Opened 6 years ago
Closed 6 years ago
#11712 closed enhancement (fixed)
IO-Socket-SSL-2.062 (Perl Module)
Reported by: | Douglas R. Reno | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | 8.4 |
Component: | BOOK | Version: | SVN |
Severity: | normal | Keywords: | |
Cc: | | | |
Description (last modified by )
New minor version - was 2.061, now 2.062
2.062
- Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in the trust store be usable as full trust anchors too.
2.061
- Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+. Note that the previous (and undocumented) API for the session cache has been changed.
- Support for multiple curves, automatic setting of curves and setting of supported curves in client. Needs Net::SSLeay 1.86+.
- Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when client certificates are provided. Thanks to jorton[AT]redhat[DOT]com. Needs Net::SSLeay 1.86+.
Please note that last line.
Change History (10)
comment:1 by , 6 years ago
Milestone: | 8.5 → 8.4 |
---|---|
comment:2 by , 6 years ago
Description: | modified (diff) |
---|---|
Summary: | IO-Socket-SSL-2.061 (Perl Module) → IO-Socket-SSL-2.062 (Perl Module) |
comment:3 by , 6 years ago
Needs Net::SSLeay 1.86+.
Please note that last line.
Which is not yet released. Will try with our patched version of 1.85. Or perhaps better to use 1.86_06 from github (not updated since September).
comment:4 by , 6 years ago
Now recommends URI:
WARNING No library for handling international domain names found. It will work but croak if you try to verify an international name against a certificate. It's recommended to install either Net::IDN::Encode, Net::LibIDN or URI version>=1.50
But testing with patched Net-SSLeay-1.85 continues to hang, burning 100% of 1 core (stopped it after 88 minutes).
comment:5 by , 6 years ago
Owner: | changed from | to
---|---|
Status: | new → assigned |
It turns out I don't build this, except on my server (linked from ntp and wget for tests). A quick run of wget got a lot of tests, so I looked at the page and saw its perl deps for the testsuite. After installing libwww-perl and all its deps (a convenient way for me to get the required modules), 15 tests were skipped (I lack the other deps), total 145, 130 passed.
Looked at ntp - it doesn't need the user to run the tests: a total of 59 tests, all passed.
comment:6 by , 6 years ago
A stealth update at github - the version of 1_86_06 is different from the old version I had lying around and which I used for testing. Retesting.
comment:7 by , 6 years ago
Differences look benign, but a test has changed. Otherwise, updates to yml, docs, etc. But the URL I used 30 minutes ago (which returns 1.86_06 instead of a named version) now fails.
Still working from firefox. I'm inclined to put this in and see if wget works later.
NB in IO::Socket::SSL one of the test results looks odd:
    # tcp connect to www.chksum.de:443 ok
    # fingerprint matches
    # validation with default CA w/o OCSP ok
    # got stapled response as expected
    # validation with default CA with OCSP defaults ok
    # validation with default CA with OCSP full chain ok
    # tcp connect to www.bild.de:443 ok
    # tcp connect to revoked.grc.com:443 ok
    # fingerprint matches
    # validation with default CA w/o OCSP ok
    t/external/ocsp.t ................. ok
    # found 0 CA certs
    t/external/usable_ca.t ............ skipped: no CA certs found
Given my issues in the last few days, I am surprised that no CA certs were found :)
This appears to be caused by
    use Net::SSLeay;
    use IO::Socket::SSL::Utils qw(PEM_string2cert);
    # %ca holds SSL_ca_file / SSL_ca_path and is set up earlier in the test (not quoted here)

    my %have_ca;
    # some systems seems to have junk in the CA stores
    # so better wrap it into eval
    eval {
        # scan the CA file, if any, then every file in the CA directory, if any
        for my $f (
            ( $ca{SSL_ca_file} ? ($ca{SSL_ca_file}) : () ),
            ( $ca{SSL_ca_path} ? glob("$ca{SSL_ca_path}/*") : () ),
        ) {
            open( my $fh, '<', $f ) or next;
            my $pem;
            while (<$fh>) {
                if ( m{^--+END} ) {
                    # end of a block: parse what was collected, then reset
                    my $cert = PEM_string2cert($pem.$_);
                    $pem = undef;
                    $cert or next;
                    my $hash = Net::SSLeay::X509_subject_name_hash($cert);
                    $have_ca{sprintf("%08x",$hash)} = 1;
                } elsif ( m{^--+BEGIN (TRUSTED |X509 |)CERTIFICATE-+} ) {
                    # start of a block: begin collecting lines
                    $pem = $_;
                } elsif ( $pem ) {
                    # inside a block: keep collecting
                    $pem .= $_;
                }
            }
        }
    };
in that test. I have to assume it does not like the comments in front of each certificate in our ca-bundle.crt. Note that it (i.e. HTTP::Tiny pulled in) does not recommend installing Mozilla::CA so I'm not going to get worried by this, particularly since the tests complete and pass.
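The scan loop quoted in comment 7, ported to Python as an added example (this is not code from IO::Socket::SSL, its test suite, or the ticket) and run over a constructed bundle that has a comment line in front of each certificate, so the reader can see what the BEGIN/END state machine collects, what it hands to the parser, and which lines it never looks at. PEM_string2cert and X509_subject_name_hash exist only in Net::SSLeay, so the example substitutes a base64 decode plus DER SEQUENCE-tag check and a truncated SHA-256 of the DER; those substitutions and the sample bundle contents are assumptions of the example.

```python
import base64
import binascii
import hashlib
import re

# Same two patterns the Perl loop uses to find the start and end of a block.
BEGIN_RE = re.compile(r"^--+BEGIN (TRUSTED |X509 |)CERTIFICATE-+")
END_RE = re.compile(r"^--+END")


def pem_string2cert(pem):
    """Stand-in for PEM_string2cert (assumption: the real one parses X.509 via
    Net::SSLeay). Here: base64-decode the body and require a DER SEQUENCE tag;
    return the DER bytes, or None when the block is junk."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-"))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return None
    if not der or der[0] != 0x30:
        return None
    return der


def scan_ca_bundle(text):
    """Port of the test's state machine. Returns (have_ca, ignored_lines):
    have_ca maps a per-certificate key to True, as %have_ca does; ignored_lines
    counts lines that sit outside any BEGIN/END block, e.g. comment headers."""
    have_ca = {}
    ignored = 0
    pem = None
    for line in text.splitlines(keepends=True):
        if END_RE.match(line):
            # Perl: PEM_string2cert($pem.$_); $pem = undef; $cert or next
            cert = pem_string2cert((pem or "") + line)
            pem = None
            if cert is None:
                continue
            # Stand-in for sprintf("%08x", X509_subject_name_hash($cert)):
            # a truncated SHA-256 of the DER, which needs no X.509 parser.
            have_ca[hashlib.sha256(cert).hexdigest()[:8]] = True
        elif BEGIN_RE.match(line):
            pem = line
        elif pem is not None:
            pem += line
        else:
            ignored += 1
    return have_ca, ignored


def _block(der, header):
    """Build one PEM block preceded by a comment header (constructed data)."""
    b64 = base64.b64encode(der).decode()
    return f"{header}-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed bundle, not a real CA store: the DER bodies are minimal SEQUENCEs
# standing in for certificates, each preceded by a comment line as in a bundle
# that annotates every certificate; the last block is deliberately junk.
SAMPLE_BUNDLE = (
    "# Constructed CA bundle for the example\n"
    + _block(b"\x30\x03\x02\x01\x01", "# Subject: CN=Example Root One\n")
    + _block(b"\x30\x03\x02\x01\x02", "# Subject: CN=Example Root Two\n")
    + "# Subject: CN=Junk\n"
      "-----BEGIN CERTIFICATE-----\n"
      "!!!not base64!!!\n"
      "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    have_ca, ignored = scan_ca_bundle(SAMPLE_BUNDLE)
    print(f"found {len(have_ca)} CA certs, ignored {ignored} non-PEM lines")
```

An empty result from scan_ca_bundle on a real bundle means one of three things: no file or directory path was supplied to the loop, no line matched the BEGIN pattern (a different PEM label, for instance), or every block failed in the parser. Returning the count of ignored lines alongside makes it easy to see which lines the loop never examined.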
comment:8 by , 6 years ago
Updated in r21253. Attempting to use wget for Net-SSLeay still fails, so keeping open until someone can confirm that the command I put in does the job.
comment:9 by , 6 years ago
There was a typo in the URL for Net-SSLeay -O Net-SSLeay-1.86_06.tar.gz
s/urban/rurban/
I fixed that.
comment:10 by , 6 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Thanks. I don't understand how, I thought I pasted it from the plain wget command I had initially used.
Promote to 8.4.