Description of problem:
The latest perl-libwww-perl updates (5.837-3.fc14 and 5.837-4.fc15) changed the default SSL Socket implementation from Net::SSL to IO::Socket::SSL because the former does not support host name verification. However, the latter implementation appears to ignore the 'timeout' parameter.

How reproducible:
100%

Steps to Reproduce:
1. Generate a self-signed certificate for a dummy SSL server:
   > openssl req -x509 -nodes -newkey rsa:1024 -keyout key.pem -out server.pem
   Type Enter to answer all questions
2. Start a dummy SSL server:
   > openssl s_server -key key.pem
3. Use Net::SSL to connect to the dummy server (old default behavior):
   > export PERL_LWP_SSL_VERIFY_HOSTNAME=0
   > export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
   > lwp-request -t 5 https://localhost:4433
4. Use IO::Socket::SSL to connect to the dummy server (new default behavior):
   > export PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL
   > lwp-request -t 5 https://localhost:4433

Actual results:
1. When using Net::SSL as SSL Socket implementation the request will time out after 5 seconds (as specified by the -t 5 parameter).
2. When using IO::Socket::SSL the request will not time out.

Expected results:
The request should time out after 5 seconds, independent of the SSL Socket implementation used.

I think this is not related to this update. The time-out issue has been known since 2003 (https://rt.cpan.org/Public/Bug/Display.html?id=3316).
You're right, the bug was already present before the update. The update triggered the bug, though, because LWP now prefers IO::Socket::SSL (which somehow causes this issue) over Net::SSL (which works as expected but doesn't support host name verification). Part of the problem appears to be the overwritten blocking() method in Net/HTTPS.pm: Net::SSL cannot deal with non-blocking sockets, so they replace the method with a NOP. IO::Socket::SSL on the other hand supports non-blocking sockets, and actually depends on it for the timeout feature, so in that case the blocking() method should not be a NOP. Unfortunately that change alone doesn't fix the problem, though.
Since F16, HTTPS is implemented by the perl-Net-HTTP package. Upstream decided to remove the no-op redefinition in Net-HTTP-6.02 (https://rt.cpan.org/Public/Bug/Display.html?id=72580). I think it's better to have one good implementation instead of two half-broken ones, so I will try removing the redefinition in older Fedoras too.
Fixed in F17 by perl-Net-HTTP-6.02-1.fc17.
perl-Net-HTTP-6.02-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/perl-Net-HTTP-6.02-1.fc16
Package perl-Net-HTTP-6.02-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing perl-Net-HTTP-6.02-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16283/perl-Net-HTTP-6.02-1.fc16
then log in and leave karma (feedback).

After installing the updated package the described test case fails using either socket implementation:
- Net::SSL cannot deal with non-blocking sockets, so lwp-request fails immediately.
- Using IO::Socket::SSL the request still blocks indefinitely. "strace" shows that the socket is indeed correctly set to non-blocking but the read is simply retried in 100ms intervals.

The endless polling loop is in Net::HTTP::Methods::my_readline(), but I'm not sure if the problem should be fixed there or in LWP::Protocol::https (or both). I will file a bug report at the Net-HTTP tracker, maybe the author has an idea what should be done.

But did you talk about F15? Because I performed tests in F17 and F16 and it works for both implementations:

$ rpm -q perl-libwww-perl perl-Net-HTTP
perl-libwww-perl-6.02-3.fc16.noarch
perl-Net-HTTP-6.02-1.fc16.noarch
# iptables -I OUTPUT -o lo -p tcp --dport 443 -j DROP
$ lwp-request -t 2 'https://127.0.0.1:443/'
Can't connect to 127.0.0.1:443 (timeout)
LWP::Protocol::https::Socket: connect: timeout at /usr/share/perl5/LWP/Protocol/http.pm line 51.
$ LANG=en_US.UTF-8 PERL_LWP_SSL_VERIFY_HOSTNAME=0 PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL lwp-request -t 2 'https://127.0.0.1:443/'
Connect failed: connect: timeout; Connection timed out at /usr/share/perl5/LWP/Protocol/http.pm line 31
$ LANG=en_US.UTF-8 PERL_LWP_SSL_VERIFY_HOSTNAME=0 PERL_NET_HTTPS_SSL_SOCKET_CLASS=IO::Socket::SSL lwp-request -t 2 'https://127.0.0.1:443/'
Can't connect to 127.0.0.1:443 (timeout)
LWP::Protocol::https::Socket: connect: timeout at /usr/share/perl5/LWP/Protocol/http.pm line 51.

I was talking about F16. The difference between our test cases is that in your case the timeout occurs early during establishing the connection, while in my case the SSL connection is successfully established but the server takes too much time to handle the HTTP request. The IO::Socket::SSL::connect_SSL() method correctly handles the timeout, but Net::HTTP::Methods::my_readline(), invoked by read_response_headers(), does not.
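
The read-phase case described in the comment above, as an added illustration that is not part of the bug thread and not code from Net::HTTP or LWP: a line reader on a non-blocking socket that enforces one overall deadline instead of retrying the read indefinitely. The helper name readline_with_deadline and the stalled peer are constructed for the demonstration, and a plain socketpair stands in for the TLS connection.

```perl
#!/usr/bin/perl
# Added illustration; not code from Net::HTTP or LWP.
use strict;
use warnings;
use Errno qw(EAGAIN EWOULDBLOCK EINTR);
use IO::Handle;
use IO::Select;
use Socket qw(AF_UNIX SOCK_STREAM PF_UNSPEC);
use Time::HiRes qw(time);

# Hypothetical helper: return one newline-terminated line from a non-blocking
# socket, or die once $timeout seconds have elapsed in total.
sub readline_with_deadline {
    my ($sock, $timeout) = @_;
    my $deadline = time() + $timeout;   # fixed once, never reset per retry
    my $sel      = IO::Select->new($sock);
    my $buf      = '';
    while (1) {
        return $1 if $buf =~ s/^(.*?\n)//;
        my $left = $deadline - time();
        die "read timeout\n" if $left <= 0;
        # Wait only for the time that remains, not a fixed polling interval.
        my @ready = $sel->can_read($left);
        next unless @ready;
        my $n = sysread($sock, $buf, 4096, length $buf);
        if (!defined $n) {
            # A spurious wakeup or signal is retried, but the deadline
            # check at the top of the loop still bounds the total wait.
            next if $!{EAGAIN} || $!{EWOULDBLOCK} || $!{EINTR};
            die "read failed: $!\n";
        }
        die "unexpected EOF\n" if $n == 0;
    }
}

# Constructed scenario: the connection is up and the peer has sent part of a
# status line, then stalls (the "server takes too much time" case).
socketpair(my $client, my $server, AF_UNIX, SOCK_STREAM, PF_UNSPEC)
    or die "socketpair: $!";
$client->blocking(0);
syswrite($server, "HTTP/1.1 200");      # no line terminator follows

my $start = time();
my $line  = eval { readline_with_deadline($client, 1) };
printf "gave up after %.1fs: %s", time() - $start, $@ unless defined $line;
```
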
perl-Net-HTTP-6.02-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping