Bug#1064058: libxml-stream-perl: TLS/SSL broken with IO-Socket-SSL >= 2.078 when hostname verification is enabled

Manfred Stock m-debian at nfred.ch
Mon Feb 19 19:48:26 GMT 2024


Hi gregor,

On Sun, Feb 18, 2024 at 01:41:20AM +0100, gregor herrmann wrote:
> On Fri, 16 Feb 2024 15:56:04 +0100, Manfred Stock wrote:
>
> > after upgrading to Debian Bookworm, we noticed that the sendxmpp command
> > line tool was not working anymore in our setup. [...] Eventually, I came
> > up with a pull request [1] containing a patch that fixed it for us -
> > [...]
>
> Oh wow -- thank you!

you're welcome, and thanks for your quick response!


> I remember looking at #1050336 in libnet-xmpp-perl and having the
> suspicion that the problem is actually in libxml-stream-perl, but
> never managed to nail it down.

It actually took me a while, too ;). I think I ended up in XML-Stream
because of the debug output, especially the binary part that was printed
in the output of a read operation. A few detours later, I found the
IO-Socket-SSL release where it stopped working and remembered that
start_SSL() was called in XML::Stream and that an example in the
documentation somewhere passed a hostname, which wasn't done in
XML::Stream. In conclusion, the error handling in XML::Stream (and maybe
Net::XMPP as well) seems to have some room for improvement, and I also
noticed that some messages in the debug output are quite misleading (the
"We are secure", for example, that was printed in TLSClientProceed(),
simply wasn't correct; at this point, upgrading the socket to SSL/TLS
had failed).


> > Since the upstream seems quite inactive, it might be worth considering
> > to add this or a similar patch to the package in Debian, as I came
> > across several other bug reports in the Debian BTS which might actually
> > be caused by this issue, like #986971 [2], #1032868 [3] and maybe also
> > #1050336 [4] - at least the error messages in the first two look very
> > similar to what I saw.
>
> I've uploaded libxml-stream-perl 1.24-5 to unstable right now.

Thanks! I quickly tested this package and can confirm that it works for
me.


> I'd like to invite the submitters of the other bugs to test if their
> problems are fixed with libxml-stream-perl 1.24-5.
>
> If yes, I'm happy to
> - do some BTS manipulation
> - more relevant: get this fix into bookworm for the next point
>   release.

This would be great, thanks!


Cheers,
Manfred


