Steffen Ullrich

Results 7 comments of Steffen Ullrich

The variable is documented as `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT` but the code actually uses `PERL_HTTP_TINY_INSECURE_BY_DEFAULT`, i.e. w/o the "SSL" in the name:

```
sub _verify_SSL_default {
    my ($self) = @_;
    # Check if...
```

> Mozilla::CA (v20221114)

This is recent and should work for validating cpan.org, i.e. no disabling of certificate validation should be needed. Please run your code with `perl -MIO::Socket::SSL=debug4 tinytest2.pl` to enable...

Looks like you ran into the issue with certificate validation when cross-signing is used: cpan.org sends the following trust chain:

```
 0 s:CN = cpan.org
   i:C = US, O =...
```

The issue is not restricted to TLS 1.3 but is only more likely then. With TLS 1.2 `can_read` will return true with incomplete TLS records, but a later read...

Just to provide an inspiration on how to deal with broken users of IO::Socket::SSL (like HTTP::Tiny). Since 2014 there is a [documented way](https://metacpan.org/pod/IO::Socket::SSL#IO::Socket::SSL::set_args_filter_hack(\&code|'use_defaults')) to enforce specific arguments no matter how...

Also from my experience with moving IO::Socket::SSL to verification by default in 2012: I started in 11/2012 with a warning for everybody using the default of SSL_verify_mode that the behavior...

> ...Perl uses Mozilla::CA to validate servers instead of using the host's CA list, so anyone with a very out-of-date Mozilla::CA who updates to latest CPAN.pm will suddenly be unable...