brian d foy brian d foy - 1 year ago 51
Perl Question

How do I set up SNI support for Mojolicious?

Perl's Mojolicious supports Server Name Identification (SNI), which some web servers use to host several sites with one HTTPS certificate. I'm working on a system that's not set up to use this, and googling a bit doesn't turn up anything that makes the process clear and the various parts apparent. The StackOverflow question Perl LWP GET or POST to an SNI SSL URL mentions a few things.

So, what's everything I need to do?

Answer Source

First, it's not Mojolicious (or LWP or whatever) that supports SNI. It's IO::Socket::SSL, but not really, because it's Net::SSLeay, but not really because it's your version of openssl.

  • Install openssl 1.0 or later. You probably want to use the --prefix option to configure to install it in a fresh directory so you don't disturb what you already have and on which other things depend.
  • Update Net::SSLeay to compile it against the new openssl. You need version 1.50 or later. The issue here is that a later Net::SSLeay will happily work with an older openssl. Upgrading the module does not get you the new openssl.
  • Update IO::Socket::SSL to 1.56 or later. The earliest release is from 2012, so you should update anyway.
  • Mojolicious 2.83 (released in 2012, so old) added SNI support for clients, and Mojolicious 6.40 (a month ago) added it for all web servers.

You can find this info by looking in the Changes file for each module, but while we're here, let's get Net::SSLeay sorted with it's not as simple as installing the module.

Some things you have to pay attention to:

  • You need to compile perl, openssl, and Net::SSLeay with the same tools so that they are binary compatible.

Use the OPENSSL_PREFIX variable to tell cpan (and the stuff it runs) where to find the right openssl.

 $ export OPENSSL_PREFIX=/usr/local/ssl
 $ cpan Net::SSLeay IO::Socket::SSL

If you already have the latest Net::SSLeay but compiled against an older version of openssl, you can force install the module to recompile it even though cpan thinks its up-to-date:

 $ cpan -f Net::SSLeay IO::Socket::SSL

IO::Socket::SSL has methods to check this (added in 1.84):

 $ /usr/local/ssl/bin/openssl version
 OpenSSL 1.0.1r  28 Jan 2016
 $ perl -MIO::Socket::SSL -le 'print IO::Socket::SSL->VERSION'
 $ perl -MIO::Socket::SSL -le 'print IO::Socket::SSL->can_client_sni'