Hi all, I'm posting XML to a web service, but I need to verify that the ssl certificate on the remote server is valid. This is my first time working with SSL (which is probably my real issue), and Crypt::SSLeay appears to be one way to do it. So I tried to setup an easy test:

use strict;
use LWP::UserAgent;

$ENV{ HTTPS_CA_FILE } = 'cacerts.pem';

my $ua  = LWP::UserAgent->new;
my $req = HTTP::Request->new('GET', 'https://mail.google.com/');
my $res = $ua->request($req);

print $res->header( 'client-ssl-warning' );
[download]

If I run this without the HTTPS_CA_FILE line, it prints "Peer certificate not verified", which makes sense. If I run it with the HTTPS_CA_FILE line included and with cacerts.pem in the same directory with the contents pulled from http://curl.haxx.se/docs/sslcerts.html , it prints nothing. I thought this was what I wanted, until I tried pointing HTTPS_CA_FILE to a blank file or file that didn't exist, and that also printed nothing.

(Adding $ENV{ HTTPS_DEBUG } = 1 prints the same debug info each time).

Am I wrong in thinking that pointing to a .pem of valid certificate signatures and the absence of a "client-ssl-warning" means the certificate was valid? It seems that as long as $ENV{ HTTPS_CA_FILE } is set to something, it doesn't matter what it's pointing to, the warning goes away.

I appreciate any help with this, or any pointers on other modules I perhaps should be using instead. I haven't been able to find any simple examples anywhere that just work, and haven't been able to put one together from TFM's.

Thanks