Bug#914034: Bug#911938: libhttp-daemon-ssl-perl FTBFS: tests fail: Connection refused

[Dimitri John Ledkov]

Hi,

On Wed, 10 Apr 2019 15:22:09 +0200 Guilhem Moulin <guilhem at debian.org> wrote:
>
> Not setting the SSL_MODE_AUTO_RETRY flag back after removing O_NONBLOCK
> (ie commenting out `Net::SSLeay::set_mode($ssl, $mode_auto_retry);` in
> the patch) solves the problem with blocking I/O and select/poll, but
> breaks programs expecting SSL_read() to block until application data
> comes in.  (That is, programs not conforming to SSL_read()'s documented
> behavior — hence which would break on renegotiation with TLS <1.3; or
> programs relying on SSL_MODE_AUTO_RETRY being set, as in OpenSSL ≥1.1.1's
> default context flags.)
>

This issue concerns me a lot at the moment. I am currently trying to
upgrade OpenSSL from 1.1.0 to 1.1.1 in Ubuntu 18.04 LTS (bionic). And
as far as I understand all the comment on this debian bug report,
current application are potentially broken and brokeness happens more
often with TLSv1.3 and the new OpenSSL 1.1.1 defaults
(SSL_MODE_AUTO_RETRY).

As far as I understand we do not have a fixed LWP that works correctly
in blocking, non-blocking, tls 1.2 and tls 1.3. To prevent regressing
existing users further, does it make sense for me to make updates in
bionic that:

1) limit SSL_new and SSL_CTX_new to TLS v1.2 max
and
2) disable SSL_MODE_AUTO_RETRY by default for TLS v1.2 connections?

My goal is to keep existing breakages as is, without introducing new
ones, whilst getting OpenSSL 1.1.1 into bionic. Granted this will not
get TLS v1.3 enabled for perl server/clients without code changes, but
oh well. Those who want it, will be able to force / start using it.

Regards,

Dimitri.