Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled
gregor herrmann
gregoa at debian.org
Sun Feb 18 00:41:20 GMT 2024
On Fri, 16 Feb 2024 15:56:04 +0100, Manfred Stock wrote:
> after upgrading to Debian Bookworm, we noticed that the sendxmpp command
> line tool was not working anymore in our setup. During the investigation
> of this issue, I noticed that downgrading IO-Socket-SSL to the version
> in Bullseye made sendxmpp work again. I then started to try all versions
> of IO-Socket-SSL between the version in Bullseye and the one in Bookworm
> and found that it stopped working with version 2.078. Eventually, I came
> up with a pull request [1] containing a patch that fixed it for us -
> apparently, the way XML-Stream was using IO-Socket-SSL most likely
> always resulted in the hostname verification to be done against the IP
> address of the peer instead of an actual hostname, which was always
> considered to be successful in IO-Socket-SSL < 2.078, but not anymore in
> newer versions.
Oh wow -- thank you!
I remember looking at #1050336 in libnet-xmpp-perl and having the
suspicion that the problem is actually in libxml-stream-perl, but
never managed to nail it down.
> Since the upstream seems quite inactive, it might be worth considering
> to add this or a similar patch to the package in Debian, as I came
> across several other bug reports in the Debian BTS which might actually
> be caused by this issue, like #986971 [2], #1032868 [3] and maybe also
> #1050336 [4] - at least the error messages in the first two look very
> similar to what I saw.
I've uploaded libxml-stream-perl 1.24-5 to unstable right now.
I'd like to invite the submitters of the other bugs to test if their
problems are fixed with libxml-stream-perl 1.24-5.
If yes, I'm happy to
- do some BTS manipulation
- more relevant: get this fix into bookworm for the next point
release.
Thanks again,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
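
A simplified model of the failure described in the quoted report, as an added example (not part of this message, and not code from XML-Stream, IO-Socket-SSL or the pull request): a certificate that lists only DNS names cannot match when the reference identity is the peer's IP address, but matches once the configured hostname is used. The certificate names, the address and the `skip_ip_reference` switch are constructed assumptions; the switch only mimics the "always considered successful" outcome the report attributes to IO-Socket-SSL < 2.078.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Match one dNSName entry; a wildcard may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_identity(san, reference, skip_ip_reference=False):
    """Return True if `reference` (the identity the client checks) is in the cert.

    san: list of ("DNS", name) / ("IP", address) tuples from subjectAltName.
    skip_ip_reference: assumption modelling the old outcome in the report,
    where a check against an IP address was always treated as successful.
    """
    if _is_ip(reference):
        if skip_ip_reference:
            return True  # nothing was actually compared with the certificate
        ref = ipaddress.ip_address(reference)
        return any(k == "IP" and ipaddress.ip_address(v) == ref for k, v in san)
    return any(k == "DNS" and _dns_match(v, reference) for k, v in san)

# Constructed sample data: an XMPP server certificate carrying DNS names only.
CERT_SAN = [("DNS", "xmpp.example.org"), ("DNS", "*.chat.example.org")]
PEER_IP = "192.0.2.10"            # address the TCP socket is connected to
SERVER_NAME = "xmpp.example.org"  # hostname the user configured

def demo():
    return {
        "ip_lenient": verify_identity(CERT_SAN, PEER_IP, skip_ip_reference=True),
        "ip_strict": verify_identity(CERT_SAN, PEER_IP),
        "hostname": verify_identity(CERT_SAN, SERVER_NAME),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:11} -> {'verified' if ok else 'verification failed'}")
```

The `ip_lenient` case is the one to watch for in client code: it reports success even though no name in the certificate was checked.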