Mojolicious::Lite HTTPS / SSL / TLS not working


Celejar

May 21, 2019, 1:42:35 PM
to Mojolicious
Hi,

I'm trying to access my Mojolicious::Lite web app via HTTPS, but it's not working: the SSL connection is apparently immediately reset by the server:

~$ perl/app.pl daemon -l https://*:3000
[2019-05-21 13:40:24.49479] [10969] [info] Listening at "https://*:3000"
Server available at https://127.0.0.1:3000

~$ curl -v -k https://127.0.0.1:3000
* Expire in 0 ms for 6 (transfer 0x55d756de3dd0)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55d756de3dd0)
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:3000
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:3000

~$ openssl s_client  -connect localhost:3000
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

~$ wget -v  https://localhost:3000
--2019-05-21 11:17:27--  https://localhost:3000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:3000... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:3000... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

Am I doing something wrong, or is something wrong with Mojo's SSL implementation?

Stefan Adams

May 21, 2019, 3:10:24 PM
to mojolicious
Try your test out with a built-in HelloWorld app:

$ mojo daemon -l https://*:3000
Server available at https://127.0.0.1:3000
Your Mojo is working!

I doubt there's a problem with Mojo's SSL implementation as it doesn't really have one -- it relies on IO::Socket::SSL.

$ mojo version
CORE
  Perl        (v5.22.1, linux)
  Mojolicious (8.12, Supervillain)

OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (n/a)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.024)
  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000006)

You might want to update your Mojolicious to 8.16!

Make sure everything is up to snuff with IO::Socket::SSL.


Celejar

May 22, 2019, 8:19:59 AM
to Mojolicious


On Tuesday, May 21, 2019 at 3:10:24 PM UTC-4, Stefan Adams wrote:
> Try your test out with a built-in HelloWorld app:
>
> $ mojo daemon -l https://*:3000
> Server available at https://127.0.0.1:3000
> Your Mojo is working!

~$ mojo daemon -l https://*:3000
Server available at https://127.0.0.1:3000

curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:3000

> I doubt there's a problem with Mojo's SSL implementation as it doesn't really have one -- it relies on IO::Socket::SSL.
>
> $ mojo version
> CORE
>   Perl        (v5.22.1, linux)
>   Mojolicious (8.12, Supervillain)
>
> OPTIONAL
>   Cpanel::JSON::XS 4.04+  (n/a)
>   EV 4.0+                 (n/a)
>   IO::Socket::Socks 0.64+ (n/a)
>   IO::Socket::SSL 2.009+  (2.024)
>   Net::DNS::Native 0.15+  (n/a)
>   Role::Tiny 2.000001+    (2.000006)
>
> You might want to update your Mojolicious to 8.16!

~$ mojo version
CORE
  Perl        (v5.28.1, linux)
  Mojolicious (8.12, Supervillain)

OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (4.25)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.060)
  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000006)

You might want to update your Mojolicious to 8.16!

> Make sure everything is up to snuff with IO::Socket::SSL

What would you suggest I do, specifically?

Thanks,


Stefan Adams

May 22, 2019, 10:21:56 AM
to mojolicious
On Wed, May 22, 2019 at 7:20 AM Celejar <cel...@gmail.com> wrote:
>> Make sure everything is up to snuff with IO::Socket::SSL
>
> What would you suggest I do, specifically?

Unfortunately, I'll be of little help here.   Did listening on https for your app ever work on this instance that is currently failing?  The latest version of IO::Socket::SSL is 2.066 -- perhaps update?  I think IO::Socket::SSL depends on Net::SSLeay, perhaps update it to the latest version 1.88?  Of course, it's always a good idea to update Mojolicious to the latest version.  Do those one at a time and test after each update.  What about updating your openssl library openssl, libssl1.0.0, and libssl-dev?  I'm on Ubuntu 16.04 with openssl 1.0.2g.

Before doing any of that, I'm just curious: openssl, curl, and wget all fail for you...  what about trying the mojo useragent?

Your Mojo is working!

Message has been deleted

Dan Book

May 23, 2019, 2:18:10 PM
to mojol...@googlegroups.com
You could easily try by installing them to a local::lib with cpanm and temporarily adding the local::lib to your PERL5LIB. This would at least help isolate the problem.

$ wget -qO cpanm https://cpanmin.us # or App::cpanminus probably available from repo
$ perl ./cpanm -l local Net::SSLeay IO::Socket::SSL
$ PERL5LIB=local/lib/perl5 perl app.pl daemon ...

-Dan

On Thu, May 23, 2019 at 2:04 PM Celejar <cel...@gmail.com> wrote:
> On Wednesday, May 22, 2019 at 10:21:56 AM UTC-4, Stefan Adams wrote:
>> On Wed, May 22, 2019 at 7:20 AM Celejar <cel...@gmail.com> wrote:
>>>> Make sure everything is up to snuff with IO::Socket::SSL
>>>
>>> What would you suggest I do, specifically?
>>
>> Unfortunately, I'll be of little help here.   Did listening on https for your app ever work on this instance that is currently failing?  The latest version of IO::Socket::SSL is 2.066 -- perhaps update?  I think IO::Socket::SSL depends on Net::SSLeay, perhaps update it to the latest version 1.88?  Of course, it's always a good idea to update Mojolicious to the latest version.  Do those one at a time and test after each update.  What about updating your openssl library openssl, libssl1.0.0, and libssl-dev?  I'm on Ubuntu 16.04 with openssl 1.0.2g.
>
> Thanks. I'm not sure these versions are available from the Debian repos, and installing them by hand will take some doing. [I already tried updating one of the perl modules via Debian's dh-make-perl tool, but the resulting package wouldn't install. I've never used raw CPAN.]
>
>> Before doing any of that, I'm just curious: openssl, curl, and wget all fail for you...  what about trying the mojo useragent?
>>
>> Your Mojo is working!
>
> SSL connect attempt failed
>  at /usr/share/perl5/Mojolicious/Command/get.pm line 77.

Randall Sindlinger

May 23, 2019, 2:25:41 PM
to Mojolicious
+1 for cpanm

I'd also suggest looking at trying out Perlbrew (https://perlbrew.pl/) for running a Perl independent of the Debian install.  But for just testing new versions of 1 or 2 modules, Dan's suggestion is probably simplest.

-Randall


Luc Didry

May 24, 2019, 1:32:33 AM
to mojol...@googlegroups.com
Thursday, 23 May 2019, 20:25:41 CEST Randall Sindlinger wrote:
> +1 for cpanm
>
> I'd also suggest looking at trying out Perlbrew (https://perlbrew.pl/) for
> running a Perl independent of the debian install. But for just testing new
> versions of 1 or 2 modules, Dan's suggestion is probably simplest.
>
> -Randall

You can also use Carton, which is very handy. See
https://mojolicious.io/blog/2018/12/22/use-carton-for-your-mojolicious-app-deployment/
on why and how to use it.
--
Luc
https://fiat-tux.fr/
https://luc.frama.io/
The Internet is not complicated; the Internet is what you make of it.



Celejar

May 24, 2019, 5:14:09 PM
to Mojolicious


On Thursday, May 23, 2019 at 2:18:10 PM UTC-4, Dan Book wrote:
> You could easily try by installing them to a local::lib with cpanm and temporarily adding the local::lib to your PERL5LIB. This would at least help isolate the problem.
>
> $ wget -qO cpanm https://cpanmin.us # or App::cpanminus probably available from repo
> $ perl ./cpanm -l local Net::SSLeay IO::Socket::SSL
> $ PERL5LIB=local/lib/perl5 perl app.pl daemon ...

Thanks - I knew there must be a relatively simple way to do this, but I didn't realize quite how simple ;)

I tried with up to date Net::SSLeay, IO::Socket::SSL, and Mojolicious itself, but the problem unfortunately persists:

~$ PERL5LIB=local/lib/perl5 mojo daemon -l https://*:3000

Server available at https://127.0.0.1:3000
^Cyitzhak@lila:~$ PERL5LIB=local/lib/perl5 mojo version
CORE
  Perl        (v5.28.1, linux)
  Mojolicious (8.17, Supervillain)


OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (4.25)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.066)

  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000006)

This version is up to date, have fun!

$ mojo get -k https://127.0.0.1:3000
SSL connect attempt failed
 at /usr/share/perl5/Mojolicious/Command/get.pm line 77.

FWIW:

$ openssl version
OpenSSL 1.1.1b  26 Feb 2019


Celejar

May 24, 2019, 5:19:14 PM
to Mojolicious


On Thursday, May 23, 2019 at 2:18:10 PM UTC-4, Dan Book wrote:
> You could easily try by installing them to a local::lib with cpanm and temporarily adding the local::lib to your PERL5LIB. This would at least help isolate the problem.
>
> $ wget -qO cpanm https://cpanmin.us # or App::cpanminus probably available from repo
> $ perl ./cpanm -l local Net::SSLeay IO::Socket::SSL
> $ PERL5LIB=local/lib/perl5 perl app.pl daemon ..

I knew there must be a simple way to do this, but I didn't realize just how simple it was ;)

I tried with an up to date Net::SSLeay, IO::Socket::SSL, and Mojolicious itself, but unfortunately the problem persists:

~$ PERL5LIB=local/lib/perl5 mojo version
CORE
  Perl        (v5.28.1, linux)
  Mojolicious (8.17, Supervillain)


OPTIONAL
  Cpanel::JSON::XS 4.04+  (n/a)
  EV 4.0+                 (4.25)
  IO::Socket::Socks 0.64+ (n/a)
  IO::Socket::SSL 2.009+  (2.066)

  Net::DNS::Native 0.15+  (n/a)
  Role::Tiny 2.000001+    (2.000006)

This version is up to date, have fun!

~$ PERL5LIB=local/lib/perl5 mojo daemon -l https://*:3000

Server available at https://127.0.0.1:3000

~$ mojo get -k https://127.0.0.1:3000

SSL connect attempt failed
 at /usr/share/perl5/Mojolicious/Command/get.pm line 77.

FWIW:

~$ openssl version

OpenSSL 1.1.1b  26 Feb 2019


Celejar

May 29, 2019, 8:16:39 AM
to Mojolicious


On Friday, May 24, 2019 at 5:19:14 PM UTC-4, Celejar wrote:

I've reported a bug in the Debian BTS:

Vincent Tondellier

May 29, 2019, 1:07:50 PM
to mojol...@googlegroups.com
Hi,

On Tuesday, 21 May 2019 19:42:35 CEST, Celejar wrote:
> I'm trying to access my Mojolicious::Lite web app via HTTPS, but it's not
> working: the SSL connection is apparently immediately reset by the server:
>
> ~$ perl/app.pl daemon -l https://*:3000
> [2019-05-21 13:40:24.49479] [10969] [info] Listening at "https://*:3000"
> Server available at https://127.0.0.1:3000

...

> ~$ openssl s_client -connect localhost:3000
> CONNECTED(00000003)
> write:errno=104
> ---
> no peer certificate available

This is usually the result when the server does not send a certificate.

Did you generate and configure a certificate and key?

Example (on Debian buster/testing):

$ mojo daemon -l 'https://*:3000'
$ curl -k https://localhost:3000
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:3000


$ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 2 -sha256 -subj '/CN=localhost'
$ mojo daemon -l 'https://*:3000?cert=cert.pem&key=key.pem'
$ curl -k https://localhost:3000
Your Mojo is working!

See the doc for how to use a configuration file:

https://mojolicious.org/perldoc/Mojolicious/Guides/Cookbook#Hypnotoad
https://mojolicious.org/perldoc/Mojo/Server/Daemon#listen

Celejar

May 30, 2019, 1:40:28 PM
to Mojolicious


On Wednesday, May 29, 2019 at 1:07:50 PM UTC-4, Vincent Tondellier wrote:
> Hi,
>
> On Tuesday, 21 May 2019 19:42:35 CEST, Celejar wrote:
>
> ...
>
>> ~$ openssl s_client  -connect localhost:3000
>> CONNECTED(00000003)
>> write:errno=104
>> ---
>> no peer certificate available
>
> This is usually the result when the server does not send a certificate.
>
> Did you generate and configure a certificate and key?
>
> Example (on Debian buster/testing):
>
> ...
>
> $ openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -days 2 -sha256 -subj '/CN=localhost'
> $ mojo daemon -l 'https://*:3000?cert=cert.pem&key=key.pem'
> $ curl -k https://localhost:3000
> Your Mojo is working!

Thanks - that works! But I shouldn't have to do this - according to the documentation:

Mojolicious contains a very portable non-blocking I/O HTTP and WebSocket server with Mojo::Server::Daemon ... Another huge advantage is that it supports TLS and WebSockets out of the box, a development certificate for testing purposes is built right in, so it just works, but you can specify all listen locations supported by "listen" in Mojo::Server::Daemon.

         $ ./script/my_app daemon -l https://[::]:3000
         Server available at https://[::]:3000

I see that Debian does ship the default certificate, in:

/usr/share/perl5/Mojo/IOLoop/resources/server.crt
/usr/share/perl5/Mojo/IOLoop/resources/server.key

Has Debian disabled it, or is there something that one needs to do to enable it? The documentation implies that running the server as I did should just work with the built-in certificate?

Nick Morrott

Jun 22, 2019, 9:15:47 PM
to Mojolicious
On Thursday, May 30, 2019 at 6:40:28 PM UTC+1, Celejar wrote:
> I see that Debian does ship the default certificate, in:
>
> /usr/share/perl5/Mojo/IOLoop/resources/server.crt
> /usr/share/perl5/Mojo/IOLoop/resources/server.key
>
> Has Debian disabled it, or is there something that one needs to do to enable it? The documentation implies that running the server as I did should just work with the built-in certificate?

The next Debian stable release (10/buster) is currently frozen and due for release 2019-07-06. It will be released with a system-wide minimum supported TLS version of 1.2, which the current mojolicious default https key does not support. As a result, connections over https using this certificate on current Debian testing/unstable and the next stable release "buster" will fail.

As you have noticed, creating new keys that are TLS 1.2+ compliant will work. It is also possible to adjust the minimum supported TLS version on your system, but this is not recommended.

I have created a PR for consideration which replaces the current keypair with one suitable for TLS 1.2+ at:

https://github.com/mojolicious/mojo/pull/1371

I would also recommend that the keys used during the TEST_TLS phase of the test suite similarly be updated to support TLS 1.2+.

Cheers,
Nick
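
Added example, not part of the original thread: a shell function that reads `openssl x509 -noout -text` output and flags a key size or signature digest that falls below OpenSSL security level 2. That the host enforces level 2 is an assumption, and the function name `check_cert_text` and both sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example: grade `openssl x509 -noout -text` output against OpenSSL
# security level 2. Assumption: the host policy is level 2, which requires
# RSA keys of at least 2048 bits and EC keys of at least 224 bits.
MIN_RSA_BITS=2048
MIN_EC_BITS=224

# Constructed samples, trimmed to the lines the check reads.
SAMPLE_WEAK='Certificate:
    Data:
        Signature Algorithm: sha1WithRSAEncryption
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'
SAMPLE_OK='Certificate:
    Data:
        Signature Algorithm: sha256WithRSAEncryption
        Subject: CN = localhost
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)'

# check_cert_text (hypothetical name): reads certificate text on stdin and
# prints one finding per line. Returns 0 = nothing weak, 1 = weak key or
# digest, 2 = no key size found in the input.
check_cert_text() {
    text=$(cat)
    alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # Matches "RSA Public-Key: (N bit)" and the plain "Public-Key: (N bit)" form.
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)

    if [ -z "$bits" ]; then
        echo "UNKNOWN: no public key size in input"
        return 2
    fi
    case "$alg" in
        id-ecPublicKey) min=$MIN_EC_BITS ;;
        *)              min=$MIN_RSA_BITS ;;
    esac

    status=0
    if [ "$bits" -lt "$min" ]; then
        echo "WEAK key: $alg $bits bit (minimum $min)"
        status=1
    else
        echo "OK key: $alg $bits bit"
    fi
    # MD5 and SHA-1 digests rate below the 112-bit strength level 2 asks for.
    case "$sig" in
        md5*|sha1*|ecdsa-with-SHA1)
            echo "WEAK signature digest: $sig"
            status=1 ;;
        *)  echo "OK signature digest: $sig" ;;
    esac
    return "$status"
}

# Demo on the constructed samples; "|| true" keeps the script going after a WEAK result.
printf '%s\n' "$SAMPLE_WEAK" | check_cert_text || true
printf '%s\n' "$SAMPLE_OK" | check_cert_text
```

On a real host the input would come from the shipped certificate, for example `openssl x509 -in /usr/share/perl5/Mojo/IOLoop/resources/server.crt -noout -text | check_cert_text`.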

Celejar

Jun 22, 2019, 11:18:53 PM
to mojol...@googlegroups.com
On Sat, 22 Jun 2019 17:44:48 -0700 (PDT)
Nick Morrott <knowled...@gmail.com> wrote:

...

> The next Debian stable release (10/buster) is currently frozen and due for
> release 2019-07-06. It will be released with a system-wide minimum
> supported TLS version of 1.2, which the current mojolicious default https
> key does not support. As a result, connections over https using this
> certificate on current Debian testing/unstable and the next stable release
> "buster" will fail.

Ah, thanks for the explanation!

Celejar

Nick Morrott

Jul 3, 2019, 5:09:56 AM
to Mojolicious

Upstream have created a new TLS keypair which will be included in the next Mojolicious release.

My current plan is to review the update and upload a new 8.12 build which includes the updated keypair, targeting the first Debian "buster" point release.

Cheers,
Nick