<div dir="ltr"><div>Ivan, I want to get back to you with an update. </div><div>We downgraded <span style="color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">Net/HTTPS/Any.pm to ver 11 and forced it to call Crypt::SSLeay. Somehow it ends up calling the LWP modules which properly handle the SNI. That's it! And this didn't break our other B:OP gateway to AuthorizeNet.</span></div><div><span style="color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">Thanks for your advice.</span></div><div><span style="color:rgb(0,0,0);font-family:Arial;white-space:pre-wrap">Doug</span></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Sep 12, 2022 at 12:56 PM Ivan Kohler <<a href="mailto:ivan@freeside.biz">ivan@freeside.biz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, Sep 12, 2022 at 10:22:30AM -0700, Doug Juhlin wrote:<br>
> Ivan, we're using several Business::OnlinePayment modules and suddenly had<br>
> a new problem. One vendor (WorldPay at <a href="http://secure.worldpay.com" rel="noreferrer" target="_blank">secure.worldpay.com</a>) seems to be<br>
> requiring that the SNI be passed along. But the BOP modules call<br>
> Net::SSLeay->get_https() which does not include the SNI. We found this<br>
> quote:<br>
> <br>
> <a href="https://stackoverflow.com/questions/67537126/perl-netssleay-and-server-name-indications" rel="noreferrer" target="_blank">https://stackoverflow.com/questions/67537126/perl-netssleay-and-server-name-indications</a><br>
> *get_https3 like many similar functions ultimately ends up in https_cat<br>
> where the SSL context setup and the SSL handshake are done. Unfortunately,<br>
> setting the server_name extension (SNI) is not done in this really old part<br>
> of the code, which comes from a time where SNI wasn't that essential for<br>
> using HTTPS as it is today.*<br>
> <br>
> <br>
> Have you heard of this problem? Any suggestions?<br>
> <br>
> Do you know of any other functions like get_https() which handle the<br>
> detailed SSL handshaking and include the SNI?<br>
<br>
I have not encountered this problem before in a B:OP context, no.<br>
<br>
It looks like LWP supports SNI (unless IO::Socket::SSL or OpenSSL <br>
versions are very old). That seems the most straightforward to <br>
implement to me.<br>
<br>
As an aside:<br>
Net::SSLeay does have some sparse documentation concerning SNI, but the <br>
suggested client usage (set_tlsext_host_name) doesn't line up with what <br>
I see IO::Socket::SSL doing, so I dunno if that would work.<br>
<a href="https://metacpan.org/dist/Net-SSLeay/view/lib/Net/SSLeay.pod#Low-level-API:-Server-side-Server-Name-Indication-(SNI)-support" rel="noreferrer" target="_blank">https://metacpan.org/dist/Net-SSLeay/view/lib/Net/SSLeay.pod#Low-level-API:-Server-side-Server-Name-Indication-(SNI)-support</a><br>
<br>
-- <br>
Ivan Kohler<br>
President and Head Geek, Freeside Internet Services, Inc. <a href="http://freeside.biz/" rel="noreferrer" target="_blank">http://freeside.biz/</a><br>
Debian GNU/Linux developer | CPAN author | ski addict<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div>Doug Juhlin<br><a href="mailto:doug@donor.com" target="_blank">doug@donor.com</a><br></div><img src="https://d36vh9gkg2fzwi.cloudfront.net/assets/UoSyhCN-hSSJGtX5UoCeDA/donordotcom_signature_image.png"><br></div></div></div></div></div></div></div>
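Added example, not part of the original thread or of any Business::OnlinePayment or Net::HTTPS::Any code: a check that the local IO::Socket::SSL/OpenSSL stack can send SNI, plus a hypothetical `get_https_sni` helper that makes the request through LWP (the route suggested in the thread) with certificate hostname verification left on. It assumes LWP::Protocol::https is installed; the helper name and its return shape, modelled on `get_https`, are assumptions.

```perl
#!/usr/bin/perl
# Added example; helper names are hypothetical, not from B:OP or Net::HTTPS::Any.
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;
use Net::SSLeay;

# True when this IO::Socket::SSL / OpenSSL build can send the SNI extension.
sub client_sni_available {
    return IO::Socket::SSL->can_client_sni() ? 1 : 0;
}

# Hypothetical replacement for a get_https()-style call. LWP hands the
# connection to IO::Socket::SSL, which sends the URL's host name as SNI.
# Returns ($content, $status_line, %headers).
sub get_https_sni {
    my ($host, $port, $path) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 30,
        ssl_opts => { verify_hostname => 1 },   # keep certificate checks on
    );
    my $res = $ua->get("https://$host:$port$path");

    # Flatten headers into a hash with upper-cased keys (assumed caller format).
    my %headers = map { uc($_) => scalar $res->header($_) }
                  $res->header_field_names;

    # protocol() is undefined when LWP fails before any HTTP exchange.
    my $status = ($res->protocol // 'HTTP/?') . ' ' . $res->status_line;
    return ($res->decoded_content, $status, %headers);
}

unless (caller) {
    printf "Net::SSLeay %s, IO::Socket::SSL %s, client SNI: %s\n",
        $Net::SSLeay::VERSION, $IO::Socket::SSL::VERSION,
        client_sni_available() ? 'yes' : 'no';

    # The host is supplied by the operator on the command line; with no
    # argument the script only reports local capability and exits.
    if (my $host = shift @ARGV) {
        my ($page, $status, %h) = get_https_sni($host, 443, '/');
        print "$status\n";
        print "Server: $h{SERVER}\n" if defined $h{SERVER};
    }
}
```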