newest IO::Socket::SSL versions, but maybe try switching to Net::SSL as a work around?  Alternatively, perhaps drop down to an older version of IO::Socket::SSL.

             

            Try adding this to the end of your script, let me know if it works.  This _should_ switch to Net::SSL.  You may have to install Net::SSL. 

             

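            BEGIN {
               # Ask Net::HTTPS to use Net::SSL as the SSL socket class
               $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";
               # Turn off LWP's certificate hostname verification
               $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
            }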

            • 3. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
              stumpr Master

              I could only get that warning string if I explicitly imported IO::Socket::SSL in my script.  If I imported Net::SSL just after, it worked.

               

              If the BEGIN { } block doesn't fix it as specified above, try importing Net::SSL right after VMware::VIRuntime.

               

               

              use VMware::VIRuntime;
              use Net::SSL;

               

               

              There may be some preference (intended or not) for Net::SSL, or some other change in how LWP determines what SSL socket class to use.

               

              Let me know if either option works.  You may also need to install Net::SSL.

              • 4. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                gman_84 Lurker
                Hi stumpr,
                Thanks for your reply:
                I just downgraded to IO::Socket::SSL 1.77 as mentioned here: http://communities.vmware.com/thread/428081?tstart=0

                Threw this in the shell: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

                Tried the command again: VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
                It now lags for a while, then I get this awesome error

                 

                SOAP request error - possibly a protocol issue:
                Then it spits a tonne of XML on the server details etc...

                Did a: cpan > install Net::SSL. Found out it was already installed and I am using Net::SSL (2.85).


                Added this to: 
                BEGIN {
                   $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";
                   $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
                }
                vim /usr/share/perl5/VMware/VICommon.pm
                No difference. Am I altering the right file? Sorry, MASSIVE Perl newbie, so I am going to need step-by-step instructions....

                 

                Thanks

                • 5. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                  gman_84 Lurker

                  OK, so then I searched these forums some more and found an answer to the LAG SOAP error and used someone's solution to this:

                   

                   

                  Start cpan shell: perl -MCPAN -e shell
                  In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz

                   

                  VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local

                   

                  virtual machine 'testhost.test.local' under host  reset successfully


                  It then worked

                   

                   

                  Seriously a freaken pain:

                   

                  * Downgrade to IO-Socket-SSL from 1.77

                  * Use these instructions next:

                   

                  Start cpan shell: perl -MCPAN -e shell
                  In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz
                  Let me know how you guys go. I have a dream of having a Linux / Pacemaker cluster one day and need this for "Fencing"...

                  • 6. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                    stumpr Master

                    The IO::Socket::SSL update really shook things up and the modules that depend on it don't have the fall through options to modify the underlying ssl_opts built in.  It's a bit of a mess :/

                     

                    To be fair, it's not really a VMware SDK issue, but I do think some enhancements could be added to support it better.  It's a legitimate concern to stress the issue of blindly trusting certificates. 

                     

                    I suppose the proper solution would be to write a utility script to accept and build a certificate store that can be accessed with the CA ENV options that IO::Socket::SSL wants instead of SSL_verify_none.

                    • 7. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                      degdoo Lurker

                      I have gotten the same problem and now, I found out the cause for my environment.

                       

                      1. https_proxy

                      My environment is behind a proxy, and "export https_proxy=..." seemed to be evil for vCLI.

                      If you are using proxy, try "unset https_proxy".

                       

                      2. Perl_module version

                      As mentioned in http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP/UserAgent.pm,

                      LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate matching the expected hostname.

                      in newer version than libwww-perl-5.837. libwww-perl-5.837 and earlier releases have no problem.

                       

                      So what I did is,

                       

                      remove ~/.cpan files and reinstall libwww-perl for my env.

                       

                      cpan> i /libwww-perl/

                      ...

                      Distribution    GAAS/libwww-perl-5.837.tar.gz
                      Distribution    GAAS/libwww-perl-6.01.tar.gz
                      Distribution    GAAS/libwww-perl-6.04.tar.gz
                      Author          LWWWP ("The libwww-perl mailing list" <libwww@perl.org>)
                      4 items found
                      cpan> install GAAS/libwww-perl-5.837.tar.gz
                      and now, my vCLI is working well.

                      Hope this helps you.

                      • 8. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                        calba Lurker

                        Hi,

                         

                        It seems it was deprecated when LWP changed from 5.8x to 6.0. The culprit is LWP::UserAgent.

                         

                        You can bypass the issue by downloading the SSL certificate from the vCenter and setting HTTPS_CA_FILE=MyCertFile.

                         

                        Since there is -for now, I hope- what to disable the check enforcement on the LWP module, would it be possible to add the cert file as one of the standard parameters on the Perl SDK?

                         

                        Cheers

                        César
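
Added example (not part of any post in this thread): one way to do what replies 6 and 8 describe, keeping verification on by trusting the server's own certificate through HTTPS_CA_FILE. The function names and the /etc/vmware-vcli-ca.pem path are hypothetical; it assumes the openssl command-line tool is installed, that the expected fingerprint was read out-of-band from the host itself, and that the certificate names the address used in VI_SERVER.

```shell
#!/bin/sh
# Added example: pin a vCenter/ESXi certificate instead of disabling checks.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
cert_fingerprint() {    # usage: cert_fingerprint CERT.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null |
        cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Download the certificate the server presents. Nothing is trusted at this
# point; the PEM is only saved so that its fingerprint can be checked.
fetch_server_cert() {   # usage: fetch_server_cert HOST OUTFILE
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$2"
}

# Copy CANDIDATE to CA_FILE only if its fingerprint equals EXPECTED.
# EXPECTED may be given with or without colons, in either letter case.
trust_pinned_cert() {   # usage: trust_pinned_cert CANDIDATE EXPECTED CA_FILE
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, not trusting $1 (got: $actual)" >&2
        return 1
    fi
    cp "$1" "$3" && chmod 644 "$3"
}

# Typical session (hypothetical paths; FP_FROM_CONSOLE is the value read
# from the host's own console, not from the network):
#   fetch_server_cert 10.10.10.1 /tmp/vc.pem
#   trust_pinned_cert /tmp/vc.pem "$FP_FROM_CONSOLE" /etc/vmware-vcli-ca.pem
#   unset PERL_LWP_SSL_VERIFY_HOSTNAME
#   HTTPS_CA_FILE=/etc/vmware-vcli-ca.pem VI_SERVER=10.10.10.1 \
#     /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset \
#     --vmname testhost.test.local
```

Because the CA file is passed through the environment, neither of the two UserAgent locations in VICommon.pm mentioned in reply 2 has to be edited.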

                        • 9. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                          Pumpkinh Lurker

                          export PERL_LWP_SSL_VERIFY_HOSTNAME=0

                          It works.

                          • 10. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                            gerritl Lurker

                            Hi

                             

                            Thank you SO much, degdoo, your post sorted me after many hours of trawling through the Net!

                             

                            I run Open SuSE 11.4 as a standalone server, trying to connect to my ESXi 5.0 server, and had endless trouble trying to run any vSphere SDK for Perl script (like the connect.pl)

                             

                            I installed vSphere SDK for Perl on a standalone server, with the aim to run the HealthCheck script on it.

                             

                            I got these errors:

                             

                            Server version unavailable at 'https://X.X.X.X:443/sdk/vimService.wsdl' at /usr/lib/perl5/5.12.3/VMware/VICommon.pm line 545, <STDIN> line 2.

                             

                            I also set the environment variable:

                             

                            export PERL_LWP_SSL_VERIFY_HOSTNAME=0

                             

                            This resulted in the following error, plus a very long wait, and finally, another error:

                             

                            ------------------------------------------------------------------------------------------------------------------------------------------------

                             

                            *******************************************************************
                            Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
                            is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
                            together with SSL_ca_file|SSL_ca_path for verification.
                            If you really don't want to verify the certificate and keep the
                            connection open to Man-In-The-Middle attacks please set
                            SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
                            *******************************************************************
                              at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
                            *******************************************************************
                            Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
                            is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
                            together with SSL_ca_file|SSL_ca_path for verification.
                            If you really don't want to verify the certificate and keep the
                            connection open to Man-In-The-Middle attacks please set
                            SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
                            *******************************************************************
                              at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
                            *******************************************************************
                            Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
                            is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
                            together with SSL_ca_file|SSL_ca_path for verification.
                            If you really don't want to verify the certificate and keep the
                            connection open to Man-In-The-Middle attacks please set
                            SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
                            *******************************************************************
                              at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
                            Connection Successful
                            SOAP request error - possibly a protocol issue: <?xml version="1.0" encoding="UTF-8"?>
                            <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                            <soapenv:Body>
                            <RetrievePropertiesResponse xmlns="urn:vim25"><returnval><obj type="ServiceInstance">ServiceInstance</obj><propSet><name>capability</name><val xsi:type="Capability"><provisioningSupported>false</provisioningSupported><multiHostSupported>false</multiHostSupported><userShellAccessSupported>true</userShellAccessSupported></val></propSet><propSet><name>content</name><val xsi:type="ServiceContent"><rootFolder type="Folder">ha-folder-root</rootFolder><propertyCollector type="PropertyCollector">ha-property-collector</propertyCollector><viewManager type="ViewManager">V

                            ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

                             

                            I followed the instructions posted by "degdoo", installing "libwww-perl" as instructed.

                             

                            This works 100% now, and I don't even have to set the environment variable as listed above!

                             

                            Thanks again, this was very useful, and saved me a lot of time.

                            • 11. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                              cawley Lurker

                              install GAAS/libwww-perl-5.837.tar.gz

                              Also, worked for me - Thanks

                              Chris

                              • 13. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                                user9876 Lurker

                                Hey! I also have the same problem, but unfortunately degdoo's advice didn't help....

                                Does anyone know how to solve this issue?

                                 

                                 

                                Thanks

                                • 14. Re: SSL_verify_mode of SSL_VERIFY_NONE for client  is depreciated!
                                  nitinaran Lurker

                                  Thanks a lot degdoo.

                                   

                                  I was having the same problem and your solution resolved the problem for me.
