Debian Bug report logs - #622917
checkgmail: Fails with Error: 500 Can't connect to www.google.com:443 (Crypt-SSLeay can't verify hostnames)

version graph

Package: checkgmail; Maintainer for checkgmail is Sandro Tosi <morph@debian.org>; Source for checkgmail is src:checkgmail.

Reported by: Jakub Lucký <jakub@jakublucky.cz>

Date: Fri, 15 Apr 2011 20:33:02 UTC

Severity: important

Tags: moreinfo, unreproducible

Found in version checkgmail/1.13+svn43-2

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, jakub@jakublucky.cz, Sandro Tosi <morph@debian.org>:
Bug#622917; Package checkgmail. (Fri, 15 Apr 2011 20:33:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jakub Lucký <jakub@jakublucky.cz>:
New Bug report received and forwarded. Copy sent to jakub@jakublucky.cz, Sandro Tosi <morph@debian.org>. (Fri, 15 Apr 2011 20:33:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jakub Lucký <jakub@jakublucky.cz>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Fri, 15 Apr 2011 22:30:12 +0200
Package: checkgmail
Version: 1.13+svn43-2
Severity: important

Checkgmail started to suddenly die with error message "Error: 500 Can't connect
to www.google.com:443 (Crypt-SSLeay can't verify hostnames)". After some time
spent with Google, I found that this problem is due to not installed libio-
socket-ssl-perl. After installing this package checkgmail works as it used to.

Perhaps libio-socket-ssl-perl should be more likely be dependency of libcrypt-
ssleay-perl, but this is more your decision than mine, as I don't know the
inner working of those modules.

Thanks for your time
Jakub Lucký



-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=cs_CZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages checkgmail depends on:
ii  libcrypt-blowfish-perl        2.12-1     Blowfish cryptography for Perl
ii  libcrypt-ssleay-perl          0.57-2+b1  Support for https protocol in LWP
ii  libfreezethaw-perl            0.5001-1   module to serialize and deserializ
ii  libgtk2-perl                  2:1.223-1  Perl interface to the 2.x series o
ii  libgtk2-trayicon-perl         0.06-1     Perl interface to fill the system 
ii  libgtk2.0-0                   2.24.4-3   The GTK+ graphical user interface 
ii  libwww-perl                   6.01-3     simple and consistent interface to
ii  libxml-simple-perl            2.18-3     Perl module for reading and writin
ii  perl [libcompress-zlib-perl]  5.10.1-19  Larry Wall's Practical Extraction 

Versions of packages checkgmail recommends:
ii  libcrypt-simple-perl          0.06-6     Perl library to encrypt stuff simp

checkgmail suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#622917; Package checkgmail. (Wed, 20 Apr 2011 22:00:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sandro Tosi <morph@debian.org>:
Extra info received and forwarded to list. (Wed, 20 Apr 2011 22:00:03 GMT) Full text and rfc822 format available.

Message #10 received at 622917@bugs.debian.org (full text, mbox):

From: Sandro Tosi <morph@debian.org>
To: Jakub Lucký <jakub@jakublucky.cz>, 622917@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Wed, 20 Apr 2011 23:57:22 +0200
reassign 622917 libcrypt-ssleay-perl
affects 622917 checkgmail
thanks

Hi Jakub,

2011/4/15 Jakub Lucký <jakub@jakublucky.cz>:
> Package: checkgmail
> Version: 1.13+svn43-2
> Severity: important
>
> Checkgmail started to suddenly die with error message "Error: 500 Can't connect
> to www.google.com:443 (Crypt-SSLeay can't verify hostnames)". After some time
> spent with Google, I found that this problem is due to not installed libio-
> socket-ssl-perl. After installing this package checkgmail works as it used to.
>
> Perhaps libio-socket-ssl-perl should be more likely be dependency of libcrypt-
> ssleay-perl, but this is more your decision than mine, as I don't know the
> inner working of those modules.

We are just using Crypt::SSLeay:

$ grep -w use checkgmail  | grep -i ssl
	use Crypt::SSLeay;

so if this library needs libio-socket-ssl-perl it's its responsibility
to add it, hence reassigning.

