VMware {code} Community
gman_84
Contributor

SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

Hi all, I am having trouble using the command below, with VMware-vSphere-Perl-SDK-5.1.0-780721.x86_64:
VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local


Which gives me this:
Server version unavailable at 'https://10.10.10.1:443/sdk/vimService.wsdl' at /usr/share/perl5/VMware/VICommon.pm line 545.

So I run this, which fixes the above error and leads me to the next one: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

Run this command again:

VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
And now get this error:
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
   at /usr/local/share/perl5/LWP/Protocol/http.pm line 31
  
   vim +31 /usr/local/share/perl5/LWP/Protocol/http.pm
  
       my $sock = $self->socket_class->new(PeerAddr => $host,
                                        PeerPort => $port,
                                        LocalAddr => $self->{ua}{local_address},
                                        Proto    => 'tcp',
                                        Timeout  => $timeout,
                                        KeepAlive => !!$conn_cache,
                                        SendTE    => 1,
                                        $self->_extra_sock_opts($host, $port),
                                       );
Now the next part I am confused on:...
These links below might provide the answer as I am a newbie to all the Perl fun...
Anyone know?
Thanks
15 Replies
petersek
Contributor

I have been experiencing the same exact issue as well.  Hoping somebody can provide some input.

stumpr
Virtuoso

The maintainers of IO::Socket::SSL added the additional check in a recent version (1.79 maybe?).

The problem, I believe, is that the LWP::UserAgent doesn't even expose the configuration options for environment variables.  To make it more complicated, the VMware VICommon.pm has two separate locations where UserAgent is created (Vim::query_server_version & SoapClient::new).  Both would have to be changed to effectively fix the issue.

Just out of curiosity, what version of IO::Socket::SSL are you using?  Run the following to print out the version number.

perl -M'IO::Socket::SSL' -e 'print "$IO::Socket::SSL::VERSION\n"'

I haven't been able to try this since none of my environments are using one of the newest IO::Socket::SSL versions, but maybe try switching to Net::SSL as a workaround?  Alternatively, perhaps drop down to an older version of IO::Socket::SSL.

Try adding this to the end of your script, let me know if it works.  This _should_ switch to Net::SSL.  You may have to install Net::SSL. 

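BEGIN {
   # Make LWP use Net::SSL (Crypt::SSLeay) instead of IO::Socket::SSL
   $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";
   # Turns off hostname verification of the server certificate
   $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
}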

Reuben Stump | http://www.virtuin.com | @ReubenStump
stumpr
Virtuoso

I could only get that warning string if I explicitly imported IO::Socket::SSL in my script.  If I imported Net::SSL just after, it worked.

If the BEGIN { } block doesn't fix it as specified above, try importing Net::SSL right after VMware::VIRuntime.

use VMware::VIRuntime;
use Net::SSL;

There may be some preference (intended or not) for Net::SSL, or some other change in how LWP determines which SSL socket class to use.

Let me know if either option works.  You may also need to install Net::SSL.

Reuben Stump | http://www.virtuin.com | @ReubenStump
gman_84
Contributor

Hi stumpr,
Thanks for your reply:
I just downgraded to IO::Socket::SSL 1.77 as mentioned here: http://communities.vmware.com/thread/428081?tstart=0

Threw this in the shell: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

Tried the command again: VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
It now lags for a while, then I get this awesome error :)

SOAP request error - possibly a protocol issue:
Then it spits a tonne of XML on the server details etc...

Did a: cpan> install Net::SSL: found out it was already installed and I am using Net::SSL (2.85).


Added this to: 
BEGIN {
   $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";
   $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
}
vim /usr/share/perl5/VMware/VICommon.pm
No difference. Am I altering the right file? Sorry, MASSIVE Perl newbie, so I am going to need step-by-step instructions....

Thanks

gman_84
Contributor

OK, so then I searched these forums some more and found an answer to the LAG SOAP error and used someone's solution to this:

Start cpan shell: perl -MCPAN -e shell
In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz

VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local

virtual machine 'testhost.test.local' under host  reset successfully


It then worked :)

Seriously a freaken pain:

* Downgrade to IO-Socket-SSL from 1.77

* Use these instructions next:

Start cpan shell: perl -MCPAN -e shell
In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz
Let me know how you guys go. I have a dream of having a Linux / Pacemaker cluster one day and need this for "Fencing"...

stumpr
Virtuoso

The IO::Socket::SSL update really shook things up and the modules that depend on it don't have the fall through options to modify the underlying ssl_opts built in.  It's a bit of a mess 😕

To be fair, it's not really a VMware SDK issue, but I do think some enhancements could be added to support it better.  It's a legitimate concern to stress the issue of blindly trusting certificates. 

I suppose the proper solution would be to write a utility script to accept and build a certificate store that can be accessed with the CA ENV options that IO::Socket::SSL wants instead of SSL_verify_none.

Reuben Stump | http://www.virtuin.com | @ReubenStump
degdoo
Contributor

I have gotten the same problem and now, I found out the cause for my environment.

1. https_proxy

My environment is behind a proxy, and "export https_proxy=..." seemed to be evil for vCLI.

If you are using proxy, try "unset https_proxy".

2. Perl_module version

As mentioned in http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP/UserAgent.pm,

LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate matching the expected hostname.

in versions newer than libwww-perl-5.837. libwww-perl-5.837 and earlier releases have no problem.

So what I did is,

remove ~/.cpan files and reinstall libwww-perl for my env.

cpan> i /libwww-perl/

...

Distribution    GAAS/libwww-perl-5.837.tar.gz
Distribution    GAAS/libwww-perl-6.01.tar.gz
Distribution    GAAS/libwww-perl-6.04.tar.gz
Author          LWWWP ("The libwww-perl mailing list" <libwww@perl.org>)
4 items found
cpan> install GAAS/libwww-perl-5.837.tar.gz
and now, my vCLI is working well.

Hope this helps you.

calba
Contributor

Hi,

It seems it was deprecated when LWP changed from 5.8x to 6.0. The culprit is LWP::UserAgent.

You can bypass the issue by downloading the SSL certificate from the vCenter and setting HTTPS_CA_FILE=MyCertFile.

Since there is -for now, I hope- what to disable the check enforcement on the LWP module, would it be possible to add the cert file as one of the standard parameters on the Perl SDK?

Cheers

César

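Added example (not from any poster in this thread and not part of the vSphere SDK): the approach calba describes, and the certificate-store idea stumpr raises earlier, as a shell wrapper that pins the server certificate by SHA-256 fingerprint and then runs a vCLI command with HTTPS_CA_FILE set and hostname checking left on. The function names and the out-of-band fingerprint argument are assumptions; it also assumes the server presents a self-signed certificate and that you connect using the name that certificate carries.

```sh
#!/bin/sh
# Added example: pin the server certificate instead of switching verification off.
# Function names and arguments are illustrative, not part of vCLI.

# Reduce "SHA256 Fingerprint=AB:CD:..." or "abcd..." to bare upper-case hex.
norm_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# True only if both values are the same well-formed SHA-256 fingerprint.
fp_matches() {
    a=$(norm_fp "$1")
    b=$(norm_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Save the certificate the server presents. Nothing is trusted yet:
# this connection is unauthenticated, so the file is only a candidate.
fetch_cert() {    # $1 = host, $2 = output PEM file
    openssl s_client -connect "$1:443" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$2"
}

# run_verified HOST EXPECTED_FP COMMAND [ARGS...]
# EXPECTED_FP must come from a trusted channel, not from the network.
run_verified() {
    host=$1 want=$2
    shift 2
    pem=$(mktemp) || return 1
    if ! fetch_cert "$host" "$pem"; then
        rm -f "$pem"; return 1
    fi
    got=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if ! fp_matches "$got" "$want"; then
        echo "fingerprint mismatch for $host, not trusting it" >&2
        rm -f "$pem"; return 1
    fi
    # LWP reads HTTPS_CA_FILE; hostname checking stays enabled.
    HTTPS_CA_FILE=$pem PERL_LWP_SSL_VERIFY_HOSTNAME=1 VI_SERVER=$host "$@"
    rc=$?
    rm -f "$pem"
    return $rc
}
```

Call it as run_verified HOST FINGERPRINT followed by the vmcontrol.pl command line from the first post; VI_CREDSTORE is passed through from the calling environment.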
Pumpkinh
Contributor

export PERL_LWP_SSL_VERIFY_HOSTNAME=0

It works.

gerritl
Contributor

Hi

Thank you SO much, degdoo, your post sorted me after many hours of trawling through the Net!

I run Open SuSE 11.4 as a standalone server, trying to connect to my ESXi 5.0 server, and had endless trouble trying to run any vSphere SDK for Perl script (like the connect.pl)

I installed vSphere SDK for Perl on a standalone server, with the aim to run the HealthCheck script on it.

I got these errors:

Server version unavailable at 'https://X.X.X.X:443/sdk/vimService.wsdl' at /usr/lib/perl5/5.12.3/VMware/VICommon.pm line 545, <STDIN> line 2.

I also set the environment variable:

export PERL_LWP_SSL_VERIFY_HOSTNAME=0

This resulted in the following error, plus a very long wait, and finally, another error:

------------------------------------------------------------------------------------------------------------------------------------------------

*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
*******************************************************************
Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
together with SSL_ca_file|SSL_ca_path for verification.
If you really don't want to verify the certificate and keep the
connection open to Man-In-The-Middle attacks please set
SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
*******************************************************************
  at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
Connection Successful
SOAP request error - possibly a protocol issue: <?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
<soapenv:Body>
<RetrievePropertiesResponse xmlns="urn:vim25"><returnval><obj type="ServiceInstance">ServiceInstance</obj><propSet><name>capability</name><val xsi:type="Capability"><provisioningSupported>false</provisioningSupported><multiHostSupported>false</multiHostSupported><userShellAccessSupported>true</userShellAccessSupported></val></propSet><propSet><name>content</name><val xsi:type="ServiceContent"><rootFolder type="Folder">ha-folder-root</rootFolder><propertyCollector type="PropertyCollector">ha-property-collector</propertyCollector><viewManager type="ViewManager">V

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

I followed the instructions posted by "degdoo", installing "libwww-perl" as instructed.

This works 100% now, and I don't even have to set the environment variable as listed above!

Thanks again, this was very useful, and saved me a lot of time.

cawley
Contributor

install GAAS/libwww-perl-5.837.tar.gz

Also, worked for me - Thanks

Chris

MR-Z
VMware Employee

works for me!

user9876
Contributor

Hey! I also have the same problem, but unfortunately degdoo's advice didn't help....

Does anyone know how to solve this issue?

Thanks

nitinaran
Contributor

Thanks a lot degdoo.

I was having the same problem and your solution resolved the problem for me.

gctdaTI
Contributor

Thanks, your info made my day end with a smile!
