SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

  • 1.  SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 11, 2012 05:41 AM
    Hi All, I am having trouble using the below command, using VMware-vSphere-Perl-SDK-5.1.0-780721.x86_64:
    VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local


    Which gives me this :
    Server version unavailable at 'https://10.10.10.1:443/sdk/vimService.wsdl' at /usr/share/perl5/VMware/VICommon.pm line 545.

    So I run this, which fixes the above error, which leads me to the next: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

    Run this command again:

    VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
    And now get this error:
    *******************************************************************
    Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
    is depreciated! Please set SSL_verify_mode to SSL_VERIFY_PEER
    together with SSL_ca_file|SSL_ca_path for verification.
    If you really don't want to verify the certificate and keep the
    connection open to Man-In-The-Middle attacks please set
    SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
       at /usr/local/share/perl5/LWP/Protocol/http.pm line 31
      
       vim +31 /usr/local/share/perl5/LWP/Protocol/http.pm
      
           my $sock = $self->socket_class->new(PeerAddr => $host,
                                            PeerPort => $port,
                                            LocalAddr => $self->{ua}{local_address},
                                            Proto    => 'tcp',
                                            Timeout  => $timeout,
                                            KeepAlive => !!$conn_cache,
                                            SendTE    => 1,
                                            $self->_extra_sock_opts($host, $port),
                                           );
    Now the next part I am confused on:...
    These links below might provide the answer as I am a newbie to all the Perl fun...
    Anyone know?
    Thanks


  • 2.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 11, 2012 10:53 PM

    I have been experiencing the same exact issue as well.  Hoping somebody can provide some input.



  • 3.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 12, 2012 04:44 AM

    The maintainers of IO::Socket::SSL added the additional check in a recent version (1.79 maybe?).

    The problem, I believe, is that the LWP::UserAgent doesn't even expose the configuration options for environment variables.  To make it more complicated, the VMware VICommon.pm has two separate locations where UserAgent is created (Vim::query_server_version & SoapClient::new).  Both would have to be changed to effectively fix the issue.

    Just out of curiosity, what version of IO::Socket::SSL are you using?  Run the following to print out the version number.

    perl -M'IO::Socket::SSL' -e 'print "$IO::Socket::SSL::VERSION\n"'

    I haven't been able to try this since none of my environments are using one of the newest IO::Socket::SSL versions, but maybe try switching to Net::SSL as a work around?  Alternatively, perhaps drop down to an older version of IO::Socket::SSL.

    Try adding this to the end of your script, let me know if it works.  This _should_ switch to Net::SSL.  You may have to install Net::SSL. 

    BEGIN {

       $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";

       $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;

    }



  • 4.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 12, 2012 05:06 AM

    I could only get that warning string if I explicitly imported IO::Socket::SSL in my script.  If I imported Net::SSL just after, it worked.

    If the BEGIN { } block doesn't fix it as specified above, try importing Net::SSL right after VMware::VIRuntime.

    use VMware::VIRuntime;
    use Net::SSL;

    There may be some preference (intended or not) for Net::SSL, or some other change in how LWP determines what SSL socket class to use.

    Let me know if either option works.  You may also need to install Net::SSL.



  • 5.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 12, 2012 05:46 AM
    Hi stumpr,
    Thanks for your reply:
    I just downgraded to IO::Socket::SSL 1.77 as mentioned here: http://communities.vmware.com/thread/428081?tstart=0

    Threw this in the shell: export PERL_LWP_SSL_VERIFY_HOSTNAME=0

    Tried the command again: VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local
    It now lags for a while, then I get this awesome error:

    SOAP request error - possibly a protocol issue:
    Then it spits a tonne of XML on the server details etc...

    Did a: cpan > install Net::SSL: found out it was already installed and I am using Net::SSL (2.85).


    Added this to: 
    BEGIN {
       $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = "Net::SSL";
       $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0;
    }
    vim /usr/share/perl5/VMware/VICommon.pm
    No difference. Am I altering the right file? Sorry, MASSIVE Perl newbie, so I am going to need step by step instructions....

    Thanks



  • 6.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 12, 2012 06:01 AM

    Ok, so then I searched these forums some more and found an answer to the LAG SOAP error and used someone's solution to this:

    Start cpan shell: perl -MCPAN -e shell
    In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz

    VI_SERVER=10.10.10.1 VI_CREDSTORE=/etc/vicredentials.xml /usr/lib/vmware-vcli/apps/vm/vmcontrol.pl --operation reset --vmname testhost.test.local

    virtual machine 'testhost.test.local' under host  reset successfully


    It then worked

    Seriously a freaking pain:

    * Downgrade to IO-Socket-SSL from 1.77

    * Use these instructions next:

    Start cpan shell: perl -MCPAN -e shell
    In the shell, type: install GAAS/Net-HTTP-6.03.tar.gz
    Let me know how you guys go I have a dream of having a Linux / Pacemaker cluster one day and need this for "Fencing"...



  • 7.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 12, 2012 02:04 PM

    The IO::Socket::SSL update really shook things up and the modules that depend on it don't have the fall through options to modify the underlying ssl_opts built in.  It's a bit of a mess :/

    To be fair, it's not really a VMware SDK issue, but I do think some enhancements could be added to support it better.  It's a legitimate concern to stress the issue of blindly trusting certificates. 

    I suppose the proper solution would be to write a utility script to accept and build a certificate store that can be accessed with the CA ENV options that IO::Socket::SSL wants instead of SSL_verify_none.



  • 8.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Dec 26, 2012 04:38 PM

    I have gotten the same problem and now, I found out the cause for my environment.

    1. https_proxy

    My environment is behind a proxy, and "export https_proxy=..." seemed to be evil for vCLI.

    If you are using proxy, try "unset https_proxy".

    2. Perl_module version

    As mentioned in http://search.cpan.org/~gaas/libwww-perl-6.04/lib/LWP/UserAgent.pm,

    LWP will for secure protocol schemes ensure it connects to servers that have a valid certificate matching the expected hostname.

    in newer version than libwww-perl-5.837. libwww-perl-5.837 and earlier releases have no problem.

    So what I did is,

    remove ~/.cpan files and reinstall libwww-perl for my env.

    cpan> i /libwww-perl/

    ...

    Distribution    GAAS/libwww-perl-5.837.tar.gz
    Distribution    GAAS/libwww-perl-6.01.tar.gz
    Distribution    GAAS/libwww-perl-6.04.tar.gz
    Author          LWWWP ("The libwww-perl mailing list" <libwww@perl.org>)
    4 items found
    cpan> install GAAS/libwww-perl-5.837.tar.gz
    and now, my vCLI is working well.

    Hope this helps you.



  • 9.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Feb 27, 2013 10:29 AM

    Hi

    Thank you SO much, degdoo, your post sorted me after many hours of trawling through the Net!

    I run Open SuSE 11.4 as a standalone server, trying to connect to my ESXi 5.0 server, and had endless trouble trying to run any vSphere SDK for Perl script (like the connect.pl)

    I installed vSphere SDK for Perl on a standalone server, with the aim to run the HealthCheck script on it.

    I got these errors:

    Server version unavailable at 'https://X.X.X.X:443/sdk/vimService.wsdl' at /usr/lib/perl5/5.12.3/VMware/VICommon.pm line 545, <STDIN> line 2.

    I also set the environment variable:

    export PERL_LWP_SSL_VERIFY_HOSTNAME=0

    This resulted in the following error, plus a very long wait, and finally, another error:

    ------------------------------------------------------------------------------------------------------------------------------------------------

    *******************************************************************
    Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
    is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
    together with SSL_ca_file|SSL_ca_path for verification.
    If you really don't want to verify the certificate and keep the
    connection open to Man-In-The-Middle attacks please set
    SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************
      at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
    *******************************************************************
    Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
    is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
    together with SSL_ca_file|SSL_ca_path for verification.
    If you really don't want to verify the certificate and keep the
    connection open to Man-In-The-Middle attacks please set
    SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************
      at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
    *******************************************************************
    Using the default of SSL_verify_mode of SSL_VERIFY_NONE for client
    is deprecated! Please set SSL_verify_mode to SSL_VERIFY_PEER
    together with SSL_ca_file|SSL_ca_path for verification.
    If you really don't want to verify the certificate and keep the
    connection open to Man-In-The-Middle attacks please set
    SSL_verify_mode explicitly to SSL_VERIFY_NONE in your application.
    *******************************************************************
      at /usr/lib/perl5/site_perl/5.12.3/LWP/Protocol/http.pm line 31
    Connection Successful
    SOAP request error - possibly a protocol issue: <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    <soapenv:Body>
    <RetrievePropertiesResponse xmlns="urn:vim25"><returnval><obj type="ServiceInstance">ServiceInstance</obj><propSet><name>capability</name><val xsi:type="Capability"><provisioningSupported>false</provisioningSupported><multiHostSupported>false</multiHostSupported><userShellAccessSupported>true</userShellAccessSupported></val></propSet><propSet><name>content</name><val xsi:type="ServiceContent"><rootFolder type="Folder">ha-folder-root</rootFolder><propertyCollector type="PropertyCollector">ha-property-collector</propertyCollector><viewManager type="ViewManager">V

    ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    I followed the instructions posted by "degdoo", installing "libwww-perl" as instructed.

    This works 100% now, and I don't even have to set the environment variable as listed above!

    Thanks again, this was very useful, and saved me a lot of time.



  • 10.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Apr 10, 2013 02:29 PM

    install GAAS/libwww-perl-5.837.tar.gz

    Also, worked for me - Thanks

    Chris



  • 11.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Broadcom Employee
    Posted Nov 09, 2013 08:26 AM

    works for me!



  • 12.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Nov 03, 2014 11:22 AM

    Thanks a lot degdoo.

    I was having the same problem and your solution resolved the problem for me.



  • 13.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Jun 12, 2015 02:13 PM

    Thanks, your info made my day end with a smile!



  • 14.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Jan 12, 2013 12:11 PM

    Hi,

    It seems it was deprecated when LWP changed from 5.8x to 6.0. The culprit is LWP::UserAgent.

    You can bypass the issue by downloading the SSL certificate from the vCenter and setting HTTPS_CA_FILE=MyCertFile.

    Since there is -for now, I hope- what to disable the check enforcement on the LWP module, would it be possible to add the cert file as one of the standard parameters on the Perl SDK?

    Cheers

    César
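
Added example, not from any poster or from the VMware SDK: posts 7 and 14 both point at trusting the server's certificate through a CA file rather than disabling verification, and this script does that by accepting the certificate only after its SHA-256 fingerprint matches one obtained out of band. It assumes the `openssl` CLI, a self-signed server certificate whose name matches the value in `VI_SERVER`, and hypothetical function names and file paths.

```sh
#!/bin/sh
# Added example (not VMware's code): trust one verified certificate instead of
# turning verification off. Assumes the openssl CLI; all paths are hypothetical.

# Reduce any fingerprint spelling ("sha256 Fingerprint=AA:bb:..", "aa bb ..")
# to bare upper-case hex so values from two sources can be compared.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Save the certificate the server presents as PEM. Nothing is trusted yet.
fetch_cert() {   # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Print the SHA-256 fingerprint line of a PEM certificate.
cert_fp() {      # cert_fp PEMFILE
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Copy PEMFILE to CAFILE only if its fingerprint equals EXPECTED, which must
# come from a trusted channel (for example the host's own console).
pin_cert() {     # pin_cert PEMFILE EXPECTED CAFILE
    actual=$(normalize_fp "$(cert_fp "$1")")
    wanted=$(normalize_fp "$2")
    # An empty fingerprint means openssl could not read the file: never a match.
    if [ -z "$actual" ] || [ "$actual" != "$wanted" ]; then
        echo "fingerprint mismatch: refusing to trust $1" >&2
        return 1
    fi
    cp "$1" "$3" && chmod 0644 "$3"
}

# Usage: pin.sh HOST EXPECTED_SHA256 CAFILE
if [ $# -eq 3 ]; then
    tmp=$(mktemp) && fetch_cert "$1" 443 "$tmp" && pin_cert "$tmp" "$2" "$3"
    rc=$?; rm -f "$tmp"
    [ $rc -eq 0 ] && echo "export HTTPS_CA_FILE=$3"
    exit $rc
fi
```

After a successful pin, export `HTTPS_CA_FILE` with the pinned file's path and leave `PERL_LWP_SSL_VERIFY_HOSTNAME` unset so LWP keeps verifying the server.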



  • 15.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Feb 04, 2013 05:24 PM

    export PERL_LWP_SSL_VERIFY_HOSTNAME=0

    It works.



  • 16.  RE: SSL_verify_mode of SSL_VERIFY_NONE for client is depreciated!

    Posted Jan 09, 2014 03:46 PM

    Hey! I also have the same problem, but unfortunately degdoo's advice didn't help....

    Does anyone know how to solve this issue?

    Thanks