Bug#929675: mojolicious: HTTPS / SSL / TLS is broken
Nick Morrott
knowledgejunkie at gmail.com
Sun Jun 23 01:58:29 BST 2019
On Tue, 28 May 2019 at 13:09, Celejar <celejar at gmail.com> wrote:
>
> Package: libmojolicious-perl
> Version: 8.12+dfsg-1
> Severity: important
> File: mojolicious
> Tags: upstream
>
> Mojolicious's HTTPS functionality is completely broken on my system
> (ordinary HTTP access works fine):
The default https server key supplied with mojolicious does not
support TLS 1.2, being an RSA:1024 key using SHA1 digests.
TLS 1.2 is now the default minimum supported version of TLS on
testing/unstable [1] and in the forthcoming Debian 10 "buster"
release.
[1] https://salsa.debian.org/debian/openssl/blob/debian/unstable/debian/README.debian
Replacing the keypair with one that does support TLS 1.2 (using
RSA:4096 and SHA256 digests) will work.
> Upstream tried to help, but seems to be out of ideas:
>
> https://groups.google.com/forum/#!topic/mojolicious/gjz-0uvUDLk
I have posted an update to that thread (currently held for
moderation). I have also created an upstream PR [2] which provides a
TLS 1.2-compliant keypair:
[2] https://github.com/mojolicious/mojo/pull/1371
Cheers,
Nick
More information about the pkg-perl-maintainers
mailing list