libwww-perl / LWP-Protocol-https

Provide https support for LWP::UserAgent
https://metacpan.org/pod/LWP::Protocol::https

Make explicit requirement of Mozilla::CA obsolete #15

Closed noxxi closed 1 year ago

noxxi commented 10 years ago

This handles issue #5 by letting newer versions of IO::Socket::SSL do the work of finding out the proper CA. Only if this fails does it fall back to either using Mozilla::CA or throwing an error. The pull request also has the fixes for Debian#746576 in it.

vsespb commented 10 years ago

It's really great news that IO::Socket::SSL can now find a fresh CA bundle. But it looks like this commit still breaks something: it will not install Mozilla::CA, so when IO::Socket::SSL::default_ca() is false it tries to require Mozilla::CA, but it won't be installed anyway.

I propose not to drop Mozilla::CA from PREREQ_PM

noxxi commented 10 years ago

> But it looks like this commit still breaks something: it will not install Mozilla::CA, so when IO::Socket::SSL::default_ca() is false it tries to require Mozilla::CA, but it won't be installed anyway.

When IO::Socket::SSL is installed it will check for a usable CA store in the OpenSSL default places. If none is found (e.g. on Windows, Mac) it will add Mozilla::CA to PREREQ_PM, and default_ca() will also look for this module if it cannot find anything usable in the OpenSSL default places.

This means that the situation you describe (where default_ca() returns nothing) should only happen if

If you instead continue to require Mozilla::CA at installation time you might install a module which does not get used. Debian will probably patch it out again, like they do currently (they use the system CA store instead, which they get with IO::Socket::SSL too).

vsespb commented 10 years ago

Ah, you are right, IO::Socket::SSL will try to install Mozilla::CA; I missed that. Btw, why try to fall back to Mozilla::CA in LWP::Protocol::https then?

tsibley commented 10 years ago

@vsespb Read the commit message, which explains just that:

- Check at runtime if we have a recent IO::Socket::SSL which also
  detected a usable CA. If not (like with older IO::Socket::SSL or with
  Net::SSL) try to fall back to Mozilla::CA again.
- Only if fall back does not work complain and give the (corrected)
  instructions about how to fix or to work around problem.
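
The lookup order the commit message describes, written out as an added example in Perl (this is not the pull request's own patch and not LWP's shipped code): an explicit store wins (including the real PERL_LWP_SSL_CA_FILE / PERL_LWP_SSL_CA_PATH variables that LWP::UserAgent honours), then IO::Socket::SSL::default_ca() is asked, then Mozilla::CA is tried, and only then does it die with instructions. resolve_ca_store and ua_with_trust_store are names chosen for this example; IO::Socket::SSL::default_ca, Mozilla::CA::SSL_ca_file and LWP::UserAgent->ssl_opts are existing interfaces.

```perl
#!/usr/bin/perl
# Added example (not code from the pull request): resolve which CA store an
# LWP::UserAgent should verify peers against, in the order the commit message
# describes.  resolve_ca_store() and ua_with_trust_store() are this example's
# own names; the module functions and environment variables used are real.
use strict;
use warnings;

# Returns a hashref of ssl_opts (SSL_ca_file and/or SSL_ca_path) plus a
# 'source' key saying where the trust store came from; dies with the
# recommended fixes if no store can be found.
sub resolve_ca_store {
    my %opts = @_;    # whatever the caller already put into ssl_opts

    # 1. An explicit store given by the application, or via LWP's
    #    PERL_LWP_SSL_CA_FILE / PERL_LWP_SSL_CA_PATH environment, always wins.
    for my $pair ([SSL_ca_file => 'PERL_LWP_SSL_CA_FILE'],
                  [SSL_ca_path => 'PERL_LWP_SSL_CA_PATH']) {
        my ($key, $env) = @$pair;
        $opts{$key} = $ENV{$env} if !defined $opts{$key} && defined $ENV{$env};
    }
    if ($opts{SSL_ca_file} || $opts{SSL_ca_path}) {
        return { %opts, source => 'explicit' };
    }

    # 2. A recent IO::Socket::SSL knows where OpenSSL's default store is
    #    (and, where none exists, falls back to Mozilla::CA itself).
    #    default_ca() returns a flat list of SSL_ca_file/SSL_ca_path pairs.
    if (eval { require IO::Socket::SSL; IO::Socket::SSL->can('default_ca') }) {
        my %ca = IO::Socket::SSL::default_ca();
        if ($ca{SSL_ca_file} || $ca{SSL_ca_path}) {
            return { %opts, %ca, source => 'IO::Socket::SSL::default_ca' };
        }
    }

    # 3. Older IO::Socket::SSL or Net::SSL: try the bundled Mozilla store.
    if (eval { require Mozilla::CA; 1 }) {
        return { %opts, SSL_ca_file => Mozilla::CA::SSL_ca_file(),
                 source => 'Mozilla::CA' };
    }

    # 4. Nothing usable: explain how to fix or work around it instead of
    #    verifying against an empty store (which fails every handshake).
    die <<"EOT";
Can't verify SSL peers without knowing which Certificate Authorities to trust.

Install a recent IO::Socket::SSL (which locates the system CA store) or the
Mozilla::CA module, or point LWP at a CA bundle with
PERL_LWP_SSL_CA_FILE=/path/to/ca-bundle.crt or PERL_LWP_SSL_CA_PATH=/path/to/ca-dir.
Setting PERL_LWP_SSL_VERIFY_HOSTNAME=0 is not a fix: it disables verification
and leaves the client open to man-in-the-middle attacks.
EOT
}

# Build a user agent that verifies against the resolved store.  No request
# is made unless a URL is passed on the command line.
sub ua_with_trust_store {
    require LWP::UserAgent;
    my $ca     = resolve_ca_store(@_);
    my $source = delete $ca->{source};
    my $ua = LWP::UserAgent->new(
        ssl_opts => { verify_hostname => 1, %$ca },
    );
    return ($ua, $source);
}

my ($ua, $source) = ua_with_trust_store();
print "trust store from: $source\n";
printf "  %s = %s\n", $_, $ua->ssl_opts($_)
    for grep { defined $ua->ssl_opts($_) } qw(SSL_ca_file SSL_ca_path);

if (my $url = shift @ARGV) {
    my $res = $ua->get($url);
    print $res->status_line, "\n";
}
```

The `source` value is the practical check: on a Linux or BSD host with a system store it should read `IO::Socket::SSL::default_ca`, which is the behaviour the thread wants for Debian users; seeing `Mozilla::CA` there means the bundled store is being used even though a system one may exist.
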

noxxi commented 9 years ago

Since there is no activity on this pull request...

Lately users have been getting more and more problems because of the use of the newer Mozilla::CA package with the 1024-bit CAs removed, combined with a problem with alternative trust paths in the OpenSSL library. There is a workaround available with OpenSSL 1.0.2 (released only 4 months ago) but the necessary constant is not yet included in Net::SSLeay and IO::Socket::SSL. The other workaround is to make sure the older 1024-bit CA still exists on the system. This is true for most (all?) Linux/BSD systems, and Debian patched LWP a long time ago to use the system CA instead of Mozilla::CA and thus does not run into the problems.

If this pull request were applied, more users could transparently profit from a usable system CA instead of being forced to use the crippled Mozilla::CA.

For more details see https://rt.cpan.org/Ticket/Display.html?ShowHeaders=1&id=104759

karenetheridge commented 9 years ago

I can merge this PR, but unfortunately cannot ship it. If Gisle or a PAUSE admin wanted to give me comaint (like I have on Net::HTTP, libwww-perl and URI for the purposes of bug fixes) I would be happy to ship this fix too.

oschwald commented 9 years ago

It'd be great to see this merged and released. The current situation with new Mozilla::CA versions and older OpenSSL versions is quite painful.

oalders commented 4 years ago

@noxxi is this still an issue? Sorry that it has been neglected for so long.

noxxi commented 4 years ago

> @noxxi is this still an issue? Sorry that it has been neglected for so long.

As far as I can see there is no change in LWP done here. It still depends on Mozilla::CA (Makefile.PL) and still requires Mozilla::CA in LWP::Protocol::https unless the user has explicitly given another location. This way it does not make use of the default locations and requires an additional CA store (i.e. Mozilla::CA) to get updated if custom CAs are in use.

oalders commented 1 year ago

@noxxi do you have a moment to rebase this? If not, I can look at it.

noxxi commented 1 year ago

> @noxxi do you have a moment to rebase this? If not, I can look at it.

Unfortunately I have abandoned the repository with these changes years ago, so I cannot easily rebase this.

oalders commented 1 year ago

@noxxi I'm happy to attempt a rebase in that case. 😄

If you are interested in joining the libwww-perl GitHub org, let me know and I will send you an invitation.