Bug 750793 - LWP::UserAgent 'timeout' parameter does not work for HTTPS URLs
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-libwww-perl
Version: 15
Hardware: i386
OS: Linux
Priority: unspecified
Severity: medium
Assignee: Petr Pisar
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-11-02 11:48 UTC by Ingo van Lil
Modified: 2012-08-07 20:22 UTC

Fixed In Version: perl-Net-HTTP-6.02-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-08-07 20:22:07 UTC
Links:
CPAN 72580
CPAN 72676

Internal Links: 460716 755907

Description Ingo van Lil 2011-11-02 11:48:59 UTC
Description of problem:

The latest perl-libwww-perl updates (5.837-3.fc14 and 5.837-4.fc15) changed the default SSL Socket implementation from Net::SSL to IO::Socket::SSL because the former does not support host name verification. However, the latter implementation appears to ignore the 'timeout' parameter.


How reproducible: 100%

Steps to Reproduce:

1. Generate a self-signed certificate for a dummy SSL server:
   > openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out server.pem
   Type Enter to answer all questions

2. Start a dummy SSL server:
   > openssl s_server -key key.pem

3. Use Net::SSL to connect to the dummy server (old default behavior):
   > export PERL_LWP_SSL_VERIFY_HOSTNAME=0
   > export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
   > lwp-request -t 5 https://localhost:4433

4. Use IO::Socket::SSL to connect to the dummy server (new default behavior):
   > export PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL
   > lwp-request -t 5 https://localhost:4433


Actual results:

1. When using Net::SSL as SSL Socket implementation the request will time out after 5 seconds (as specified by the -t 5 parameter).

2. When using IO::Socket::SSL the request will not time out.


Expected results:

The request should time out after 5 seconds, independent of the SSL Socket implementation used.

Comment 1 Petr Pisar 2011-11-02 12:32:32 UTC
I think this is not related to this update. The time-out issue has been known since 2003 (https://rt.cpan.org/Public/Bug/Display.html?id=3316).

Comment 2 Ingo van Lil 2011-11-02 14:05:27 UTC
You're right, the bug was already present before the update. The update triggered the bug, though, because LWP now prefers IO::Socket::SSL (which somehow causes this issue) over Net::SSL (which works as expected but doesn't support host name verification).

Part of the problem appears to be the overwritten blocking() method in Net/HTTPS.pm: Net::SSL cannot deal with non-blocking sockets, so they replace the method with a NOP. IO::Socket::SSL on the other hand supports non-blocking sockets, and actually depends on it for the timeout feature, so in that case the blocking() method should not be a NOP. Unfortunately that change alone doesn't fix the problem, though.

Comment 3 Petr Pisar 2011-11-22 11:45:14 UTC
Since F16, HTTPS is implemented by the perl-Net-HTTP package. Upstream decided to remove the no-op redefinition in Net-HTTP-6.02 (https://rt.cpan.org/Public/Bug/Display.html?id=72580). I think it's better to have one good implementation instead of two half-broken ones, so I will try removing the redefinition in older Fedoras too.

Comment 4 Petr Pisar 2011-11-22 12:11:02 UTC
Fixed in F17 by perl-Net-HTTP-6.02-1.fc17.

Comment 5 Fedora Update System 2011-11-22 12:45:24 UTC
perl-Net-HTTP-6.02-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/perl-Net-HTTP-6.02-1.fc16

Comment 6 Fedora Update System 2011-11-23 01:02:10 UTC
Package perl-Net-HTTP-6.02-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-Net-HTTP-6.02-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16283/perl-Net-HTTP-6.02-1.fc16
then log in and leave karma (feedback).

Comment 7 Ingo van Lil 2011-11-23 18:01:31 UTC
After installing the updated package the described test case fails using either socket implementation:

 - Net::SSL cannot deal with non-blocking sockets, so lwp-request fails immediately.

 - Using IO::Socket::SSL the request still blocks indefinitely. "strace" shows that the socket is indeed correctly set to non-blocking but the read is simply retried in 100ms intervals.

The endless polling loop is in Net::HTTP::Methods::my_readline(), but I'm not sure if the problem should be fixed there or in LWP::Protocol::https (or both). I will file a bug report at the Net-HTTP tracker, maybe the author has an idea what should be done.

Comment 8 Petr Pisar 2011-11-24 10:01:42 UTC
But were you talking about F15? Because I performed tests in F17 and F16 and it works for both implementations:

$ rpm -q perl-libwww-perl perl-Net-HTTP
perl-libwww-perl-6.02-3.fc16.noarch
perl-Net-HTTP-6.02-1.fc16.noarch

# iptables -I OUTPUT -o lo -p tcp --dport 443 -j DROP

$ lwp-request -t 2 'https://127.0.0.1:443/'
Can't connect to 127.0.0.1:443 (timeout)

LWP::Protocol::https::Socket: connect: timeout at /usr/share/perl5/LWP/Protocol/http.pm line 51.

$ LANG=en_US.UTF-8 PERL_LWP_SSL_VERIFY_HOSTNAME=0 PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL lwp-request -t 2 'https://127.0.0.1:443/'
Connect failed: connect: timeout; Connection timed out at /usr/share/perl5/LWP/Protocol/http.pm line 31

$ LANG=en_US.UTF-8 PERL_LWP_SSL_VERIFY_HOSTNAME=0 PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL lwp-request -t 2 'https://127.0.0.1:443/'
Can't connect to 127.0.0.1:443 (timeout)

LWP::Protocol::https::Socket: connect: timeout at /usr/share/perl5/LWP/Protocol/http.pm line 51.

Comment 9 Ingo van Lil 2011-11-24 10:20:55 UTC
I was talking about F16. The difference between our test cases is that in your case the timeout occurs early during establishing the connection, while in my case the SSL connection is successfully established but the server takes too much time to handle the HTTP request.

The IO::Socket::SSL::connect_SSL() method correctly handles the timeout, but Net::HTTP::Methods::my_readline(), invoked by read_response_headers(), does not.
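
The distinction drawn in Comments 7 and 9, as an added example that is not part of the bug thread and not Net::HTTP's code: a line read on a non-blocking socket that enforces a total deadline instead of retrying indefinitely. The helper name `readline_with_deadline` and the socket-pair peer are assumptions made for illustration; only core Perl modules are used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;            # also exports AF_UNIX, SOCK_STREAM, PF_UNSPEC
use IO::Select;
use Time::HiRes qw(time);

# Hypothetical helper (not Net::HTTP's my_readline): read one line from a
# non-blocking socket, failing once $timeout seconds have passed in total.
sub readline_with_deadline {
    my ($sock, $timeout) = @_;
    my $deadline = time() + $timeout;
    my $buf = '';
    while (1) {
        my $n = sysread($sock, $buf, 1024, length $buf);
        if (defined $n) {
            die "peer closed the connection\n" if $n == 0;
            return $1 if $buf =~ /\A(.*?\n)/s;
        }
        elsif (!($!{EAGAIN} || $!{EWOULDBLOCK} || $!{EINTR})) {
            die "read failed: $!\n";
        }
        # Retrying without this check is the failure mode from Comment 7:
        # the socket is non-blocking, so a silent peer never ends the loop.
        my $left = $deadline - time();
        die "read timeout\n" if $left <= 0;
        IO::Select->new($sock)->can_read($left);
    }
}

# Constructed test peer: a connected socket pair standing in for a server
# that accepted the connection (as in Comment 9) but has not answered yet.
my ($client, $server) = IO::Socket->socketpair(AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!\n";
$client->blocking(0);

my $t0 = time();
eval { readline_with_deadline($client, 0.5); 1 } or do {
    chomp(my $err = $@);
    printf "silent peer: %s after %.1f s\n", $err, time() - $t0;
};

# Once the peer sends a status line, the same call returns it.
syswrite($server, "HTTP/1.1 200 OK\r\n");
print "responsive peer: ", readline_with_deadline($client, 0.5);
```

Because the deadline is checked on every pass, a peer that trickles bytes without ever completing the line is cut off at the same point as a silent one.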

Comment 10 Fedora Update System 2011-12-02 21:33:13 UTC
perl-Net-HTTP-6.02-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora End Of Life 2012-08-07 20:22:10 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

