Bug#1061660: liblwp-protocol-https-perl: Fail to verify certificates
gregor herrmann
gregoa at debian.org
Sun Jan 28 18:03:41 GMT 2024
On Sun, 28 Jan 2024 18:44:02 +0100, Christian Marillat wrote:
> > Does it work for you if you downgrade liblwp-protocol-https-perl to 6.11-1
> > from testing? If yes, which of the two hunks from [0] is causing the
> > problem?
> This issue doesn't exist with 6.11-1. I've seen this bug when 6.12 has
> been installed.
What doesn't help is that I've uploaded libio-socket-ssl-perl 2.085-1
as well … (Although with minimal changes as well.)
> The attached patch isn't clean:
Sorry, that was a diff of the upstream git tags.
From the debdiff:
#v+
diff -Nru liblwp-protocol-https-perl-6.11/lib/LWP/Protocol/https.pm liblwp-protocol-https-perl-6.12/lib/LWP/Protocol/https.pm
--- liblwp-protocol-https-perl-6.11/lib/LWP/Protocol/https.pm 2023-07-09 17:10:32.000000000 +0200
+++ liblwp-protocol-https-perl-6.12/lib/LWP/Protocol/https.pm 2024-01-22 18:51:33.000000000 +0100
@@ -56,7 +56,7 @@
}
}
$self->{ssl_opts} = \%ssl_opts;
- return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+ return (%ssl_opts, MultiHomed => 1, $self->SUPER::_extra_sock_opts);
}
# This is a subclass of LWP::Protocol::http.
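Review bot: `MultiHomed => 1` on the changed return line is hard-coded with no comment explaining why an HTTPS socket needs it, and its position in the list decides who can override it. It sits after `%ssl_opts` and before `$self->SUPER::_extra_sock_opts`, so if the consumer builds a hash from this list (last key wins), a MultiHomed value passed through ssl_opts is silently replaced while one returned by the parent class still takes precedence. Please add a comment stating the reason for the option, and either put the default before `%ssl_opts` so callers can turn it off or document that it is intentionally forced.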
@@ -96,9 +96,12 @@
if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
*_upgrade_sock = sub {
my ($self,$sock,$url) = @_;
+ # SNI should be passed there only if it is not an IP address.
+ # Details: https://github.com/libwww-perl/libwww-perl/issues/449#issuecomment-1896175509
+ my $host = $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host();
$sock = LWP::Protocol::https::Socket->start_SSL( $sock,
SSL_verifycn_name => $url->host,
- SSL_hostname => $url->host,
+ SSL_hostname => $host,
$self->_extra_sock_opts,
);
$@ = LWP::Protocol::https::Socket->errstr if ! $sock;
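Review bot: the IP-address test on the added `my $host = ...` line runs against `$url->host_port()`, not `$url->host()`. URI's host_port returns the host and the port joined by a colon, and includes the port even when it is the scheme default, so the first alternative of `m/:|^[\d.]+$/s` matches ordinary hostnames as well. `$host` then ends up undef and `SSL_hostname` is no longer sent for names that need SNI, while `SSL_verifycn_name` still uses `$url->host`. Match against `$url->host` instead, so that `:` only catches IPv6 literals, and consider `\z` rather than `$` so that a trailing newline cannot pass the IPv4 check. A test covering a plain hostname, an IPv4 literal and an IPv6 literal would pin the intended behaviour down.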
#v-
> > Do the errors from qa.debian.org go away if you run uscan as
> > "PERL_LWP_SSL_VERIFY_HOSTNAME=1 uscan …"?
> Still the same. I also see this bug with gitlab.
Hm …
Cheers,
gregor
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-