Security Advisories (2)

CVE-2024-58134 (2025-05-03)

Mojolicious versions from 0.999922 for Perl uses a hard coded string, or the application's class name, as a HMAC session secret by default. These predictable default secrets can be exploited to forge session cookies. An attacker who knows or guesses the secret could compute valid HMAC signatures for the session cookie, allowing them to tamper with or hijack another user's session.

CVE-2024-58135 (2025-05-03)

Mojolicious versions from 7.28 for Perl may generate weak HMAC session secrets. When creating a default app with the "mojo generate app" tool, a weak secret is written to the application's configuration file using the insecure rand() function, and used for authenticating and protecting the integrity of the application's sessions. This may allow an attacker to brute force the application's session keys.

NAME

Mojo::IOLoop::TLS - Non-blocking TLS handshake

SYNOPSIS

use Mojo::IOLoop::TLS;

# Negotiate TLS
my $tls = Mojo::IOLoop::TLS->new($old_handle);
$tls->on(upgrade => sub ($tls, $new_handle) {...});
$tls->on(error => sub ($tls, $err) {...});
$tls->negotiate(server => 1, tls_version => 'TLSv1_2');

# Start reactor if necessary
$tls->reactor->start unless $tls->reactor->is_running;

DESCRIPTION

Mojo::IOLoop::TLS negotiates TLS for Mojo::IOLoop.

EVENTS

Mojo::IOLoop::TLS inherits all events from Mojo::EventEmitter and can emit the following new ones.

upgrade

$tls->on(upgrade => sub ($tls, $handle) {...});

Emitted once TLS has been negotiated.

error

$tls->on(error => sub ($tls, $err) {...});

Emitted if an error occurs during negotiation, fatal if unhandled.

ATTRIBUTES

Mojo::IOLoop::TLS implements the following attributes.

reactor

my $reactor = $tls->reactor;
$tls        = $tls->reactor(Mojo::Reactor::Poll->new);

Low-level event reactor, defaults to the reactor attribute value of the global Mojo::IOLoop singleton. Note that this attribute is weakened.

METHODS

Mojo::IOLoop::TLS inherits all methods from Mojo::EventEmitter and implements the following new ones.

can_tls

my $bool = Mojo::IOLoop::TLS->can_tls;

True if IO::Socket::SSL 2.009+ is installed and TLS support enabled.

negotiate

$tls->negotiate(server => 1, tls_version => 'TLSv1_2');
$tls->negotiate({server => 1, tls_version => 'TLSv1_2'});

Negotiate TLS.

These options are currently available:

server

server => 1

Negotiate TLS from the server-side, defaults to the client-side.

tls_ca

tls_ca => '/etc/tls/ca.crt'

Path to TLS certificate authority file.

tls_cert

tls_cert => '/etc/tls/server.crt'
tls_cert => {'mojolicious.org' => '/etc/tls/mojo.crt'}

Path to the TLS cert file, defaults to a built-in test certificate on the server-side.

tls_key

tls_key => '/etc/tls/server.key'
tls_key => {'mojolicious.org' => '/etc/tls/mojo.key'}

Path to the TLS key file, defaults to a built-in test key on the server-side.

tls_options

tls_options => {SSL_alpn_protocols => ['foo', 'bar'], SSL_verify_mode => 0x00, SSL_version => 'TLSv1_2'}

Additional options for IO::Socket::SSL.

new

my $tls = Mojo::IOLoop::TLS->new($handle);

Construct a new Mojo::IOLoop::Stream object.

	Global
`s`	Focus search bar
`?`	Bring up this help dialog

	GitHub
`g` `p`	Go to pull requests
`g` `i`	go to github issues (only if github is preferred repository)

	POD
`g` `a`	Go to author
`g` `c`	Go to changes
`g` `i`	Go to issues
`g` `d`	Go to dist
`g` `r`	Go to repository/SCM
`g` `s`	Go to source
`g` `b`	Go to file browse

	Search terms
module: (e.g. module:Plugin)
distribution: (e.g. distribution:Dancer auth)
author: (e.g. author:SONGMU Redis)
version: (e.g. version:1.00)