Opened 5 years ago

Closed 5 years ago

#11712 closed enhancement (fixed)

IO-Socket-SSL-2.062 (Perl Module)

Reported by: Douglas R. Reno Owned by: ken@…
Priority: normal Milestone: 8.4
Component: BOOK Version: SVN
Severity: normal Keywords:

Description (last modified by ken@…)

New minor version - was 2.061, now 2.062


  • Enable X509_V_FLAG_PARTIAL_CHAIN if supported by Net::SSLeay (1.83+) and OpenSSL (1.1.0+). This makes leaf certificates or intermediate certificates in the trust store be usable as full trust anchors too.


  • Support for TLS 1.3 session reuse. Needs Net::SSLeay 1.86+. Note that the previous (and undocumented) API for the session cache has been changed.
  • Support for multiple curves, automatic setting of curves and setting of supported curves in client. Needs Net::SSLeay 1.86+.
  • Enable Post-Handshake-Authentication (TLSv1.3 feature) client-side when client certificates are provided. Thanks to jorton[AT]redhat[DOT]com. Needs Net::SSLeay 1.86+.

Please note that last line.

Change History (10)

comment:1 by Bruce Dubbs, 5 years ago

Milestone: 8.58.4

Promote to 8,4,

comment:2 by ken@…, 5 years ago

Description: modified (diff)
Summary: IO-Socket-SSL-2.061 (Perl Module)IO-Socket-SSL-2.062 (Perl Module)

in reply to:  description comment:3 by ken@…, 5 years ago

Needs Net::SSLeay 1.86+.

Please note that last line.

Which is not yet released. Will try with our patched version of 1.85. Or perhaps better to use 1.86_06 from github (not updated since September).

Last edited 5 years ago by ken@… (previous) (diff)

comment:4 by ken@…, 5 years ago

Now recommends URI:

No library for handling international domain names found.
It will work but croak if you try to verify an international name against
a certificate.
It's recommended to install either Net::IDN::Encode, Net::LibIDN or URI version>=1.50

But testing with patched Net-SSLeay-1.85 continues to hang, burning 100% of 1 core (stopped it after 88 minutes).

comment:5 by ken@…, 5 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

It turns out I don't build this, except on my server (linked from ntp and wget for tests). A quick run of wget got a lot of tests, so I looked at the page and saw its perl deps for the testsuite. Installing libwww-perl and all its deps (a convenient way for me to get the required modules), 15 tests were skipped - I lack the other deps -, total 145, 130 passed.

Looked at ntp - it doesn't need the user to run the tests : a total of 59 tests, all passed.

comment:6 by ken@…, 5 years ago

A stealth update at github - the version of 1_86_06 is different from the old version I had lying around and which I used for testing. Retesting.

comment:7 by ken@…, 5 years ago

Differences look benign, but a test has changed. Otherwise, updates to yml, docs, etc. But the URL I used 30 minutes ago (which returns 1.86_06 instead of a names version) now fails.

Still working from firefox. I'm inclined to put this in and see if wget works later.

NB in IO::Socket::SSL one of the test results looks odd:

# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
# got stapled response as expected
# validation with default CA with OCSP defaults ok
# validation with default CA with OCSP full chain ok
# tcp connect to ok
# tcp connect to ok
# fingerprint matches
# validation with default CA w/o OCSP ok
t/external/ocsp.t ................. ok
# found 0 CA certs
t/external/usable_ca.t ............ skipped: no CA certs found

Given my issues in the last few days, I am surprised that mo CA certs were found :)

This appears to be caused by

my %have_ca;
# some systems seems to have junk in the CA stores
# so better wrap it into eval
eval {
    for my $f (
        ( $ca{SSL_ca_file} ? ($ca{SSL_ca_file}) : ()),
        ( $ca{SSL_ca_path} ? glob("$ca{SSL_ca_path}/*") :()),
        ) {
        open( my $fh,'<',$f ) or next;
        my $pem;
        while (<$fh>) {
            if ( m{^--+END} ) {
                my $cert = PEM_string2cert($pem.$_);
                $pem = undef;
                $cert or next;
                my $hash = Net::SSLeay::X509_subject_name_hash($cert);
                $have_ca{sprintf("%08x",$hash)} = 1;
            } elsif ( m{^--+BEGIN (TRUSTED |X509 |)CERTIFICATE-+} ) {
                $pem = $_; 
            } elsif ( $pem ) {
                $pem .= $_;

in that test. I have to assume it does not like the comments in fromt of each certificate in our ca-bundle.crt. Note that it (i.e. HTTP::Tiny pulled in) does not recommend installing Mozilla::CA so I'm not going to get worried by this, particularly since the tests complete and pass.

comment:8 by ken@…, 5 years ago

Updated in r21253. Attempting to use wget for Net-SSLeay still fails, so keeping open until someone can confirm that the command I put in does the job.

comment:9 by Bruce Dubbs, 5 years ago

There was a typo in the url for Net-SSLeay -O Net-SSLeay-1.86_06.tar.gz


I fixed that.

comment:10 by ken@…, 5 years ago

Resolution: fixed
Status: assignedclosed

Thanks. I don't understand how, I thought I pasted it from the plain wget command I had initially used.

Note: See TracTickets for help on using tickets.