NAME
POE::Component::TLSify - Makes using SSL/TLS in the world of POE easy!
VERSION
version 0.04
SYNOPSIS
# look at the DESCRIPTION for client and server example code
DESCRIPTION
This component is a method to simplify the TLSification of a socket before it is passed to a POE::Wheel::ReadWrite wheel in your application.
Based on POE::Component::SSLify, instead of directly wrapping Net::SSLeay it uses IO::Socket::SSL and has slight differences in API as a result.
Client usage
# Import the module
use POE::Component::TLSify qw( Client_TLSify );
# Create a normal SocketFactory wheel and connect to a TLS-enabled server
my $factory = POE::Wheel::SocketFactory->new;
# Time passes, SocketFactory gives you a socket when it connects in SuccessEvent
# Convert the socket into a TLS socket POE can communicate with
my $socket = shift;
eval { $socket = Client_TLSify( $socket ) };
if ( $@ ) {
# Unable to TLSify it...
}
# Now, hand it off to ReadWrite
my $rw = POE::Wheel::ReadWrite->new(
Handle => $socket,
# other options as usual
);
Server usage
# !!! Make sure you have a public key + certificate
# excellent howto: http://www.akadia.com/services/ssh_test_certificate.html
# Import the module
use POE::Component::TLSify qw( Server_TLSify );
# Create a normal SocketFactory wheel to listen for connections
my $factory = POE::Wheel::SocketFactory->new;
# Time passes, SocketFactory gives you a socket when it gets a connection in SuccessEvent
# Convert the socket into a SSL socket POE can communicate with
my $socket = shift;
# Set the key + certificate file options to pass to IO::Socket::SSL
my $io_socket_ssl_args = {
SSL_cert_file => 'server.crt',
SSL_key_file => 'server.key',
};
eval { $socket = Server_TLSify( $socket, $io_socket_ssl_args ) };
if ( $@ ) {
# Unable to TLSify it...
}
# Now, hand it off to ReadWrite
my $rw = POE::Wheel::ReadWrite->new(
Handle => $socket,
# other options as usual
);
FUNCTIONS
Client_TLSify
This function tlsifies a client-side socket. You can pass several options to it:
my $socket = shift;
$socket = Client_TLSify( $socket, $io_socket_ssl_args, $callback );
$socket is the non-ssl socket you got from somewhere ( required )
$io_socket_ssl_args is a hashref of IO::Socket::SSL options to pass to that module
$callback is the callback hook on success/failure of tlsification
# This is an example of the callback and you should pass it as Client_SSLify( $socket, ... , \&callback );
sub callback {
my( $socket, $status, $errval ) = @_;
# $socket is the original sslified socket in case you need to play with it
# $status is either 1 or 0; with 1 signifying success and 0 failure
# $errval will be defined if $status == 0; it's whatever IO::Socket::SSL returned from errstr
# The return value from the callback is discarded
}
The function uses IO::Socket::SSL start_SSL
to start tlsification and calls connect_SSL
. The hashref of options passed in are passed to start_SSL
so you can adjust the tlsification to taste, such as adding client certificates, etc.
The callback unlike in POE::Component::SSLify must be the third argument. As with POE::Component::SSLify the callback can be a POE event, see postback/callback stuff in POE::Session.
Server_TLSify
This function sslifies a server-side socket. You can pass several options to it:
my $socket = shift;
my $io_socket_ssl_args = {
SSL_cert_file => 'server.crt',
SSL_key_file => 'server.key',
};
$socket = Server_TLSify( $socket, $io_socket_ssl_args, $callback );
$socket is the non-ssl socket you got from somewhere ( required )
$io_socket_ssl_args is a hashref of IO::Socket::SSL options to pass to that module
$callback is the callback hook on success/failure of tlsification
The function uses IO::Socket::SSL start_SSL
to start tlsification and calls accept_SSL
. The hashref of options passed in are passed to start_SSL
so you can adjust the tlsification to taste. At a minimum for a server you will require a certificate and key that should be passed with the SSL_cert_file
and SSL_key_file
options.
Please look at "Client_SSLify" for more details on the callback hook.
TLSify_GetSocket
Returns the actual IO::Socket::SSL socket used by the TLSified socket, useful for stuff like getpeername()/getsockname()
print "Remote IP is: " . inet_ntoa( ( unpack_sockaddr_in( getpeername( SSLify_GetSocket( $sslified_sock ) ) ) )[1] ) . "\n";
and all the other methods that IO::Socket::SSL provides.
TLSify_GetCipher
Returns the cipher used by the TLSified socket
print "SSL Cipher is: " . TLSify_GetCipher( $tlsified_sock ) . "\n";
NOTE: Doing this immediately after Client_TLSify or Server_TLSify will result in "(NONE)" because the SSL handshake is not done yet. The socket is nonblocking, so you will have to wait a little bit for it to get ready.
NOTES
Certificate Verification
POE::Component::SSLify did not do certificate validation and verification. IO::Socket::SSL does by default. It would be useful to make yourself aware of this default behaviour and check out the documentation for the following options SSL_verify_mode
, SSL_verify_callback
and SSL_ocsp_mode
.
Socket methods doesn't work
The new socket this module gives you actually is tied
socket magic, so you cannot do stuff like getpeername()
or getsockname()
. The only way to do it is to use "TLSify_GetSocket" and then operate on the IO::Socket::SSL socket it returns.
Dying to meet you ...
This module will die()
if TLSification process fails. So, it is recommended that you check for errors and not use SSL, like so:
eval { use POE::Component::TLSify };
if ( $@ ) {
$sslavailable = 0;
}
else {
$sslavailable = 1;
}
# Make socket SSL!
if ( $sslavailable ) {
eval { $socket = POE::Component::TLSify::Client_TLSify( $socket ) };
if ( $@ ) {
# Unable to TLSify the socket...
}
}
IO::Socket::SSL methods
The underlying socket is a IO::Socket::SSL so you may use any of the supported methods on the socket object. Use "TLSify_GetSocket" to retrieve that object.
Upgrading a non-ssl socket to SSL
You can have a normal plaintext socket, and convert it to TLS anytime. Just keep in mind that the client and the server must agree to tlsify at the same time, or they will be waiting on each other forever!
Downgrading a SSL socket to non-ssl
As of now this is unsupported. If you need this feature please let us know and we'll work on it together! In theory IO::Socket::SSL does provide a stop_SSL
method, so this should be possible.
ACKNOWLEDGEMENTS
Original POE::Component::SSLify:
Original code is entirely Rocco Caputo ( Creator of POE ) -> I (APOCAL) simply
packaged up the code into something everyone could use and accepted the burden
of maintaining it :)
POE::Component::TLSify is based on POE::Component::SSLify, I (BINGOS) simply
ported the code to use IO::Socket::SSL instead of using Net::SSLeay
Thanks also to Paul Evans (PEVANS), the IO::Async author, whose IO::Async::SSL
provided inspiration for using IO::Socket::SSL
AUTHORS
Chris Williams <chris@bingosnet.co.uk>
Apocalypse <APOCAL@cpan.org>
COPYRIGHT AND LICENSE
This software is copyright (c) 2020 by Chris Williams, Apocalypse.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.