--- loncom/lonssl.pm 2015/11/07 18:41:11 1.13 +++ loncom/lonssl.pm 2015/11/08 03:15:13 1.14 @@ -1,5 +1,5 @@ # -# $Id: lonssl.pm,v 1.13 2015/11/07 18:41:11 raeburn Exp $ +# $Id: lonssl.pm,v 1.14 2015/11/08 03:15:13 raeburn Exp $ # # Copyright Michigan State University Board of Trustees # @@ -37,6 +37,7 @@ use strict; use IO::Socket::INET; use IO::Socket::SSL; +use Net::SSLeay; use Fcntl; use POSIX; @@ -141,12 +142,21 @@ sub PromoteClientSocket { my $dupfno = fcntl($PlaintextSocket, F_DUPFD, 0); Debug("Client promotion got dup = $dupfno\n"); + # Starting with IO::Socket::SSL rev. 1.79, carp warns that a verify + # mode of SSL_VERIFY_NONE should be explicitly set for client, if + # verification is not to be used, and SSL_verify_mode is not set. + # Starting with rev. 1.95, the default became SSL_VERIFY_PEER which + # prevents connections to lond. + # Set SSL_verify_mode to Net::SSLeay::VERIFY_NONE() instead of to + # SSL_VERIFY_NONE for compatibility with IO::Socket::SSL rev. 1.01 + # used by CentOS/RHEL/Scientific Linux 5). my $client = IO::Socket::SSL->new_from_fd($dupfno, SSL_use_cert => 1, SSL_key_file => $KeyFile, SSL_cert_file => $MyCert, - SSL_ca_file => $CACert); + SSL_ca_file => $CACert, + SSL_verify_mode => Net::SSLeay::VERIFY_NONE()); if(!$client) { $lasterror = IO::Socket::SSL::errstr();
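Review bot: In the PromoteClientSocket hunk, `SSL_verify_mode => Net::SSLeay::VERIFY_NONE()` turns off peer certificate verification on the client side, so the `SSL_ca_file => $CACert` passed just above it no longer causes an untrusted server certificate to be rejected; the socket is encrypted but the peer is not authenticated. The added comment says the `SSL_VERIFY_PEER` default "prevents connections to lond" but not why; if the cause is a hostname or chain mismatch, the safer fix is to keep `SSL_verify_mode => Net::SSLeay::VERIFY_PEER()` and correct that cause rather than disable verification for every IO::Socket::SSL version. If VERIFY_NONE has to stay for now, the comment should say so explicitly, e.g. `# NOTE: peer certificate is NOT verified here; lond must be authenticated by other means.` The rest of PromoteClientSocket lies outside the hunk, so whether the peer certificate is checked after promotion is not visible here.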