Hi,
On Monday 29 April 2019 16:46:38 [email protected] wrote:
> I'm running a web scraper against a large number of devices that use HTTPS
> for configuration and ran into an issue where some of the older devices
> select a cipher suite that causes the SSL client to dump out a 'dh key too
> short' error.
>
> I can resolve it by changing the list of available ciphers by running
> perl in debug mode and adding $options{tls_ciphers} = 'DEFAULT:!DH' inside
> of UserAgent->_connect.
>
> I can't seem to find any way to get that value added to the IOLoop::TLS
> (other than manually breaking in and adding it).
>
> I'm admittedly a Mojo novice. Am I missing something obvious here or am I
> resigned to have to forego the ease of UserAgent and roll my own IOLoop
> client?

Mojolicious is using IO::Socket::SSL, so the easiest and cleanest way is to
change the global defaults of this module:

    # load the module explicitly so set_defaults exists at this point
    use IO::Socket::SSL;
    IO::Socket::SSL::set_defaults(
        SSL_cipher_list => 'DEFAULT:!DH'
    );

It should also be possible to set the ciphers in SSL_create_ctx_callback
(see the IO::Socket::SSL doc).

Another (dirty) way is to monkey patch / replace the
Mojo::IOLoop::TLS::negotiate method and set the arguments:

    use Mojo::Util qw(monkey_patch);
    # load the class first so the patch is not overwritten when it loads later
    use Mojo::IOLoop::TLS;
    # keep a ref to the original method
    my $orig_ioloop_tls_negotiate = \&Mojo::IOLoop::TLS::negotiate;
    monkey_patch 'Mojo::IOLoop::TLS', negotiate => sub {
        # accept either a hashref or a flat list of arguments
        my ($self, $args) = (shift, ref $_[0] ? $_[0] : {@_});
        $args->{tls_ciphers} = 'DEFAULT:!DH';
        return $orig_ioloop_tls_negotiate->($self, $args);
    };

I don't see a way to set the ciphers per connection.
Maybe UserAgent should be patched so ciphers can be passed around like
(tls_)cert/key/ca ?
Hope this helps
Vincent
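
Added example, not part of the original thread or of Mojolicious: both suggestions above change the cipher list for every TLS connection in the process, so this sketch uses IO::Socket::SSL directly to apply 'DEFAULT:!DH' per socket, only to hosts that actually fail with the DH error, and reports which devices needed it. The helper name probe_host, the 10 second timeout and the host[:port] argument format (hostname or IPv4) are assumptions.

```perl
#!/usr/bin/env perl
use strict;
use warnings;
use IO::Socket::SSL;    # exports $SSL_ERROR

# Cipher list from the thread; applied only to sockets that need it.
my $NO_DH = 'DEFAULT:!DH';

# Hypothetical helper: returns a hashref describing how the handshake went.
sub probe_host {
    my ($host, $port) = @_;
    my %base = (PeerHost => $host, PeerPort => $port, Timeout => 10);

    # First attempt: library defaults, certificate verification untouched.
    if (my $sock = IO::Socket::SSL->new(%base)) {
        my $r = {status => 'default', cipher => $sock->get_cipher};
        $sock->close;
        return $r;
    }
    my $err = "$!, " . ($SSL_ERROR // '');

    # Anything other than the DH error is reported as is, with no retry.
    return {status => 'failed', error => $err}
        unless $err =~ /dh key too short/i;

    # Retry with DH suites removed, for this one socket only.
    if (my $sock = IO::Socket::SSL->new(%base, SSL_cipher_list => $NO_DH)) {
        my $r = {status => 'no-dh fallback', cipher => $sock->get_cipher};
        $sock->close;
        return $r;
    }
    return {status => 'failed', error => "$!, " . ($SSL_ERROR // '')};
}

# Usage: perl probe.pl host[:port] ...
for my $target (@ARGV) {
    my ($host, $port) = split /:/, $target, 2;
    my $r = probe_host($host, $port || 443);
    printf "%-30s %-15s %s\n", $target, $r->{status},
        $r->{cipher} // $r->{error};
}
```

Hosts reported as 'no-dh fallback' are the ones still offering short DH parameters, which gives a list of devices to upgrade or reconfigure.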