Regards,
-- 
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi




Bug reassigned from package 'checkgmail' to 'libcrypt-ssleay-perl'. Request was from Sandro Tosi <morph@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2011 22:00:04 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions checkgmail/1.13+svn43-2. Request was from Sandro Tosi <morph@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2011 22:00:05 GMT) Full text and rfc822 format available.

Added indication that 622917 affects checkgmail Request was from Sandro Tosi <morph@debian.org> to control@bugs.debian.org. (Wed, 20 Apr 2011 22:00:06 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Noèl Köthe <noel@debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Mon, 02 Jan 2012 23:33:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Noèl Köthe <noel@debian.org>. (Mon, 02 Jan 2012 23:33:03 GMT) Full text and rfc822 format available.

Message #21 received at 622917@bugs.debian.org (full text, mbox):

From: gregor herrmann <gregoa@debian.org>
To: Sandro Tosi <morph@debian.org>, 622917@bugs.debian.org
Cc: Jakub Lucký <jakub@jakublucky.cz>, debian-perl@lists.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Tue, 3 Jan 2012 00:32:21 +0100
[Message part 1 (text/plain, inline)]
On Wed, 20 Apr 2011 23:57:22 +0200, Sandro Tosi wrote:

(New maintainer here :))

> > Checkgmail started to suddenly die with error message "Error: 500 Can't connect
> > to www.google.com:443 (Crypt-SSLeay can't verify hostnames)". After some time
> > spent with Google, I found that this problem is due to not installed libio-
> > socket-ssl-perl. After installing this package checkgmail works as it used to.
> >
> > Perhaps libio-socket-ssl-perl should be more likely be dependency of libcrypt-
> > ssleay-perl, but this is more your decision than mine, as I don't know the
> > inner working of those modules.
> 
> We are just using Crypt::SSLeay:
> 
> $ grep -w use checkgmail  | grep -i ssl
> 	use Crypt::SSLeay;
> 
> so if this library needs libio-socket-ssl-perl it's its responsibility
> to add it, hence reassigning.

Interesting. Crypt::SSLeay doesn't use IO::Socket::SSL; the nearest I
get is IO::Socket::INET in Net::SSL.

(And checkgmail indeed doesn't use any IO::Socket::* anywhere.)

Since libio-socket-ssl-perl depends on libcrypt-ssleay-perl, I'm not
going to introduce a circular dependency now. But we should find out
what's going on there ...


Cheers,
gregor
 
-- 
 .''`.   Homepage: http://info.comodo.priv.at/ - OpenPGP key ID: 0x8649AA06
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Mon, 30 Jul 2012 14:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 30 Jul 2012 14:09:03 GMT) Full text and rfc822 format available.

Message #26 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sandro Tosi <morph@debian.org>, 622917@bugs.debian.org, Jakub Lucký <jakub@jakublucky.cz>, debian-perl@lists.debian.org, gregoa@debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Mon, 30 Jul 2012 16:04:10 +0200
[Message part 1 (text/plain, inline)]
Control: retitle -1 libcrypt-ssleay-perl: Missing dependency on liblwp-protocol-https-perl
Control: forwarded -1 https://rt.cpan.org/Public/Bug/Display.html?id=73754

Hi

On Tue, Jan 03, 2012 at 12:32:21AM +0100, gregor herrmann wrote:
> On Wed, 20 Apr 2011 23:57:22 +0200, Sandro Tosi wrote:
> 
> (New maintainer here :))
> 
> > > Checkgmail started to suddenly die with error message "Error: 500 Can't connect
> > > to www.google.com:443 (Crypt-SSLeay can't verify hostnames)". After some time
> > > spent with Google, I found that this problem is due to not installed libio-
> > > socket-ssl-perl. After installing this package checkgmail works as it used to.
> > >
> > > Perhaps libio-socket-ssl-perl should be more likely be dependency of libcrypt-
> > > ssleay-perl, but this is more your decision than mine, as I don't know the
> > > inner working of those modules.
> > 
> > We are just using Crypt::SSLeay:
> > 
> > $ grep -w use checkgmail  | grep -i ssl
> > 	use Crypt::SSLeay;
> > 
> > so if this library needs libio-socket-ssl-perl it's its responsibility
> > to add it, hence reassigning.
> 
> Interesting. Crypt::SSLeay doesn't use IO::Socket::SSL; the nearest I
> get is IO::Socket::INET in Net::SSL.
> 
> (And checkgmail indeed doesn't use any IO::Socket::* anywhere.)
> 
> Since libio-socket-ssl-perl depends on libcrypt-ssleay-perl, I'm not
> going to introduce a circular dependency now. But we should find out
> what's going on there ...

