Bug#914034: Bug#911938: libhttp-daemon-ssl-perl FTBFS: tests fail: Connection refused

Guilhem Moulin guilhem at debian.org
Sun Apr 7 17:39:44 BST 2019


On Sun, 07 Apr 2019 at 18:12:45 +0200, gregor herrmann wrote:
> On Sun, 18 Nov 2018 19:41:05 +0200, Niko Tyni wrote:
> 
>> Reiterating a bit: the underlying issue with TLSv1.3 seems to be related
>> to handling of 'non-application_data_records'.
>> 
>> The client tries to POST but gets an 'SSL wants a read first' error,
>> then waits until timeout for the socket to become writable.
>> 
>> A simple way to reproduce it here is
>> 
>> perl -MLWP::UserAgent -e 'LWP::UserAgent->new->post("https://facebook.com", { data => "foo" }) or die'
>> 
>> which deadlocks for me.
> 
> I can't reproduce this problem:

Interesting, are you talking TLS 1.3?

$ dpkg-query -l "libssl*" "libnet-ssleay-perl" "liblwp-protocol-https-perl" "libio-socket-ssl-perl"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                       Version      Architecture Description
+++-==========================-============-============-=================================================================
ii  libio-socket-ssl-perl      2.060-3      all          Perl module implementing object oriented interface to SSL sockets
ii  liblwp-protocol-https-perl 6.07-2       all          HTTPS driver for LWP::UserAgent
ii  libnet-ssleay-perl         1.85-2+b1    amd64        Perl module for Secure Sockets Layer (SSL)
ii  libssl-dev:amd64           1.1.1b-1     amd64        Secure Sockets Layer toolkit - development files
un  libssl-doc                 <none>       <none>       (no description available)
un  libssl0.9.8                <none>       <none>       (no description available)
un  libssl1.0-dev              <none>       <none>       (no description available)
ii  libssl1.1:amd64            1.1.1b-1     amd64        Secure Sockets Layer toolkit - shared libraries

$ openssl req -x509 -newkey rsa:4096 -keyout /tmp/key.pem -out /tmp/cert.pem -subj /CN=example.net -nodes
$ openssl s_server -accept 127.0.0.1:4433 -key /tmp/key.pem -cert /tmp/cert.pem -tls1_3
[…]

Then on a separate terminal, with SSL_MODE_AUTO_RETRY set (the default),
it blocks on read(2):

$ strace -eselect,read,write perl -MLWP::UserAgent -e 'LWP::UserAgent->new(ssl_opts =>
    {verify_hostname => 0, SSL_ca_file => "/tmp/cert.pem"})->post("https://127.0.0.1:4433", { data => "foo" })'
[…]
select(8, [3], [3], NULL, {tv_sec=180, tv_usec=0}) = 2 (in [3], out [3], left {tv_sec=179, tv_usec=999998})
read(3, "…", 5)   = 5
read(3, "…", 250) = 250
read(3, "…", 5)   = 5
read(3, "…", 250) = 250
read(3,

With SSL_MODE_AUTO_RETRY cleared, the handshake terminates and it waits
for the reply from the server:

$ strace -eselect,read,write perl -MLWP::UserAgent -e 'LWP::UserAgent->new(ssl_opts =>
    {verify_hostname => 0, SSL_ca_file => "/tmp/cert.pem"})->post("https://127.0.0.1:4433", { data => "foo" })'
[…]
select(8, [3], [3], NULL, {tv_sec=180, tv_usec=0}) = 2 (in [3], out [3], left {tv_sec=179, tv_usec=999998})
read(3, "…", 5)             = 5
read(3, "…", 250) = 250
write(3, "…", 216) = 216
select(8, [3], NULL, NULL, {tv_sec=180, tv_usec=0}) = 1 (in [3], left {tv_sec=179, tv_usec=999999})
read(3, "…", 5)             = 5
read(3, "…", 250) = 250
select(8, [3], NULL, NULL, {tv_sec=180, tv_usec=0}

(and the connection closes gracefully when I write “HTTP/1.1
200\r\nContent-Length: 0\r\n\r\n” from the server)

> % time perl -MLWP::UserAgent -e 'LWP::UserAgent->new->post("https://twitter.com", { data => "foo" }) or die'
> perl -MLWP::UserAgent -e   0.13s user 0.02s system 36% cpu 0.415 total

twitter.com doesn't support TLS 1.3 though, right?

$ openssl s_client -4 -connect twitter.com:443 -servername twitter.com -tls1_3
CONNECTED(00000003)
139682444989504:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1536:SSL alert number 40

-- 
Guilhem.
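
An added example, not part of the message above and not code from any of the packages discussed: a non-blocking IO::Socket::SSL client that, when a write or read cannot proceed, waits for the direction the TLS layer asks for rather than the direction of the call that failed. It assumes the s_server instance and /tmp/cert.pem from the message; the 10-second timeout and the wait_for_tls() helper are illustrative names and values.

```perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports $SSL_ERROR, SSL_WANT_READ, SSL_WANT_WRITE
use IO::Select;

# Assumptions: the s_server instance and self-signed certificate from the
# message above; the timeout and wait_for_tls() are illustrative.
my $timeout = 10;
my $sock = IO::Socket::SSL->new(
    PeerHost          => '127.0.0.1',
    PeerPort          => 4433,
    SSL_ca_file       => '/tmp/cert.pem',
    SSL_verifycn_name => 'example.net',    # CN of the test certificate
) or die "connect failed: $!, $SSL_ERROR\n";
$sock->blocking(0);
my $sel = IO::Select->new($sock);

# After a failed sysread/syswrite, wait for the direction the TLS layer
# reported, which is not always the direction of the call that failed.
sub wait_for_tls {
    my ($op) = @_;
    if ($SSL_ERROR == SSL_WANT_READ) {
        $sel->can_read($timeout) or die "$op: timed out waiting to read\n";
    } elsif ($SSL_ERROR == SSL_WANT_WRITE) {
        $sel->can_write($timeout) or die "$op: timed out waiting to write\n";
    } else {
        die "$op failed: $SSL_ERROR\n";
    }
}

my $body = 'data=foo';
my $req  = "POST / HTTP/1.1\r\nHost: example.net\r\n"
         . "Content-Length: " . length($body) . "\r\n\r\n$body";
for (my $off = 0; $off < length $req; ) {
    my $n = $sock->syswrite($req, length($req) - $off, $off);
    defined $n ? ($off += $n) : wait_for_tls('write');
}

# Records that carry no application data (TLS 1.3 session tickets, for
# instance) make the socket readable while sysread still returns undef with
# SSL_WANT_READ, so keep looping. Reading a full record's worth each time
# leaves nothing buffered inside OpenSSL that select() cannot see.
my $resp = '';
until ($resp =~ /\r\n\r\n/) {
    my $n = $sock->sysread(my $buf, 16384);
    if (!defined $n) { wait_for_tls('read'); next }
    last if $n == 0;    # peer closed the connection
    $resp .= $buf;
}
print $resp;
```

s_server as started above sends no HTTP reply on its own, so the read loop ends only when a response is typed on the server side or the timeout expires.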