Bug#929675: mojolicious: HTTPS / SSL / TLS is broken

Celejar celejar at gmail.com
Tue May 28 13:05:59 BST 2019 

Package: libmojolicious-perl
Version: 8.12+dfsg-1
Severity: important
File: mojolicious
Tags: upstream

Mojolicious's HTTPS functionality is completely broken on my system
(ordinary HTTP access works fine):

~$ mojo daemon -l https://*:3000

Server available at https://127.0.0.1:3000

~$ curl -v -k https://127.0.0.1:3000
* Expire in 0 ms for 6 (transfer 0x55d756de3dd0)
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55d756de3dd0)
* Connected to 127.0.0.1 (127.0.0.1) port 3000 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:3000
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:3000

~$ openssl s_client  -connect localhost:3000
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 283 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

~$ wget -v  https://localhost:3000
--2019-05-21 11:17:27--  https://localhost:3000/
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:3000... failed: Connection refused.
Connecting to localhost (localhost)|127.0.0.1|:3000... connected.
GnuTLS: Error in the pull function.
Unable to establish SSL connection.

~$ mojo get -k https://127.0.0.1:3000
SSL connect attempt failed
 at /usr/share/perl5/Mojolicious/Command/get.pm line 77.

The above is with Debian's versions of all software. I also tried using
locally installed, newer versions of IO::Socket::SSL, Net::SSLeay, and
Mojolicious itself, but it still does not work.

Upstream tried to help, but seems to be out of ideas:

https://groups.google.com/forum/#!topic/mojolicious/gjz-0uvUDLk

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libmojolicious-perl depends on:
ii  libjs-jquery               3.3.1~dfsg-3
ii  libjs-prettify             2015.12.04+dfsg-1.1
pn  libscalar-list-utils-perl  <none>
ii  perl                       5.28.1-6

Versions of packages libmojolicious-perl recommends:
pn  libcpanel-json-xs-perl       <none>
ii  libev-perl                   4.25-1
pn  libio-socket-ip-perl         <none>
pn  libio-socket-socks-perl      <none>
ii  libio-socket-ssl-perl        2.060-3
pn  libmojo-server-fastcgi-perl  <none>
ii  librole-tiny-perl            2.000006-1

libmojolicious-perl suggests no packages.

-- no debconf information

More information about the pkg-perl-maintainers mailing list