Bug#1061660: liblwp-protocol-https-perl: Fail to verify certificates
gregor herrmann
gregoa at debian.org
Sun Jan 28 17:17:16 GMT 2024
Control: tag -1 + unreproducible
On Sun, 28 Jan 2024 09:07:00 +0100, Christian Marillat wrote:
> uscan from devscripts package fails to verify certificates after upgrading
> to liblwp-protocol-https-perl 6.12-1
Thanks for your bug report.
> ,----
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/pcre/ failed: 500 SSL upgrade failed: hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/mjpeg/ failed: 500 SSL upgrade failed: hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags failed: 500 SSL upgrade failed: SSL connect attempt failed error:0A000410:SSL routines::sslv3 alert handshake failure
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/synfig/ failed: 500 SSL upgrade failed: hostname verification failed
> `----
I was a bit skeptical that these issues come from
liblwp-protocol-https-perl, as the changes between 6.11 and 6.12 are
small[0], and the errors sound like different issues:
- "hostname verification failed" might be the change in HTTP::Tiny …
or no, as that validates SSL certs; the error "hostname verification
failed" comes from libio-socket-ssl-perl
- "routines::sslv3 alert handshake failure" sounds like an openssl
configuration thing
Interestingly I can't reproduce the issue which makes diving into the
problem a bit hard:
% cat qa-sf-watch
version=4
https://qa.debian.org/watch/sf.php/pcre/ .*@ANY_VERSION@@ARCHIVE_EXT@
% cat gitlab-watch
version=4
https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags .*@ANY_VERSION@@ARCHIVE_EXT@
% for w in qa-sf-watch gitlab-watch; do uscan --report --watchfile $w --package abc --upstream-version 123; done
%
Does it work for you if you downgrade liblwp-protocol-https-perl to 6.11-1
from testing? If yes, which of the two hunks from [0] is causing the
problem?
Do the errors from qa.debian.org go away if you run uscan as
"PERL_LWP_SSL_VERIFY_HOSTNAME=1 uscan …"?
Does anyone else reading along have any ideas?
Cheers,
gregor
[0]
diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
index 16fce19..01a800b 100644
--- a/lib/LWP/Protocol/https.pm
+++ b/lib/LWP/Protocol/https.pm
@@ -56,7 +56,7 @@ EOT
}
}
$self->{ssl_opts} = \%ssl_opts;
- return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+ return (%ssl_opts, MultiHomed => 1, $self->SUPER::_extra_sock_opts);
}
# This is a subclass of LWP::Protocol::http.
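Review bot: `MultiHomed => 1` is added to the returned option list without a comment or reference explaining why it is needed, whereas the second hunk cites the upstream issue it addresses. Since `_extra_sock_opts` is also spliced into the `start_SSL` call in `_upgrade_sock`, a one-line comment stating the motivation and which socket class consumes the option would help anyone bisecting a regression between 6.11 and 6.12, as the reporter above is being asked to do.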
@@ -96,9 +96,12 @@ sub _get_sock_info
if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
*_upgrade_sock = sub {
my ($self,$sock,$url) = @_;
+ # SNI should be passed there only if it is not an IP address.
+ # Details: https://github.com/libwww-perl/libwww-perl/issues/449#issuecomment-1896175509
+ my $host = $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host();
$sock = LWP::Protocol::https::Socket->start_SSL( $sock,
SSL_verifycn_name => $url->host,
- SSL_hostname => $url->host,
+ SSL_hostname => $host,
$self->_extra_sock_opts,
);
$@ = LWP::Protocol::https::Socket->errstr if ! $sock;
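Review bot: the SNI decision `my $host = $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host();` is tested against `host_port()`, but URI's `host_port` appends `":"` and the scheme's default port whenever the authority carries none, so the `:` alternative matches for every https URL and `SSL_hostname` ends up undef for ordinary hostnames, not just IP literals. A server that requires SNI will then reject the ClientHello, which is consistent with the "sslv3 alert handshake failure" reported above for gitlab.com. Test `$url->host` instead (URI returns IPv6 literals without the brackets, so the `:` check still catches them): `my $h = $url->host; my $host = $h =~ m/:|^[\d.]+$/ ? undef : $h;`. `SSL_verifycn_name => $url->host` is unaffected, so name verification still uses the hostname.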
--
.''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org
: :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
`. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
`-
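The following Perl script is an added example, not part of this message or of lwp-protocol-https itself. It takes the SNI decision from the second hunk of [0] and runs it, side by side with a variant that tests `$url->host` instead of `$url->host_port`, over a few URLs: two hostnames, an IPv4 literal and an IPv6 literal (the two addresses are constructed documentation-range examples). It assumes only the URI module that LWP already depends on; the two function names are hypothetical. Because URI's `host_port` always appends the port, the patched form returns no SNI name for any of the URLs, while the variant drops SNI only for the two IP literals.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI;

# Mirrors the decision in the 6.12 hunk: the SNI name is dropped when the
# host_port() string contains ':' or is a dotted IPv4 quad.
sub sni_host_as_patched {
    my ($url) = @_;
    return $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host();
}

# Same intent, but tested against host() alone. URI strips the [] from
# IPv6 literals, so ':' still identifies them; a hostname never matches.
sub sni_host_fixed {
    my ($url) = @_;
    my $h = $url->host;
    return $h =~ m/:|^[\d.]+$/s ? undef : $h;
}

# Constructed inputs: the two IP addresses are documentation ranges.
my @urls = (
    'https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags',
    'https://qa.debian.org:8443/watch/',
    'https://192.0.2.10/',
    'https://[2001:db8::1]/',
);

for my $u (@urls) {
    my $url = URI->new($u);
    printf "%-48s host_port=%-22s patched=%-14s fixed=%s\n",
        $u, $url->host_port,
        sni_host_as_patched($url) // '(no SNI)',
        sni_host_fixed($url)      // '(no SNI)';
}
```

Run it with `perl sni-check.pl`; the `host_port` column makes the cause visible directly, since every entry carries a `:port` suffix whether or not the URL spelled one out.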