Disabling SSL checks in recent versions of WWW::Mechanize

I've been scratching my head for a while: a script using WWW::Mechanize that works perfectly on my workstation's Ubuntu 10.04 LTS didn't want to work on my new laptop's Linux Mint Debian Edition. The script fetches content via HTTPS from an internal site of ours that uses a certificate from our internal CA.

After checking some obvious stuff, I suspected that the reason was the SSL certificate issued by an unknown certification authority. A quick capture with Wireshark confirmed that: "TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)".

I needed to make WWW::Mechanize less picky, but the man page didn't say anything about the problem, nor did the FAQ. Some more googling showed that the problem was one layer down: LWP::UserAgent (a fundamental component in WWW::Mechanize). As the man page puts it:

           "verify_hostname" => $bool
               When TRUE LWP will for secure protocol schemes ensure
               it connects to servers that have a valid certificate
               matching the expected hostname.  If FALSE no checks are
               made and you can't be sure that you communicate with
               the expected peer.  The no checks behaviour was the
               default for libwww-perl-5.837 and earlier releases.

               This option is initialized from the
               PERL_LWP_SSL_VERIFY_HOSTNAME environment variable.  If
               this environment variable isn't set; then
               "verify_hostname" defaults to 1.

So: the default behaviour has changed, and LWP::UserAgent now defaults to being picky when it comes to SSL verification. It's a good thing, but in my case it was breaking my toy.

The fix? Quick and simple: switch from:

my $mech = WWW::Mechanize->new( autocheck => 0 ) ;

to

my $mech = WWW::Mechanize->new( autocheck => 0, ssl_opts => { verify_hostname => 0 } ) ;

Enjoy!
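
An alternative for the same "Unknown CA" failure, shown here as an added example that is not part of the original post: leave verify_hostname on and point LWP at the internal CA certificate through the SSL_ca_file entry of ssl_opts. The CA file path, the INTERNAL_CA_FILE variable and the URL are placeholders assumed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use WWW::Mechanize;

# Assumed placeholders (not from the original post): where the internal
# CA certificate (PEM) lives and which internal URL is fetched.
my $ca_file = $ENV{INTERNAL_CA_FILE} // '/etc/ssl/certs/internal-ca.pem';
my $url     = shift(@ARGV) // 'https://intranet.example.internal/';

die "CA file $ca_file is not readable\n" unless -r $ca_file;

my $mech = WWW::Mechanize->new(
    autocheck => 0,
    ssl_opts  => {
        verify_hostname => 1,         # keep the check LWP performs by default
        SSL_ca_file     => $ca_file,  # trust the internal CA for this client
    },
);

my $res = $mech->get($url);

if ($res->is_success) {
    printf "OK: %s (%d bytes)\n", $res->status_line, length($mech->content);
}
elsif (($res->header('Client-Warning') // '') eq 'Internal response') {
    # LWP generated this response itself: no HTTP exchange took place,
    # which is what a connection or TLS handshake failure looks like.
    my $why = $res->status_line;
    if ($why =~ /certificate verify failed/i) {
        # Assumption: the handshake error text contains this phrase.
        die "TLS verification failed; does $ca_file hold the CA that "
          . "issued the server certificate?\n  $why\n";
    }
    die "Could not connect: $why\n";
}
else {
    # The TLS session was fine; the server itself returned an error.
    die "Server answered with an error: " . $res->status_line . "\n";
}
```

LWP::UserAgent also initializes SSL_ca_file from the PERL_LWP_SSL_CA_FILE environment variable, so an unmodified script can be given the CA file from the shell.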
