Description of problem:
The perl-Mojolicious module was updated recently from v7.67 to v7.94. As can be seen in /usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm (near the top) there is a fixed dependency there on 2.009+ of IO::Socket::SSL. However the current IO::Socket::SSL shipped in Enterprise Linux is still 1.94 (which is what perl-Mojolicious v7.67 wanted).
So either perl-Mojolicious should be downgraded (bad) or perl-IO-Socket-SSL should be upgraded (better), but at the moment the two modules are incompatible and anything using them fails instantly so something needs doing somewhere.
Version-Release number of selected component (if applicable):
100% with anything using TLS with Mojolicious
Steps to Reproduce:
It's easiest to prove it just by looking in the files:
/usr/share/perl5/vendor_perl/Mojo/IOLoop/TLS.pm has this on line 29:
return $self->emit(error => 'IO::Socket::SSL 2.009+ required for TLS support')
The only relevant change in IO::Socket::SSL 2.009 is ALPN support. Indeed Mojo/IOLoop/TLS.pm sets SSL_alpn_protocols attribute, but I cannot see a reason why Mojolicious could not work without ALPN. At the end it's only a hint to clients and Mojolicous has to check what requests clients send to it regardless what it advertised in the ALPN. Moreover a proper way of checking ALPN support is calling IO::Socket::SSL->can_alpn(), not comparing IO::Socket::SSL module version. I believe the IO::Socket::SSL version check should be removed from the Mojolious code.
I pointed this bug out on Freenode/#mojo and got the following response:
12:51 < eseyman> FYI, https://bugzilla.redhat.com/show_bug.cgi?id=1672088
12:58 < kraih> hahaha, yea, good luck with that proposal!
13:01 < kraih> there's been security relevant changes in IO::Socket::SSL that we now rely on, we will never downgrade that dependency
Given that perl-IO-Socket-SSL in RHEL has several backported security fixes, I'm tempted to do what Petr suggests.
perl-Mojolicious-7.94-2.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2019-da670fdaf9
Jonathan, I'ld really appreciate if you could give us some feedback before I push this off to stable.
Does this work for you? Are you able to use TLS with Mojolicious?
perl-Mojolicious-7.94-2.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.