Bug#1061660: liblwp-protocol-https-perl: Fail to verify certificates

gregor herrmann gregoa at debian.org
Sun Jan 28 17:17:16 GMT 2024 

Control: tag -1 + unreproducible

On Sun, 28 Jan 2024 09:07:00 +0100, Christian Marillat wrote:

> uscan from devscipts package fail to verify certificates afetr upgrading
> to liblwp-protocol-https-perl 6.12-1

Thanks for your bug report.
 
> ,----
> | uscan warn: In watchfile debian/watch, reading webpage
> |   https://qa.debian.org/watch/sf.php/pcre/ failed: 500 SSL upgrade failed: hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> |   https://qa.debian.org/watch/sf.php/mjpeg/ failed: 500 SSL upgrade failed: hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> |   https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags failed: 500 SSL upgrade failed: SSL connect attempt failed error:0A000410:SSL routines::sslv3 alert handshake failure
> | uscan warn: In watchfile debian/watch, reading webpage
> |   https://qa.debian.org/watch/sf.php/synfig/ failed: 500 SSL upgrade failed: hostname verification failed
> `----

I was a bit skeptical that these issues come from
liblwp-protocol-https-perl, as the changes between 6.11 and 6.12 are
small[0], and the errors sound like different issues:
- "hostname verification failed" might be the change in HTTP::Tiny …
  or no, as that validates SSL certs; the error "hostname verification
  failed" comes from libio-socket-ssl-perl
- "routines::sslv3 alert handshake failure" sounds like an openssl
  configuration thing


Interestingly I can't reproduce the issue which makes diving into the
problem a bit hard:


% cat qa-sf-watch 
version=4
https://qa.debian.org/watch/sf.php/pcre/ .*@ANY_VERSION@@ARCHIVE_EXT@


% cat gitlab-watch 
version=4
https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags .*@ANY_VERSION@@ARCHIVE_EXT@


% for w in qa-sf-watch gitlab-watch; do uscan --report --watchfile $w --package abc --upstream-version 123; done
%


Does it work for you if you downgrade liblwp-protocol-https-perl to 6.11-1
from testing? If yes, which of the two hunks from [0] is causing the
problem?
Do the errors from qa.debian.org go away if you run uscan as
"PERL_LWP_SSL_VERIFY_HOSTNAME=1 uscan …"?


Does anyone else reading along have any ideas?


Cheers,
gregor


[0]
diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm
index 16fce19..01a800b 100644
--- a/lib/LWP/Protocol/https.pm
+++ b/lib/LWP/Protocol/https.pm
@@ -56,7 +56,7 @@ EOT
         }
     }
     $self->{ssl_opts} = \%ssl_opts;
-    return (%ssl_opts, $self->SUPER::_extra_sock_opts);
+    return (%ssl_opts, MultiHomed => 1, $self->SUPER::_extra_sock_opts);
 }
    
 # This is a subclass of LWP::Protocol::http.
@@ -96,9 +96,12 @@ sub _get_sock_info
 if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) {
     *_upgrade_sock = sub {
        my ($self,$sock,$url) = @_;
+    # SNI should be passed there only if it is not an IP address.
+    # Details: https://github.com/libwww-perl/libwww-perl/issues/449#issuecomment-1896175509
+       my $host = $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host();
        $sock = LWP::Protocol::https::Socket->start_SSL( $sock,
            SSL_verifycn_name => $url->host,
-           SSL_hostname => $url->host,
+           SSL_hostname => $host,
            $self->_extra_sock_opts,
        );
        $@ = LWP::Protocol::https::Socket->errstr if ! $sock;

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: Digital Signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-perl-maintainers/attachments/20240128/b4fe45cf/attachment.sig>

More information about the pkg-perl-maintainers mailing list