develooper Front page | perl.perl5.porters | Postings from May 2021

Re: https "out of the box" on Win32 (was Re: PSC #021 2021-05-21)

Thread Previous | Thread Next
Tony Cook
May 25, 2021 06:48
Re: https "out of the box" on Win32 (was Re: PSC #021 2021-05-21)
Message ID:
On Tue, May 25, 2021 at 05:43:44AM +0000, Nicholas Clark wrote:
> On Tue, May 25, 2021 at 03:21:13PM +1000, Tony Cook wrote:
> > On Sun, May 23, 2021 at 03:30:24PM +0100, Neil Bowers wrote:
> > > Rik suggested that in this day and age Perl should really handle
> >   https, so we talked about that. Step 1 would be for Configure to
> >   notice that you've got openssl installed, so we could install
> >   Net::SSLeay for you. Even better would be if we could have
> >   IO::Socket::SSL included as well, so HTTP::Tiny could do https "out
> >   of the box". Possible 3rd step might be bundling openssl/libressl,
> >   but one step at a time. We'll talk about this some more.
> > 
> > I suspect on Win32 it would be simpler to use Win32::Internet (or
> > something that wraps the same APIs), of course there would need to be
> > another wrapper that selects that on Win32 and HTTP::Tiny otherwise.
> I wasn't aware of this. CPAN Testers is full of orange*
> but think that that is only because the module has no tests

Win32::Internet hasn't had a recent release, and four unresponded to
tickets, it may be that we need to adopt it or produce an alternative.

> > Another option would be an IO::Socket::SSL compatible wrapper around
> > the Win32 crypto API, but this would be a lot more effort.
> That sounds like a lot more work than your suggestion above.
> This is also writing C code on Win32, whereas the alternative is Perl code.

Yes, I don't think this one is practical, and is riskier from a
security point of view, as we'd have to write encryption protocol

Hopefully we'd use the highest level API we can, I suggested this only
because it would allow the current users of HTTP::Tiny to continue to
use that, with only HTTP::Tiny changing.

> > Either has the advantage that it uses the Windows certificate store,
> > which I think is more likely to be kept up to date than other sources.
> I wasn't aware that Windows did it this way. However, I have been bitten
> by certificates (or lack of them) on Linux, and how to get the current
> sets on older OSes without rolling a whole bunch of stuff yourself.
> So using the official store seems like the best way to make this actually
> work, instead of just being "marketing compatible with https".

We might want the same on OS X for similar reasons, though from what I
can tell the APIs require Objective C.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About