From doug at donor.com Sun Oct 2 16:43:17 2022
From: doug at donor.com (Doug Juhlin)
Date: Sun, 2 Oct 2022 18:43:17 -0500
Subject: [bop-devel] BOP needs the server name SNI

Ivan,

I want to get back to you with an update.

We downgraded Net/HTTPS/Any.pm to ver 11 and forced it to call Crypt::SSLeay. Somehow it ends up calling the LWP modules which properly handle the SNI.

That's it! And this didn't break our other B:OP gateway to AuthorizeNet.

Thanks for your advice.

Doug

On Mon, Sep 12, 2022 at 12:56 PM Ivan Kohler wrote:

> On Mon, Sep 12, 2022 at 10:22:30AM -0700, Doug Juhlin wrote:
> > Ivan, we're using several Business::OnlinePayment modules and suddenly had
> > a new problem. One vendor (WorldPay at secure.worldpay.com) seems to be
> > requiring that the SNI be passed along. But the BOP modules call
> > Net::SSLeay->get_https() which does not include the SNI. We found this
> > quote:
> >
> > https://stackoverflow.com/questions/67537126/perl-netssleay-and-server-name-indications
> >
> > *get_https3 like many similar functions ultimately ends up in https_cat
> > where the SSL context setup and the SSL handshake are done. Unfortunately,
> > setting the server_name extension (SNI) is not done in this really old part
> > of the code, which comes from a time where SNI wasn't that essentially for
> > using HTTPS as it is today.*
> >
> > Have you heard of this problem? Any suggestions?
> >
> > Do you know of any other functions like get_https() which handle the
> > detailed SSL handshaking and include the SNI?
>
> I have not encountered this problem before in a B:OP context, no.
>
> It looks like LWP supports SNI (unless IO::Socket::SSL or OpenSSL
> versions are very old). That seems the most straightforward to
> implement to me.
>
> As an aside:
> Net::SSLeay does have some sparse documentation concerning SNI, but the
> suggested client usage (set_tlsext_host_name) doesn't line up with what
> I see IO::Socket::SSL doing, so I dunno if that would work.
>
> https://metacpan.org/dist/Net-SSLeay/view/lib/Net/SSLeay.pod#Low-level-API:-Server-side-Server-Name-Indication-(SNI)-support
>
> --
> Ivan Kohler
> President and Head Geek, Freeside Internet Services, Inc.
> http://freeside.biz/
> Debian GNU/Linux developer | CPAN author | ski addict

--
Doug Juhlin
doug at donor.com