
This queue is for tickets about the IO-Socket-SSL CPAN distribution.

Report information
The Basics
Id: 86684
Status: resolved
Priority: 0/
Queue: IO-Socket-SSL

People
Owner: Steffen_Ullrich [...] genua.de
Requestors: rjbs [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



Subject: get "SSL wants a read first" on any IO::Socket::SSL later than 0.96
I'm trying to upgrade one of our software stacks at work. It is, forgive me, running with IO::Socket::SSL 0.96. One of the things it does is talk to the OpenSRS domain registrar API endpoint using their own library. At some point, it contacts their server something like this:

    perl -MLWP::UserAgent -e 'my $x = LWP::UserAgent->new->get("https://horizon.opensrs.net:55443/"); use Data::Dumper; print Dumper($x);'

I've just updated the entire set of installed libraries on this machine. In particular, that includes:

    IO::Socket::SSL       1.951  /Users/rjbs/.perlbrew/libs/19.1@std/lib/perl...
    LWP::UserAgent        6.05   /Users/rjbs/.perlbrew/libs/19.1@std/lib/perl...
    LWP::Protocol::https  6.04   /Users/rjbs/.perlbrew/libs/19.1@std/lib/perl...

The request times out. Just now, I got "LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error." In previous requests, I was getting "SSL wants a read first."

If I change nothing but IO::Socket::SSL to 0.96, it works. I get a 200 response with the expected content, which starts with:

    <!DOCTYPE OPS_envelope SYSTEM "ops.dtd">

0.96 is what I'm using in production. 0.97 also works. 0.98 seems to be a non-release. 0.99 and every release I tested subsequent to that fails. I tested a dozen or so.

The documentation says "If you are using non-blocking sockets read on, as version 0.98 added better support for non-blocking." and I can only assume some change to provide that is causing my difficulty, since "wants a read" seems to be a non-blocking-related error.

This may not be a bug, exactly, but I'm not sure. Do you have any advice?

Thank you very much for your time.

-- rjbs

On Wed 03 Jul 2013, 15:46:53, RJBS wrote:
> I'm trying to upgrade one of our software stacks at work. It is,
> forgive me, running with IO::Socket::SSL 0.96.
>
> ...
> The request times out. Just now, I got "LWP::Protocol::https::Socket:
> SSL connect attempt failed with unknown error." In previous
> requests, I was getting "SSL wants a read first."
>
> ...
> This may not be a bug, exactly, but I'm not sure. Do you have any
> advice?
>
It looks like the server simply does not respond if it does not like the SSL client hello. There might be a lot of things, like supported algorithms, various SSL options etc., which it might not like. I don't see anything which might have changed in this regard between 0.97 and 0.99, but maybe you used not only a different IO::Socket::SSL version, but also a different openssl version or Net::SSLeay version.

Anyway, one of the things the server does not like is SNI support, e.g. where the client sends the hostname it wants to connect to, used if you have multiple SSL servers behind the same IP. SNI support is enabled by default since IO::Socket::SSL version 1.56. You might disable it by setting SSL_hostname => '', e.g. the following code works for me:

    use LWP::UserAgent;
    use Data::Dumper;

    my $ua = LWP::UserAgent->new;
    # An empty SSL_hostname disables the SNI extension in the client hello
    $ua->ssl_opts( SSL_hostname => '' );
    my $x = $ua->get("https://horizon.opensrs.net:55443/");
    print Dumper($x);
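
Added example, not part of the ticket and not IO::Socket::SSL's own code: a probe that attempts the handshake once with SNI and once with SSL_hostname => '', to confirm for a given server the SNI intolerance described in the reply above. The host and port are taken from the command line, try_handshake is a name chosen here, and certificate verification stays pinned to the intended name in both attempts.

```perl
#!/usr/bin/perl
# Added example: compare TLS handshakes with and without the SNI extension.
use strict;
use warnings;
use IO::Socket::SSL;    # default exports: $SSL_ERROR, SSL_VERIFY_PEER

my ($host, $port) = @ARGV;
die "usage: $0 hostname [port]\n" unless defined $host;
$port ||= 443;

die "local OpenSSL/Net::SSLeay cannot send SNI, nothing to compare\n"
    unless IO::Socket::SSL->can_client_sni;

# One handshake attempt. $sni is the name to send, or '' to omit SNI.
# Returns (1, cipher) on success or (0, error text) on failure.
sub try_handshake {
    my ($sni) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost     => $host,
        PeerPort     => $port,
        Timeout      => 10,     # a server that stays silent would otherwise hang us
        SSL_hostname => $sni,
        # Verify the certificate against the intended name even when no
        # SNI is sent, so turning SNI off does not loosen the checks.
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_name   => $host,
        SSL_verifycn_scheme => 'http',
    );
    return (0, $SSL_ERROR || $! || 'unknown error') unless $sock;
    my $cipher = $sock->get_cipher;
    close $sock;
    return (1, $cipher);
}

my ($ok_sni,   $info_sni)   = try_handshake($host);
my ($ok_plain, $info_plain) = try_handshake('');

printf "with SNI:    %s (%s)\n", $ok_sni   ? 'ok' : 'FAILED', $info_sni;
printf "without SNI: %s (%s)\n", $ok_plain ? 'ok' : 'FAILED', $info_plain;

if (!$ok_sni && $ok_plain) {
    print "Handshake only succeeds without SNI: server looks SNI-intolerant.\n";
} elsif ($ok_sni && !$ok_plain) {
    print "Handshake only succeeds with SNI: server requires the extension.\n";
} else {
    print "Same outcome in both modes: SNI is not the deciding factor.\n";
}
```

If both attempts fail with a verification error, the problem is the certificate chain or name rather than SNI.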