It seems this was reported upstream as [1].

 [1]: https://rt.cpan.org/Public/Bug/Display.html?id=73754

libio-socket-ssl-perl depends on libnet-ssleay-perl AFAICS, so adding
a dependency for libcrypt-ssleay-perl on liblwp-protocol-https-perl
should be fine.

But I will doublecheck this, and then we can maybe upload the package
with only the dependency added. (and ask for an unblock). 

(please do not upload libcrypt-ssleay-perl 0.60 yet)

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Changed Bug title to 'libcrypt-ssleay-perl: Missing dependency on liblwp-protocol-https-perl' from 'checkgmail: Missing dependency on libio-socket-ssl-perl' Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Mon, 30 Jul 2012 14:09:03 GMT) Full text and rfc822 format available.

Set Bug forwarded-to-address to 'https://rt.cpan.org/Public/Bug/Display.html?id=73754'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Mon, 30 Jul 2012 14:09:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Mon, 30 Jul 2012 15:33:09 GMT) Full text and rfc822 format available.

Message #33 received at 622917@bugs.debian.org (full text, mbox):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 622917@bugs.debian.org, 622917-submitter@bugs.debian.org
Subject: Pending fixes for bugs in the libcrypt-ssleay-perl package
Date: Mon, 30 Jul 2012 15:19:57 +0000
tag 622917 + pending
thanks

Some bugs in the libcrypt-ssleay-perl package are closed in revision
ec1a5ca82bba81295d6042b3b1c6658753a7120b in branch 'master' by
Salvatore Bonaccorso

The full diff can be seen at
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libcrypt-ssleay-perl.git;a=commitdiff;h=ec1a5ca

Commit message:

    Add (build-)dependency for LWP::Protocol::https
    
    Add missing (Build-)Depends(-Indep) on liblwp-protocol-https-perl.
    
    See https://rt.cpan.org/Public/Bug/Display.html?id=73754
    
    Closes: #622917




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 30 Jul 2012 15:33:15 GMT) Full text and rfc822 format available.

Message sent on to Jakub Lucký <jakub@jakublucky.cz>:
Bug#622917. (Mon, 30 Jul 2012 15:33:20 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Mon, 30 Jul 2012 21:42:03 GMT) Full text and rfc822 format available.

Message #41 received at 622917@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Mon, 30 Jul 2012 23:39:30 +0200
* Salvatore Bonaccorso <carnil@debian.org>, 2012-07-30, 16:04:
>>Since libio-socket-ssl-perl depends on libcrypt-ssleay-perl, I'm not 
>>going to introduce a circular dependency now. But we should find out 
>>what's going on there ...

Given that both libio-socket-ssl-perl and libcrypt-ssleay-perl provide 
independent SSL socket implementations, dependency in either way sounds 
like a bug to me.

Also, I'm afraid that installing libio-socket-ssl-perl fixes 
checkgmail's problem only because LWP prefers IO::Socket::SSL over 
Net::SSL (i.e.: libcrypt-ssleay-perl is not used at all).

To check this, export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL and 
notice that the problem reappears.

>libio-socket-ssl-perl depends on libnet-ssleay-perl AFAICS, so adding a 
>dependency for libcrypt-ssleay-perl on liblwp-protocol-https-perl 
>should be fine.

