Cadz

Reputation: 151

How to do insecure SSL connection in REST::Client perl

I'm trying to replicate my curl command as a REST::Client API call.

Curl command: curl -i --insecure -X POST -u username:password https://url

Take note of the --insecure.

For some reason, the API call should be like that when using curl.

So I have to replicate this using a REST::Client API call.

Upvotes: 1

Views: 1887

Answers (2)

reepy

Reputation: 18

I've used a badssl.com example which you'll have to update:

#!/usr/bin/perl -w
use strict;
use REST::Client;
my $client = REST::Client->new();
$client->getUseragent()->ssl_opts(verify_hostname => 0); # --insecure
# -u; LWP matches the netloc as host:port, and the realm must match the one the server sends
$client->getUseragent()->credentials("expired.badssl.com:443", "", "username", "password");
$client->POST("https://expired.badssl.com/"); # -X
print $client->responseContent(); # Print the response

Upvotes: 0

Steffen Ullrich

Reputation: 123320

I have not tried it, but from reading the documentation it is possible to use REST::Client with an existing LWP::UserAgent object. Then this would look something like this:

use LWP::UserAgent;
use REST::Client;

my $ua = LWP::UserAgent->new;
$ua->ssl_opts(SSL_verify_mode => 0); # maybe need verify_hostname => 0 too
my $client = REST::Client->new(useragent => $ua); # hand the preconfigured agent to REST::Client

Note that disabling certificate validation using ssl_opts can be tricky since depending on the version of LWP::UserAgent used and the patches added by the distribution it will override options from IO::Socket::SSL in an interesting way.

Note also that disabling certificate validation is a very bad idea in the first place since it makes man-in-the-middle attacks undetectable. It is instead recommended that you specify the CA used for issuing the server's certificate using SSL_ca_file and, if necessary, specify the hostname which should be used for validation with SSL_verifycn_name. Alternatively, you can specify the expected certificate with SSL_fingerprint.

Upvotes: 3
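An added example, not part of either answer: one way to keep validation on as the answer above recommends, trusting a specific CA file (SSL_ca_file, optionally SSL_verifycn_name) or pinning the certificate (SSL_fingerprint). The helper names `pinned_ssl_opts` and `build_client`, the command-line arguments and the credentials are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;                  # exports SSL_VERIFY_PEER
use LWP::UserAgent;
use MIME::Base64 qw(encode_base64);
use REST::Client;

# Hypothetical helper: build ssl_opts that keep verification on. Exactly one
# trust anchor is accepted: a CA file or a certificate fingerprint.
sub pinned_ssl_opts {
    my (%arg) = @_;
    die "give ca_file or fingerprint, not both\n"
        unless defined $arg{ca_file} xor defined $arg{fingerprint};
    if (defined $arg{fingerprint}) {
        # IO::Socket::SSL expects 'algo$hex'; colons in the hex are ignored
        $arg{fingerprint} =~ /\A(?:sha1|sha256)\$[0-9A-Fa-f:]+\z/
            or die "fingerprint must look like sha256\$<hex>\n";
        return (SSL_fingerprint => $arg{fingerprint});
    }
    -r $arg{ca_file} or die "cannot read CA file $arg{ca_file}\n";
    my %opts = (
        verify_hostname => 1,
        SSL_verify_mode => SSL_VERIFY_PEER,
        SSL_ca_file     => $arg{ca_file},
    );
    # Only needed when the URL host differs from the name in the certificate
    $opts{SSL_verifycn_name} = $arg{cn_name} if defined $arg{cn_name};
    return %opts;
}

# Hypothetical helper: REST::Client on top of the pinned LWP::UserAgent.
sub build_client {
    my ($user, $pass, %trust) = @_;
    my $ua = LWP::UserAgent->new(ssl_opts => { pinned_ssl_opts(%trust) });
    my $client = REST::Client->new(useragent => $ua);
    # curl -u sends Basic auth up front; do the same with a header
    $client->addHeader(Authorization =>
        'Basic ' . encode_base64("$user:$pass", ''));
    return $client;
}

# Usage (assumed arguments): script.pl https://host/path /path/to/ca.pem
my ($url, $ca_file) = @ARGV;
if (defined $url && defined $ca_file) {
    my $client = build_client('username', 'password', ca_file => $ca_file);
    $client->POST($url);
    printf "%s\n%s\n", $client->responseCode(), $client->responseContent();
}
```

If the certificate does not chain to the given CA or does not match the fingerprint, the handshake fails and REST::Client reports it through `responseCode()` and `responseContent()` instead of returning the server's reply.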
