IO::Socket::SSL seems to be ignoring SSL_VERIFY_NONE; this is on OSX 10.14.1 with perl 5.18.2 and CentOS 6.10 with perl 5.10.1:
#!/usr/bin/perl
#
# sslt
#
# Test ssl connections to self-signed sites
#
use strict;
use warnings;
use IO::Socket::SSL qw( SSL_VERIFY_NONE );
use LWP::UserAgent;
my $url = 'https://internal_site:18443/rest/v1';
my $method = 'GET';
my $ua = LWP::UserAgent->new;
$ua->agent('sslt/0.1');
$ua->ssl_opts(SSL_verify_mode => SSL_VERIFY_NONE);
# Create a request
my $req = HTTP::Request->new($method => $url);
print STDERR "Raw request ($method): $url\n";
# Send request to the user agent and get a response back
my $res = $ua->request($req);
print STDERR "Raw response: ", $res->message, " (", $res->code, ")\n";
exit 0;
results in:
$ sslt
Raw request (GET): https://internal_site:18443/rest/v1
Raw response: Can't connect to internal_site:18443 (certificate verify failed) (500)
That's not IO::Socket::SSL ignoring SSL_verify_mode but LWP overriding it. From LWP::Protocol::https:
sub _extra_sock_opts
{
my $self = shift;
my %ssl_opts = %{$self->{ua}{ssl_opts} || {}};
if (delete $ssl_opts{verify_hostname}) {
$ssl_opts{SSL_verify_mode} ||= 1; <<<<<<<<<<<<<<<<<<<<
$ssl_opts{SSL_verifycn_scheme} = 'www';
}
Thus, you have to set verify_hostname to 0 to actually disable validation. See also the ticket LWP::Protocol::https discards 0 value for SSL_VERIFY_mode.