That still introduces a circular dependency:

libcrypt-ssleay-perl -> liblwp-protocol-https-perl -> 
libio-socket-ssl-perl -> libnet-ssleay-perl

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Tue, 31 Jul 2012 06:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 31 Jul 2012 06:42:03 GMT) Full text and rfc822 format available.

Message #46 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Tue, 31 Jul 2012 08:38:47 +0200
[Message part 1 (text/plain, inline)]
Hi Jakub

Many thanks for reviewing this, is really apreciated!

On Mon, Jul 30, 2012 at 11:39:30PM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil@debian.org>, 2012-07-30, 16:04:
> >>Since libio-socket-ssl-perl depends on libcrypt-ssleay-perl, I'm
> >>not going to introduce a circular dependency now. But we should
> >>find out what's going on there ...
> 
> Given that both libio-socket-ssl-perl and libcrypt-ssleay-perl
> provide independent SSL socket implementations, dependency in either
> way sounds like a bug to me.
> 
> Also, I'm afraid that installing libio-socket-ssl-perl fixes
> checkgmail's problem only because LWP prefers IO::Socket::SSL over
> Net::SSL (i.e.: libcrypt-ssleay-perl is not used at all).
> 
> To check this, export PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL and
> notice that the problem reappears.

Hmm, I think you are right here. I don't know the exact history behind
the package liblwp-protocol-https-perl in the Debian Perl group, but
we have explicitly the Depends on:

libio-socket-ssl-perl (>= 1.54), libnet-http-perl

which forces for Net::HTTPS the preference on IO::Socket::SSL, this is
true.

> >libio-socket-ssl-perl depends on libnet-ssleay-perl AFAICS, so
> >adding a dependency for libcrypt-ssleay-perl on
> >liblwp-protocol-https-perl should be fine.
> 
> That still introduces a circular dependency:
> 
> libcrypt-ssleay-perl -> liblwp-protocol-https-perl ->
> libio-socket-ssl-perl -> libnet-ssleay-perl

Could you help me here? I don't get it yet. libcrypt-ssleay-perl and
libnet-ssleay-perl are from two different source packages.

Thanks and regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Tue, 31 Jul 2012 08:30:03 GMT) Full text and rfc822 format available.

Message #49 received at 622917@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Tue, 31 Jul 2012 10:28:16 +0200
* Salvatore Bonaccorso <carnil@debian.org>, 2012-07-31, 08:38:
>>libcrypt-ssleay-perl -> liblwp-protocol-https-perl -> 
>>libio-socket-ssl-perl -> libnet-ssleay-perl
>
>Could you help me here? I don't get it yet. libcrypt-ssleay-perl and 
>libnet-ssleay-perl are from two different source packages.

Bah, you're right. I can't read. :)

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Tue, 31 Jul 2012 23:24:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Tue, 31 Jul 2012 23:24:03 GMT) Full text and rfc822 format available.

Message #54 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Wed, 1 Aug 2012 01:21:47 +0200
[Message part 1 (text/plain, inline)]
Hey Jakub

On Tue, Jul 31, 2012 at 10:28:16AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil@debian.org>, 2012-07-31, 08:38:
> >>libcrypt-ssleay-perl -> liblwp-protocol-https-perl ->
> >>libio-socket-ssl-perl -> libnet-ssleay-perl
> >
> >Could you help me here? I don't get it yet. libcrypt-ssleay-perl
> >and libnet-ssleay-perl are from two different source packages.
> 
> Bah, you're right. I can't read. :)

Okay thanks. I was not sure if I miss something else :)

I had a bit a look at the issue you mentioned:

The manpage for Crypt::SSLeay has:

       The "Crypt::SSLeay" package provides "Net::SSL", which is loaded by "LWP::Protocol::https" for https
       requests and provides the necessary SSL glue.

But: we had the missing the dependency for LWP::Protocol::https until
0.58-1. The above seems not clear.

