I found, that in HTTP::Tiny code is rewritten 'SSL_create_ctx_callback' parameter with explict one.
...
IO::Socket::SSL->start_SSL(
$self->{fh},
%$ssl_args,
SSL_create_ctx_callback => sub {
my $ctx = shift;
Net::SSLeay::CTX_set_mode($ctx, Net::SSLeay::MODE_AUTO_RETRY());
},
);
...
There are two ways how to fix this situation:
- Document this "feature"
- Allow use of user version of 'SSL_create_ctx_callback'
My use case
I have HTTP server with dual (post quantum and RSA) certificates.
#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::SSL;
my $server = IO::Socket::SSL->new(
LocalAddr => '0.0.0.0',
LocalPort => 4433,
Listen => 10,
Proto => 'tcp',
Reuse => 1,
SSL_cert_file => {
'' => 'localhost-rsa.crt',
'%pqc' => 'localhost-mldsa.crt',
},
SSL_key_file => {
'' => 'localhost-rsa.key',
'%pqc' => 'localhost-mldsa.key',
},
) or die "Cannot listen on port 4433: $!";
print "Server is running on https://localhost:4433/\n";
while (my $client = $server->accept) {
$client->autoflush(1);
my $request = <$client>;
chomp $request if defined $request;
print "Request: $request\n";
# Response
print $client "HTTP/1.1 200 OK\r\n";
print $client "Content-Type: text/plain; charset=utf-8\r\n";
print $client "Content-Length: 12\r\n";
print $client "\r\n";
print $client "Hello World!\n";
close $client;
}
In client side the intention is connect by post quantum algorithm and connect by RSA algorithm.
First one is easy
use strict;
use warnings;
use Data::Printer;
use HTTP::Tiny;
my $host = 'localhost';
my $port = 4433;
my $http = HTTP::Tiny->new(
verify_SSL => 1,
SSL_options => {
SSL_ca_file => 'localhost-mldsa.crt',
},
);
my $ret = $http->get('https://'.$host.':'.$port);
p $ret;
Second one is possible only in situation when allow only certfikate algorithms in RSA.
In case of openssl command:
openssl s_client \
-connect localhost:4433 \
-CAfile localhost-rsa.crt \
-sigalgs 'rsa_pss_pss_sha256:rsa_pss_rsae_sha256' \
-verify_return_error </dev/null
In Perl by HTTP::Tiny it is possible by SSL_create_ctx_callback (as I understand) only. Like something:
SSL_create_ctx_callback => sub {
my $ctx = shift;
my $sigalgs = 'rsa_pss_pss_sha256:rsa_pss_rsae_sha256';
if (! Net::SSLeay::CTX_ctrl($ctx, 98, 0, $sigalgs)) {
die "Cannot set certificate algorithms.";
}
return $ctx;
},
But HTTP::Tiny is rewriting the callback.
What do you think about it?
I found, that in HTTP::Tiny code is rewritten 'SSL_create_ctx_callback' parameter with explict one.
There are two ways how to fix this situation:
My use case
I have HTTP server with dual (post quantum and RSA) certificates.
In client side the intention is connect by post quantum algorithm and connect by RSA algorithm.
First one is easy
Second one is possible only in situation when allow only certfikate algorithms in RSA.
In case of openssl command:
In Perl by HTTP::Tiny it is possible by SSL_create_ctx_callback (as I understand) only. Like something:
But HTTP::Tiny is rewriting the callback.
What do you think about it?