Closed noxxi closed 1 year ago
It's really great news that IO::Socket::SSL now can find a fresh CA bundle. But it looks like this commit still breaks something: it will not install Mozilla::CA, so when IO::Socket::SSL::default_ca() is false it tries to require Mozilla::CA, but it won't be installed anyway. I propose not to drop Mozilla::CA from PREREQ_PM.
> But it looks like this commit still breaks something: it will not install Mozilla::CA, so when IO::Socket::SSL::default_ca() is false it tries to require Mozilla::CA, but it won't be installed anyway.
When IO::Socket::SSL is installed it will check for a usable CA store in the OpenSSL default places. If none is found (i.e. on Windows, Mac) it will add Mozilla::CA to PREREQ_PM and default_ca() will also look for this module if it cannot find anything usable in OpenSSL default places.
This means that the situation you describe (where default_ca() returns nothing) should only happen if
If you instead continue to require Mozilla::CA at installation time you might install a module which does not get used. Debian will probably patch it out again, like they do currently (they use the system CA store instead, which they get with IO::Socket::SSL too).
Ah, you are right, IO::Socket::SSL will try to install Mozilla::CA - I missed that. Btw, why try to fall back to Mozilla::CA in LWP::Protocol::https then?
@vsespb Read the commit message, which explains just that:
- Check at runtime if we have a recent IO::Socket::SSL which also
detected a usable CA. If not (like with older IO::Socket::SSL or with
Net::SSL) try to fall back to Mozilla::CA again.
- Only if the fallback does not work complain and give the (corrected)
instructions about how to fix or to work around problem.
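An added illustration of the runtime detection the commit message describes; this is not code from this pull request or from LWP::Protocol::https. The find_ca_store() function and its ca_file/ca_path arguments are invented for the example, while PERL_LWP_SSL_CA_FILE and PERL_LWP_SSL_CA_PATH are the environment variables LWP::Protocol::https already honours for an explicit CA location:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# find_ca_store: added example, not code from LWP::Protocol::https.
# Resolves a CA store in the order the commit message describes:
#   1. explicit configuration given by the caller,
#   2. a recent IO::Socket::SSL whose default_ca() found a usable store
#      in OpenSSL's default locations at install time,
#   3. the Mozilla::CA bundle, if it happens to be installed,
#   4. otherwise die with instructions instead of silently continuing.
# Returns a hashref of IO::Socket::SSL options plus a 'source' key.
sub find_ca_store {
    my %opt = @_;

    # 1. An explicit CA file/path always wins over any auto-detection.
    if ($opt{ca_file} || $opt{ca_path}) {
        return {
            source => 'explicit',
            ($opt{ca_file} ? (SSL_ca_file => $opt{ca_file}) : ()),
            ($opt{ca_path} ? (SSL_ca_path => $opt{ca_path}) : ()),
        };
    }

    # 2. Newer IO::Socket::SSL provides default_ca(); older versions (or a
    #    Net::SSL based setup) lack it, so probe with can() instead of
    #    assuming. default_ca() returns an empty list when the install-time
    #    check of OpenSSL's default locations found nothing usable.
    if (eval { require IO::Socket::SSL; IO::Socket::SSL->can('default_ca') }) {
        my %ca = IO::Socket::SSL::default_ca();
        return { source => 'IO::Socket::SSL::default_ca', %ca } if %ca;
    }

    # 3. Fall back to the bundled Mozilla root list only if it is present.
    if (eval { require Mozilla::CA; 1 }) {
        return { source => 'Mozilla::CA', SSL_ca_file => Mozilla::CA::SSL_ca_file() };
    }

    # 4. Nothing usable: complain with actionable instructions.
    die "No usable CA store found for HTTPS certificate verification.\n"
      . "Install a recent IO::Socket::SSL (it detects the system CA store),\n"
      . "install Mozilla::CA, or set PERL_LWP_SSL_CA_FILE / PERL_LWP_SSL_CA_PATH\n"
      . "to point at a CA bundle.\n";
}

# Usage: honour the same environment variables LWP::Protocol::https reads.
my $ca = find_ca_store(
    ca_file => $ENV{PERL_LWP_SSL_CA_FILE},
    ca_path => $ENV{PERL_LWP_SSL_CA_PATH},
);
printf "using CA store from %s: %s\n", $ca->{source},
    join ' ', map { "$_=$ca->{$_}" } grep { /^SSL_ca_/ } sort keys %$ca;
```

The order matters for the Debian case discussed in this thread: a system that patches out Mozilla::CA still gets a working store from step 2, and Mozilla::CA is only consulted when IO::Socket::SSL found nothing, so an installed but unused bundle is never picked over the system trust store.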
Since there is no activity on this pull request...
Lately users get more and more problems because of the use of the newer Mozilla::CA package with the 1024 bit CA removed, combined with a problem with alternative trust paths in the OpenSSL library. There is a workaround available with OpenSSL 1.0.2 (released only 4 months ago) but the necessary constant is not yet included in Net::SSLeay and IO::Socket::SSL. The other workaround is to make sure the older 1024 bit CA still exists on the system. This is true for most (all?) Linux/BSD systems, and Debian patched LWP a long time ago to use the system CA instead of Mozilla::CA and thus does not run into the problems.
If this pull request were applied, more users could transparently profit from a usable system CA instead of being forced to use the crippled Mozilla::CA.
For more details see https://rt.cpan.org/Ticket/Display.html?ShowHeaders=1&id=104759
I can merge this PR, but unfortunately cannot ship it. If Gisle or a PAUSE admin wanted to give me comaint (like I have on Net::HTTP, libwww-perl and URI for the purposes of bug fixes) I would be happy to ship this fix too.
It'd be great to see this merged and released. The current situation with new Mozilla::CA versions and older OpenSSL versions is quite painful.
@noxxi is this still an issue? Sorry that it has been neglected for so long.
As far as I can see there is no change in LWP done here. It still depends on Mozilla::CA (Makefile.PL) and still requires Mozilla::CA in LWP::Protocol::https unless the user has explicitly given another location. This way it does not make use of the default locations and requires an additional CA store (i.e. Mozilla::CA) to get updated if custom CAs are in use.
@noxxi do you have a moment to rebase this? If not, I can look at it.
Unfortunately I have abandoned the repository with these changes years ago, so I cannot easily rebase this.
@noxxi I'm happy to attempt a rebase in that case. 😄
If you are interested in joining the libwww-perl GitHub org, let me know and I will send you an invitation.
This handles issue#5 by letting newer versions of IO::Socket::SSL do the work to find out the proper CA. Only if this fails does it fall back to either using Mozilla::CA or throwing an error. The pull request also has the fixes for Debian#746576 in it.