Login/Register
How do I set up SNI support for Mojolicious?
Asked Answered
Solved perlcpanmojolicious
M

2

6

Perl's Mojolicious supports Server Name Identification (SNI), which some web servers use to host several sites with one HTTPS certificate. I'm working on a system that's not set up to use this, and googling a bit doesn't turn up anything that makes the process clear and the various parts apparent. The StackOverflow question Perl LWP GET or POST to an SNI SSL URL mentions a few things.

So, what's everything I need to do?

Mediocrity answered 19/2, 2016 at 5:41 Comment(2)
I think your question should make clear if you are asking about client support for SNI (i.e. sending the server name in the ClientHello) or server support, i.e. making a multi-site Mojolicious server provide different certificates depending on which site the client requested. While the latter can be implemented with IO::Socket::SSL I'm not sure if Mojolicious provides a way to use it.Ambi
Answers for client and server would be the best.Mediocrity
M
6

First, it's not Mojolicious (or LWP or whatever) that supports SNI. It's IO::Socket::SSL, but not really, because it's Net::SSLeay, but not really because it's your version of openssl.

  • Install openssl 1.0 or later. You probably want to use the --prefix option to configure to install it in a fresh directory so you don't disturb what you already have and on which other things depend.
  • Update Net::SSLeay to compile it against the new openssl. You need version 1.50 or later. The issue here is that a later Net::SSLeay will happily work with an older openssl. Upgrading the module does not get you the new openssl.
  • Update IO::Socket::SSL to 1.56 or later. The earliest release is from 2012, so you should update anyway.
  • Mojolicious 2.83 (released in 2012, so old) added SNI support for clients, and Mojolicious 6.40 (a month ago) added it for all web servers.

You can find this info by looking in the Changes file for each module, but while we're here, let's get Net::SSLeay sorted with it's not as simple as installing the module.

Some things you have to pay attention to:

  • You need to compile perl, openssl, and Net::SSLeay with the same tools so that they are binary compatible.

Use the OPENSSL_PREFIX variable to tell cpan (and the stuff it runs) where to find the right openssl.

 $ export OPENSSL_PREFIX=/usr/local/ssl
 $ cpan Net::SSLeay IO::Socket::SSL

If you already have the latest Net::SSLeay but compiled against an older version of openssl, you can force install the module to recompile it even though cpan thinks its up-to-date:

 $ cpan -f Net::SSLeay IO::Socket::SSL

IO::Socket::SSL has methods to check this (added in 1.84):

 $ /usr/local/ssl/bin/openssl version
 OpenSSL 1.0.1r  28 Jan 2016
 $ perl -MIO::Socket::SSL -le 'print IO::Socket::SSL->VERSION'
 2.024
 $ perl -MIO::Socket::SSL -le 'print IO::Socket::SSL->can_client_sni'
 1
Mediocrity answered 19/2, 2016 at 5:49 Comment(2)
IO::Socket::SSL alone cannot do it. It needs to know the hostname it should add to the SSL handshake. If the name is given as PeerAddr it will be used but if only the IP address is given or an existing TCP sockets gets upgraded the name must be usually given explicitly with SSL_hostname. And that's what Mojo::IOLoop::Client is actually doing.Ambi
I'm not down with the answer yet. However, I'm not concerned about how it actually happens, just what I need to install and setup for it to happen.Mediocrity
R
-1

Not a direct answer to the question but a maybe better solution.

From my experience as an admin of shared hosting of ~400 domains, it's more convenient to configure SSL in Apache, and have Mojolicious running under mod_perl2.

Putting too much (network) configuration into the application is always a pain in the long run. In many cases multidomain applications can also become inconvenient.

Have configuration in Apache allows management by standard scripts, e.g. renewal of SSL-certs from letsencrypt.

Of course there can be strong reasons and special requirements for other setups worth the extra work.

Rumen answered 19/2, 2016 at 7:33 Comment(1)
I'm not looking for other solutions or a workaround.Mediocrity

© 2022 - 2024 — McMap. All rights reserved.