Looking at the dependencies for liblwp-protocol-https-perl I see there
is libnet-http-perl in the Depends. In Net::HTTPS then the following:

----cut---------cut---------cut---------cut---------cut---------cut-----
 52 sub http_connect {
 53     my($self, $cnf) = @_;
 54     if ($self->isa("Net::SSL")) {
 55     if ($cnf->{SSL_verify_mode}) {
 56         if (my $f = $cnf->{SSL_ca_file}) {
 57         $ENV{HTTPS_CA_FILE} = $f;
 58         }
 59         if (my $f = $cnf->{SSL_ca_path}) {
 60         $ENV{HTTPS_CA_DIR} = $f;
 61         }
 62     }
 63     if ($cnf->{SSL_verifycn_scheme}) {
 64         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment     variable to 0";
 65         return undef;
 66     }
 67     }
 68     $self->SUPER::configure($cnf);
 69 }
----cut---------cut---------cut---------cut---------cut---------cut-----

Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
Furthermore Net::HTTPS itself prefers IO::Socket::SSL over Net::SSL if
it is available.

At this point now I'm confused and I'm thinking libcrypt-ssleay-perl
does not need the dependency on liblwp-protocol-https-perl.

checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
turn depends on libnet-http-perl. libnet-http-perl has according the
above a *Recommends* on libio-socket-ssl-perl to have hostname
verification working. Btw, this was added in [1].

 [1]: http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libnet-http-perl.git;a=commitdiff;h=8231ef0cf6eb3c14fe55f9323077f31abf95c904

Looking at it seems okay to me to have libio-socket-ssl-perl in
Recommends for libnet-http-perl (and not Depends) at first glance.

checkgmail now uses libwww-perl which has verify_hostname set to 1 by
default:

----cut---------cut---------cut---------cut---------cut---------cut-----
=item PERL_LWP_SSL_VERIFY_HOSTNAME                                                                                                                                                  

The default C<verify_hostname> setting for C<LWP::UserAgent>.  If
not set the default will be 1.  Set it as 0 to disable hostname
verification (the default prior to libwww-perl 5.840.
----cut---------cut---------cut---------cut---------cut---------cut-----

... and this reminds me now[2].

 [2]: http://bugs.debian.org/669126

Furthermore I suspect the original bugreporter had installed
checkgmail without installing Recommends, is this correct? Furthermore
indeed reporter had libwww-perl 6.01-3 installed, so one which has set
the verify_hostname by default).

As the above is a bit confusing I try to summarize:

 1/ Adding liblwp-protocol-https-perl dependencies to
    libcrypt-ssleay-perl seems wrong.

 2/ libnet-http-perl recommends libio-socket-ssl-perl which is correct,
    as it supports both Net::SSL as IO::Socket::SSL, but if you want
    hostname verification you need IO::Socket::SSL.

 3/ libwww-perl (>= 6.01-1) sets the verify_hostname by default.

 4/ checkgmail uses implicity libwww-perl (which has verify_hostname
    set by default). But if checkgmail is now installed on a system
    which does not install recommends there is a discrepancy as
    libwww-perl set's the verification, but libnet-http-perl will not
    install libio-socket-ssl-perl.

This is what I have so far. Any comments from others?

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Wed, 01 Aug 2012 07:36:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 01 Aug 2012 07:36:08 GMT) Full text and rfc822 format available.

Message #59 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Wed, 1 Aug 2012 09:27:23 +0200
[Message part 1 (text/plain, inline)]
> As the above is a bit confusing I try to summarize:
>
>  1/ Adding liblwp-protocol-https-perl dependencies to
>     libcrypt-ssleay-perl seems wrong.

Sorry. This indeed schould be correct. There should be the dependency on
liblwp-protocol-https-perl

Regards
Salvatore
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Wed, 01 Aug 2012 08:45:03 GMT) Full text and rfc822 format available.

