Crypt::SSLeay insecure!!!

There, that got your attention 8)

I've got a perl module to access the xml-based credit gateway at
http://www.eway.com.au/

The module has the CA certificate embedded in it, and writes the cert to a
file and sets $ENV{HTTPS_CA_FILE} to get Crypt::SSLeay to verify the site
cert against it.

The site recently changed its certificate and stopped this module working.
I tried embedding the new CA cert but it doesn't seem to want to verify.
I've checked something like 10 times now that the right cert is in there,
and tried a bunch of other guesses. No luck.

So, no cert verification. The site using this module is vulnerable to
DNS spoofing attacks. Well, it would be, except I've hacked its
/etc/hosts.

The program demonstrating this is here:

http://knobbits.org/archived/2005-07/ewaytest.pl.txt

I've tried it on both a modified debian woody box (Crypt::SSLeay 0.49,
LWP::UserAgent 2.001) and ubuntu breezy (Crypt::SSLeay 0.51,
LWP::UserAgent 2.033), with the same result.

Any ideas?

Mick.
--
Remove the -news from my email address.
http://mickworld.knobbits.org/