jonjensen
Contributor

I have often used the extra response headers to troubleshoot a connection, e.g.:

Client-SSL-Cipher: ECDHE-RSA-AES128-GCM-SHA256
Client-SSL-Socket-Class: IO::Socket::SSL

but I also need to know the TLS version being used (1.2 or 1.3 in this case).

I didn't see a way to tell that, so figured adding the same kind of header for the version # would make sense.

Please let me know if there's already a way, or a better way to do this. Thanks!

coveralls commented Jun 19, 2020

Coverage increased (+0.7%) to 78.125% when pulling 35e8189 on jonjensen:master into 96ba0ba on libwww-perl:master.

my $self = shift;
$self->SUPER::_get_sock_info(@_);
my($res, $sock) = @_;
$sock->can('get_sslversion') and $res->header("Client-SSL-Version" => $sock->get_sslversion);
Member

It looks like get_sslversion() may return undef. So how about

diff --git lib/LWP/Protocol/https.pm lib/LWP/Protocol/https.pm
index 42451c6..f8fe07e 100644
--- lib/LWP/Protocol/https.pm
+++ lib/LWP/Protocol/https.pm
@@ -129,7 +129,7 @@ sub _get_sock_info
     my $self = shift;
     $self->SUPER::_get_sock_info(@_);
     my($res, $sock) = @_;
-    $sock->can('get_sslversion') and $res->header("Client-SSL-Version" => $sock->get_sslversion);
+    $sock->can('get_sslversion') and $res->header("Client-SSL-Version" => $sock->get_sslversion || "Unknown");
     $res->header("Client-SSL-Cipher" => $sock->get_cipher);
     my $cert = $sock->get_peer_certificate;
     if ($cert) {
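
Review bot: on the added `+` line, the `|| "Unknown"` fallback puts a sentinel string into Client-SSL-Version, so any caller that compares the header against expected protocol versions has to special-case it. Consider reading `$sock->get_sslversion` into a variable first and setting the header only when the value is defined, so that an absent header means the version was not available. Note also that `||` replaces every false value, not only undef; `//` is the more precise operator if the supported Perl versions allow it.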

Contributor Author

@skaji @oalders Good point. Perhaps it would be better not to add the header at all when it's unknown, as with Net::SSL? That seems better than the arbitrary "Unknown" to me. E.g. something like:

$sock->can('get_sslversion')
    and my $sslversion = $sock->get_sslversion
    and $res->header("Client-SSL-Version" => $sslversion);

Member

Sure, that sounds good to me. @skaji?

Member

Sounds reasonable.

Contributor Author

@skaji @oalders Ok, new version pushed. My untested proposal above had a my scope problem, so this is slightly different.

Works only with IO::Socket::SSL; skipped for Net::SSL which doesn't
expose it.
Member

oalders commented Jun 23, 2020

@jonjensen do you think we could add a basic unit test for this? It looks like an object that can('get_sslversion') should mostly do the trick.

And group the two separate requests into subtests.
@jonjensen
Contributor Author

@oalders When I went to look at this, it seemed reasonable to add these artificial response header tests to the existing live apache.org request tests, rather than mocking a socket class. So I did that to t/apache.t and pushed a new commit.

Maybe it's overengineered or something that really would be better as a unit test rather than an integration test. Let me know what you think.

Member

oalders commented Jul 16, 2020

@jonjensen thanks for this! The live tests can be somewhat brittle, but I think the Apache tests have historically been pretty good, so this should be fine.

@oalders oalders merged commit dec281d into libwww-perl:master Jul 16, 2020
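
The mock-socket unit test suggested earlier in the thread, sketched as an added example (it is not the code merged in this pull request). `Mock::Sock::WithVersion`, `Mock::Sock::NoVersion` and `add_ssl_headers` are hypothetical names, the helper follows the "omit the header when the version is unknown" behaviour discussed above, and the version and cipher values are constructed samples.

```perl
use strict;
use warnings;
use Test::More;
use HTTP::Response;

# Hypothetical stand-ins for the socket classes (constructed for this example).
{
    package Mock::Sock::WithVersion;    # socket class that exposes get_sslversion
    sub new            { my ($class, %args) = @_; return bless {%args}, $class }
    sub get_sslversion { return $_[0]{version} }
    sub get_cipher     { return $_[0]{cipher} }
    package Mock::Sock::NoVersion;      # socket class without get_sslversion
    sub new        { my ($class, %args) = @_; return bless {%args}, $class }
    sub get_cipher { return $_[0]{cipher} }
}

# Hypothetical helper: set Client-SSL-Version only when a version is known.
sub add_ssl_headers {
    my ($res, $sock) = @_;
    if ($sock->can('get_sslversion')) {
        my $version = $sock->get_sslversion;
        $res->header('Client-SSL-Version' => $version) if defined $version;
    }
    $res->header('Client-SSL-Cipher' => $sock->get_cipher);
    return $res;
}

my $cipher = 'ECDHE-RSA-AES128-GCM-SHA256';

subtest 'version reported' => sub {
    my $sock = Mock::Sock::WithVersion->new(version => 'TLSv1_3', cipher => $cipher);
    my $res  = add_ssl_headers(HTTP::Response->new(200), $sock);
    is($res->header('Client-SSL-Version'), 'TLSv1_3', 'header carries the version');
    is($res->header('Client-SSL-Cipher'), $cipher, 'cipher header unchanged');
};

subtest 'get_sslversion returns undef' => sub {
    my $sock = Mock::Sock::WithVersion->new(version => undef, cipher => $cipher);
    my $res  = add_ssl_headers(HTTP::Response->new(200), $sock);
    ok(!defined $res->header('Client-SSL-Version'), 'no header and no placeholder');
};

subtest 'socket class without get_sslversion' => sub {
    my $sock = Mock::Sock::NoVersion->new(cipher => $cipher);
    my $res  = add_ssl_headers(HTTP::Response->new(200), $sock);
    ok(!defined $res->header('Client-SSL-Version'), 'header skipped');
    is($res->header('Client-SSL-Cipher'), $cipher, 'cipher header still set');
};
done_testing;
```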