Skip Menu |

This queue is for tickets about the REST-Client CPAN distribution.

Report information
The Basics
Id: 102340
Status: resolved
Priority: 0/
Queue: REST-Client
People
Owner: Nobody in particular
Requestors: SHAW [...] cpan.org
Cc:
AdminCc:
Bug Information
Severity: Normal
Broken in: (no value)
Fixed in: 273

History Show all quoted text
  Tue Feb 24 22:18:44 2015 SHAW [...] cpan.org - Ticket created
Subject: Necessary to Depend on Crypt::SSLeay Now?
Looks like you're using it for HTTPS support. When installing Crypt::SSLeay the following message is given: *** THIS IS NOT AN ERROR, JUST A MESSAGE FOR YOUR INFORMATION *** Do you really need Crypt::SSLeay? Starting with version 6.02 of LWP, https support was unbundled into LWP::Protocol::https. This module specifies as one of its prerequisites IO::Socket::SSL which is automatically used by LWP::UserAgent unless this preference is overridden separately. IO::Socket::SSL is a more complete implementation, and, crucially, it allows hostname verification. Crypt::SSLeay does not support this. At this point, Crypt::SSLeay is maintained to support existing software that already depends on it. However, it is possible that your software does not really depend on Crypt::SSLeay, only on the ability of LWP::UserAgent class to communicate with sites over SSL/TLS. If are using version LWP 6.02 or later, and therefore have installed LWP::Protocol::https and its dependencies, and do not explicitly use Net::SSL before loading LWP::UserAgent, or override the default socket class, you are probably using IO::Socket::SSL and do not really need Crypt::SSLeay. Before installing Crypt::SSLeay, you may want to try specifying a dependency on LWP::Protocol::https.
  Sat Feb 28 18:48:03 2015 miles [...] milescrawford.com - Correspondence added
Subject: Re: [rt.cpan.org #102340] Necessary to Depend on Crypt::SSLeay Now?
Date: Sat, 28 Feb 2015 15:47:54 -0800
To: bug-REST-Client [...] rt.cpan.org
From: Miles <miles [...] milescrawford.com>
I did use crypt ssleay intentionally at one point in order to support certain certificate validation options, but I wouldn't be surprised if it's no longer critical. Unfortunately I won't be able to take a look for a while as I'm on a long road-trip, but I'll leave this open to remind me. Thanks! -m On Tue, Feb 24, 2015 at 7:18 PM, sshaw via RT <bug-REST-Client@rt.cpan.org> wrote: Show quoted text
> Tue Feb 24 22:18:44 2015: Request 102340 was acted upon. > Transaction: Ticket created by SHAW > Queue: REST-Client > Subject: Necessary to Depend on Crypt::SSLeay Now? > Broken in: (no value) > Severity: Normal > Owner: Nobody > Requestors: SHAW@cpan.org > Status: new > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=102340 > > > > Looks like you're using it for HTTPS support. When installing Crypt::SSLeay the following message is given: > > *** THIS IS NOT AN ERROR, JUST A MESSAGE FOR YOUR INFORMATION *** > > Do you really need Crypt::SSLeay? > > Starting with version 6.02 of LWP, https support was unbundled into > LWP::Protocol::https. This module specifies as one of its prerequisites > IO::Socket::SSL which is automatically used by LWP::UserAgent unless > this preference is overridden separately. IO::Socket::SSL is a more > complete implementation, and, crucially, it allows hostname > verification. Crypt::SSLeay does not support this. At this point, > Crypt::SSLeay is maintained to support existing software that already > depends on it. > > However, it is possible that your software