I added the following section to the development version of Crypt::SSLeay:
Starting with version 6.02 of LWP, https support was unbundled into LWP::Protocol::https. This module specifies as one of its prerequisites IO::Socket::SSL which is automatically used by LWP::UserAgent unless this preference is overridden separately. IO::Socket::SSL is a more complete implementation, and, crucially, it allows hostname verification. Crypt::SSLeay does not support this. At this point, Crypt::SSLeay is maintained to support existing software that already depends on it.
However, it is possible that your software does not really depend on Crypt::SSLeay, only on the ability of LWP::UserAgent class to communicate with sites over SSL/TLS.
If you are using version LWP 6.02 or later, and therefore have installed LWP::Protocol::https and its dependencies, and do not explicitly use Net::SSL before loading LWP::UserAgent, or override the default socket class, you are probably using IO::Socket::SSL and do not really need Crypt::SSLeay.
If you have both Crypt::SSLeay and IO::Socket::SSL installed, and would like to force LWP::UserAgent to use Crypt::SSLeay, you can use:
    use Net::HTTPS;
    $Net::HTTPS::SSL_SOCKET_CLASS = 'Net::SSL';
    use LWP::UserAgent;
or
    local $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS} = 'Net::SSL';
    use LWP::UserAgent;
or
    use Net::SSL;
    use LWP::UserAgent;
For example, metacpan tells me Finance::Quote has a declared dependency on Crypt::SSLeay. But, when I look at the source, I see:
    my $ua;
    if ($USE_EXPERIMENTAL_UA) {
        $ua = Finance::Quote::UserAgent->new;
    } else {
        $ua = LWP::UserAgent->new;
    }
The other dependencies it declares are:
    "LWP::UserAgent" => 0,
    "Mozilla::CA" => 0,
That means, installing this module would pull in the latest LWP. Given that Crypt::SSLeay depends on LWP::Protocol::https, and that pulls in IO::Socket::SSL.
Since Finance::Quote does not seem to explicitly override the choice of plumbing, unless a user of the module set the environment variable PERL_NET_HTTPS_SSL_SOCKET_CLASS to Net::SSL.
See what I mean?
In conclusion, it is entirely possible that your code has been running without actually using Crypt::SSLeay for the past few years. Given the advantages of IO::Socket::SSL over Crypt::SSLeay, it is probably a good idea to ask yourself whether you really need to declare a dependency on Crypt::SSLeay.
Maybe all you need is a dependency on LWP::Protocol::https.
The updates I make to Crypt::SSLeay are mostly limited to build processes etc. They are not very frequent. The places that really depend on Crypt::SSLeay tend to have in place much older ecosystems. It is hard to diagnose problems in those environments if I break something. On the other hand, in more modern environments, your code that uses LWP::UserAgent to communicate over HTTPS is probably not touching anything within Crypt::SSLeay.
So, maybe it’s time to remove that declared dependency in your Makefile.PL.
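To see which socket class is actually selected in a given environment before dropping the dependency, the following added example (not part of Crypt::SSLeay or of the original post) loads Net::HTTPS and reports its choice along with any environment override. The sub names `https_backend` and `verdict` are hypothetical.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Report which TLS socket class Net::HTTPS, and therefore LWP::UserAgent,
# selects in this process. Add the application's own "use" lines above this
# sub (for example "use Net::SSL;") to reproduce its load order.
sub https_backend {
    my %r = (
        env_override => $ENV{PERL_NET_HTTPS_SSL_SOCKET_CLASS},
        preloaded    => [ grep { $INC{$_} } qw(Net/SSL.pm IO/Socket/SSL.pm) ],
    );

    # Net::HTTPS chooses its socket class once, when it is first loaded.
    # It dies if no backend is installed or the override names a bad class.
    if ( eval { require Net::HTTPS; 1 } ) {
        $r{socket_class} = $Net::HTTPS::SSL_SOCKET_CLASS;
        $r{version}      = $r{socket_class}->VERSION;
    }
    else {
        $r{error} = $@ || 'Net::HTTPS failed to load';
    }
    return \%r;
}

# Turn the report into a one-line finding (hypothetical helper).
sub verdict {
    my ($r) = @_;
    return "Net::HTTPS could not select a TLS backend: $r->{error}"
        if $r->{error};
    return "Net::SSL (Crypt::SSLeay) is in use: no hostname verification"
        if $r->{socket_class} eq 'Net::SSL';
    return "IO::Socket::SSL is in use: Crypt::SSLeay is not on the HTTPS path";
}

unless (caller) {
    my $r = https_backend();
    printf "%-14s %s\n", 'env override:', $r->{env_override} // '(unset)';
    printf "%-14s %s\n", 'preloaded:',
        join( ', ', @{ $r->{preloaded} } ) || '(none)';
    printf "%-14s %s %s\n", 'socket class:', $r->{socket_class},
        $r->{version} // ''
        if $r->{socket_class};
    print verdict($r), "\n";
}
```

Run it under the same user, environment and PERL5LIB as the application, since the result depends on PERL_NET_HTTPS_SSL_SOCKET_CLASS and on which modules are installed.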