Message #62 received at 622917@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 622917@bugs.debian.org
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Wed, 1 Aug 2012 10:43:08 +0200
* Salvatore Bonaccorso <carnil@debian.org>, 2012-08-01, 01:21:
>----cut---------cut---------cut---------cut---------cut---------cut-----
> 52 sub http_connect {
> 53     my($self, $cnf) = @_;
> 54     if ($self->isa("Net::SSL")) {
> 55     if ($cnf->{SSL_verify_mode}) {
> 56         if (my $f = $cnf->{SSL_ca_file}) {
> 57         $ENV{HTTPS_CA_FILE} = $f;
> 58         }
> 59         if (my $f = $cnf->{SSL_ca_path}) {
> 60         $ENV{HTTPS_CA_DIR} = $f;
> 61         }
> 62     }
> 63     if ($cnf->{SSL_verifycn_scheme}) {
> 64         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment     variable to 0";
> 65         return undef;
> 66     }
> 67     }
> 68     $self->SUPER::configure($cnf);
> 69 }
>----cut---------cut---------cut---------cut---------cut---------cut-----
>
>Which suggests: If you need to verify hostnames, use IO::Socket::SSL.

Correct. It's been always like that with Crypt::SSLeay: if you wanted to 
verify certificates you had to jump through many un(der)documented hops. 
Recently LWP added an extra one...

>Furthermore Net::HTTPS itself prefers IO::Socket::SSL over Net::SSL if 
>it is available.

Right. And that one if straight-forward to use. Ideally, applications 
should stop using Crypt::SSLeay wherever possible.

>At this point now I'm confused and I'm thinking libcrypt-ssleay-perl 
>does not need the dependency on liblwp-protocol-https-perl.

Yeah, it's not Crypt::SSLeay using LWP::Protocol::https, but the other 
way round. Also, I can image that you could you Crypt::SSLeay without 
LWP at all.

>checkgmail Depends on libwww-perl for LWP::UserAgent, which on his turn 
>depends on libnet-http-perl.

It's simpler than that. The Depends chain currently (both in wheezy and 
unstable) is:

checkgmail -> libwww-perl -> liblwp-protocol-https-perl -> libio-socket-ssl-perl

Which makes me wonder how the submitter managed to trigger the bug in 
the first place...

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Thu, 02 Aug 2012 14:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Thu, 02 Aug 2012 14:57:03 GMT) Full text and rfc822 format available.

Message #67 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622917@bugs.debian.org
Cc: 683334@bugs.debian.org, Philipp Kern <pkern@debian.org>
Subject: Re: Bug#622917: checkgmail: Missing dependency on libio-socket-ssl-perl
Date: Thu, 2 Aug 2012 16:54:16 +0200
[Message part 1 (text/plain, inline)]
Hi Jakub

(I'm Cc'ing the bugreport for the release-team and Philipp Kern
directly)

Thanks a lot for helping bringing some light into this issue!

I convinced now, that adding liblwp-protocol-https-perl to
(build-)dependencies for libcrypt-ssleay-perl should not be needed[1]
(we can close the request to the release team, AFAICS), and is not the
cause of this checkmail Problem.

 [1] Even if this is done upstream for Crypt::SSLeay 0.60, which has
     other reasons it is done, namely[2]:

 [2]: http://search.cpan.org/diff?from=Crypt-SSLeay-0.58&to=Crypt-SSLeay-0.59_02&w=1

On Wed, Aug 01, 2012 at 10:43:08AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <carnil@debian.org>, 2012-08-01, 01:21:
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >52 sub http_connect {
> >53     my($self, $cnf) = @_;
> >54     if ($self->isa("Net::SSL")) {
> >55     if ($cnf->{SSL_verify_mode}) {
> >56         if (my $f = $cnf->{SSL_ca_file}) {
> >57         $ENV{HTTPS_CA_FILE} = $f;
> >58         }
> >59         if (my $f = $cnf->{SSL_ca_path}) {
> >60         $ENV{HTTPS_CA_DIR} = $f;
> >61         }
> >62     }
> >63     if ($cnf->{SSL_verifycn_scheme}) {
> >64         $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment     variable to 0";
> >65         return undef;
> >66     }
> >67     }
> >68     $self->SUPER::configure($cnf);
> >69 }
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >
> >Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
> 
> Correct. It's been always like that with Crypt::SSLeay: if you
> wanted to verify certificates you had to jump through many
> un(der)documented hops. Recently LWP added an extra one...
> 
> >Furthermore Net::HTTPS itself prefers IO::Socket::SSL over
> >Net::SSL if it is available.
> 
> Right. And that one if straight-forward to use. Ideally,
> applications should stop using Crypt::SSLeay wherever possible.

