Bug 1672088

Summary: perl-Mojolicious version clash with perl-IO-Socket-SSL
Product: [Fedora] Fedora EPEL Reporter: Jonathan Larmour <jifl-bugzilla>
Component: perl-MojoliciousAssignee: Emmanuel Seyman <emmanuel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: epel7CC: emmanuel, perl-devel, ppisar, robinlee.sysu, yaneti
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: perl-Mojolicious-7.94-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-01 00:37:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jonathan Larmour 2019-02-03 18:42:34 UTC 
Description of problem:

The perl-Mojolicious module was updated recently from v7.67 to v7.94. As can be seen in /usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm (near the top) there is a fixed dependency there on 2.009+ of IO::Socket::SSL. However the current IO::Socket::SSL shipped in Enterprise Linux is still 1.94 (which is what perl-Mojolicious v7.67 wanted).

So either perl-Mojolicious should be downgraded (bad) or perl-IO-Socket-SSL should be upgraded (better), but at the moment the two modules are incompatible and anything using them fails instantly so something needs doing somewhere.

Version-Release number of selected component (if applicable):

perl-Mojolicious-7.94-1.el7.noarch
perl-IO-Socket-SSL-1.94-7.el7.noarch

How reproducible:

100% with anything using TLS with Mojolicious

Steps to Reproduce:

It's easiest to prove it just by looking in the files:

/usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm has this on line 29:
  return $self->emit(error => 'IO::Socket::SSL 2.009+ required for TLS support')
Comment 1 Petr Pisar 2019-02-04 10:10:18 UTC 
The only relevant change in IO::Socket::SSL 2.009 is ALPN support. Indeed Mojo/IOLoop/TLS.pm sets SSL_alpn_protocols attribute, but I cannot see a reason why Mojolicious could not work without ALPN. At the end it's only a hint to clients and Mojolicous has to check what requests clients send to it regardless what it advertised in the ALPN. Moreover a proper way of checking ALPN support is calling IO::Socket::SSL->can_alpn(), not comparing IO::Socket::SSL module version. I believe the IO::Socket::SSL version check should be removed from the Mojolious code.
Comment 2 Emmanuel Seyman 2019-02-05 07:04:29 UTC 
I pointed this bug out on Freenode/#mojo and got the following response:

12:51 < eseyman> FYI, https://bugzilla.redhat.com/show_bug.cgi?id=1672088
12:58 < kraih> hahaha, yea, good luck with that proposal!
13:01 < kraih> there's been security relevant changes in IO::Socket::SSL that we now rely on, we will never downgrade that dependency

Given that perl-IO-Socket-SSL in RHEL has several backported security fixes, I'm tempted to do what Petr suggests.
Comment 3 Fedora Update System 2019-03-03 21:05:46 UTC 
perl-Mojolicious-7.94-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
Comment 4 Fedora Update System 2019-03-04 01:50:34 UTC 
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
Comment 5 Emmanuel Seyman 2019-03-22 07:17:32 UTC 
Jonathan, I'ld really appreciate if you could give us some feedback before I push this off to stable.

Does this work for you? Are you able to use TLS with Mojolicious?
Comment 6 Fedora Update System 2019-04-01 00:37:57 UTC 
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.