does not really depend on > Crypt::SSLeay, only on the ability of LWP::UserAgent class to > communicate with sites over SSL/TLS. > > If are using version LWP 6.02 or later, and therefore have installed > LWP::Protocol::https and its dependencies, and do not explicitly use > Net::SSL before loading LWP::UserAgent, or override the default socket > class, you are probably using IO::Socket::SSL and do not really need > Crypt::SSLeay. > > Before installing Crypt::SSLeay, you may want to try specifying a > dependency on LWP::Protocol::https. > > >
  Sat Feb 28 18:48:04 2015 The RT System itself - Status changed from 'new' to 'open'
  Sat Feb 28 19:12:45 2015 GNUSTAVO [...] cpan.org - Correspondence added
Hi there, Miles Crawford. I'm GNUSTAVO at CPAN and I have a few modules depending on your REST::Client. Since I have recently gotten a few inquiries regarding my dependency on Crypt::SSLeay too I digged and found out that I'm depending on it through REST::Client. I took a look at the code and couldn't understand what's the purpose of these lines in sub REST::Client::request: #to ensure we use our desired SSL lib my $tmp_socket_ssl_version = $IO::Socket::SSL::VERSION; $IO::Socket::SSL::VERSION = undef; ... $IO::Socket::SSL::VERSION = $tmp_socket_ssl_version; I commented them out, replaced all references to Crypt::SSLeay by LWP::Protocol::https, and it passed the tests. I'm attaching the diff against version 272 for your review. Can you comment on it, please? Thank you!
Subject: 272.patch
diff --git a/META.yml b/META.yml index bda6a65..3e281a4 100644 --- a/META.yml +++ b/META.yml @@ -19,7 +19,7 @@ no_index: - inc - t requires: - Crypt::SSLeay: 0 + LWP::Protocol::https: 0 LWP::UserAgent: 0 URI: 0 perl: 5.8.0 diff --git a/Makefile.PL b/Makefile.PL index 182cc29..b8fa4d5 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -5,7 +5,7 @@ all_from 'lib/REST/Client.pm'; requires 'URI' => 0; requires 'LWP::UserAgent' => 0; -requires 'Crypt::SSLeay' => 0; +requires 'LWP::Protocol::https' => 0; test_requires 'Test::More' => '0.8'; WriteAll(); diff --git a/lib/REST/Client.pm b/lib/REST/Client.pm index 34c1437..4a0b8b4 100644 --- a/lib/REST/Client.pm +++ b/lib/REST/Client.pm @@ -79,7 +79,7 @@ our ($VERSION) = ('$Rev: 272 $' =~ /(\d+)/); use URI; use LWP::UserAgent; use Carp qw(croak carp); -use Crypt::SSLeay; +use LWP::Protocol::https; =head2 Construction and setup @@ -330,8 +330,8 @@ sub request { $url = $self->_prepareURL($url); #to ensure we use our desired SSL lib - my $tmp_socket_ssl_version = $IO::Socket::SSL::VERSION; - $IO::Socket::SSL::VERSION = undef; + #my $tmp_socket_ssl_version = $IO::Socket::SSL::VERSION; + #$IO::Socket::SSL::VERSION = undef; my $ua = $self->getUseragent(); if(defined $self->getTimeout()){ @@ -384,7 +384,7 @@ sub request { } my $res = $self->getFollow ? $ua->request($req) : $ua->simple_request($req); - $IO::Socket::SSL::VERSION = $tmp_socket_ssl_version; + #$IO::Socket::SSL::VERSION = $tmp_socket_ssl_version; $self->{_res} = $res;
  Sat Feb 28 19:14:29 2015 GNUSTAVO [...] cpan.org - Correspondence added
Oops, sorry. I sent my previous message before reading your message of a few minutes ago. Please, take your time to read it.
  Fri Aug 07 07:56:09 2015 KKANE [...] cpan.org - Correspondence added
As of Version 273(latest) REST::Client no longer depends on Crypt::SSLeay. Thanks, Kevin
  Fri Aug 07 07:56:11 2015 KKANE [...] cpan.org - Status changed from 'open' to 'resolved'
  Fri Aug 07 07:56:12 2015 KKANE [...] cpan.org - Fixed in 273 added