Yes right.

> >checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
> >turn depends on libnet-http-perl.
> 
> It's simpler than that. The Depends chain currently (both in wheezy
> and unstable) is:
> 
> checkgmail -> libwww-perl -> liblwp-protocol-https-perl -> libio-socket-ssl-perl
> 
> Which makes me wonder how the submitter managed to trigger the bug
> in the first place...

Yes this is strange. Wonder if PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
was set in the environment before starting checkgmail? I haven't found
another possiblity (yet) to force this error elsewise in a VM installing
checkgmail.

It doesen't work elsewise to try to reproduce the user reported
problem, as you pointed out removing libio-socket-ssl-perl will remove
checkgmail too.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#622917; Package libcrypt-ssleay-perl. (Sat, 04 Aug 2012 16:18:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sat, 04 Aug 2012 16:18:03 GMT) Full text and rfc822 format available.

Message #72 received at 622917@bugs.debian.org (full text, mbox):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 622917@bugs.debian.org
Subject: checkgmail: Fails with "Error: 500 Can't connect to www.google.com:443 (Crypt-SSLeay can't verify hostnames)"
Date: Sat, 4 Aug 2012 18:14:32 +0200
[Message part 1 (text/plain, inline)]
Control: tags -1 +  unreproducible moreinfo
Control: rename -1 checkgmail: Fails with "Error: 500 Can't connect to www.google.com:443 (Crypt-SSLeay can't verify hostnames)"
Control: reassign -1 checkgmail
Control: found -1 1.13+svn43-2
Control: notforwarded -1

Hi Sandro

After some time giving back to checkgmail. See the whole arguing with
Jakub Wilk, in particular the last part then. The dependency chain of
checkgmail forces libio-socket-ssl-perl installation, so it is unclear
how reporter managed to trigger that.

On Thu, Aug 02, 2012 at 04:54:16PM +0200, Salvatore Bonaccorso wrote:
> > >checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
> > >turn depends on libnet-http-perl.
> > 
> > It's simpler than that. The Depends chain currently (both in wheezy
> > and unstable) is:
> > 
> > checkgmail -> libwww-perl -> liblwp-protocol-https-perl -> libio-socket-ssl-perl
> > 
> > Which makes me wonder how the submitter managed to trigger the bug
> > in the first place...
> 
> Yes this is strange. Wonder if PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
> was set in the environment before starting checkgmail? I haven't found
> another possiblity (yet) to force this error elsewise in a VM installing
> checkgmail.
> 
> It doesen't work elsewise to try to reproduce the user reported
> problem, as you pointed out removing libio-socket-ssl-perl will remove
> checkgmail too.

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Added tag(s) unreproducible and moreinfo. Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Sat, 04 Aug 2012 16:18:03 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libcrypt-ssleay-perl' to 'checkgmail'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Sat, 04 Aug 2012 16:18:04 GMT) Full text and rfc822 format available.

Marked as found in versions checkgmail/1.13+svn43-2. Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Sat, 04 Aug 2012 16:18:04 GMT) Full text and rfc822 format available.

Unset Bug forwarded-to-address Request was from Salvatore Bonaccorso <carnil@debian.org> to 622917-submit@bugs.debian.org. (Sat, 04 Aug 2012 16:18:05 GMT) Full text and rfc822 format available.

Changed Bug title to 'checkgmail: Fails with Error: 500 Can't connect to www.google.com:443 (Crypt-SSLeay can't verify hostnames)' from 'libcrypt-ssleay-perl: Missing dependency on liblwp-protocol-https-perl' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 04 Aug 2012 16:30:05 GMT) Full text and rfc822 format available.

Removed tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 04 Aug 2012 21:09:03 GMT) Full text and rfc822 format available.

Changed Bug submitter to 'Jakub Lucký <jakub@jakublucky.cz>' from 'Jakub Lucký <jakub@jakublucky.cz>' Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Thu, 21 Mar 2013 21:28:20 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 11:49:00 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.