Debian Bug report logs - #761635
liblwpx-paranoidagent-perl: does not pass the right combination of parameters to IO::Socket::SSL for SNI

version graph

Package: liblwpx-paranoidagent-perl; Maintainer for liblwpx-paranoidagent-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for liblwpx-paranoidagent-perl is src:liblwpx-paranoidagent-perl (PTS, buildd, popcon).

Reported by: Simon McVittie <smcv@debian.org>

Date: Mon, 15 Sep 2014 09:27:01 UTC

Severity: grave

Tags: patch, upstream

Found in version liblwpx-paranoidagent-perl/1.10-4

Fixed in version liblwpx-paranoidagent-perl/1.10-5

Done: Hilko Bengen <bengen@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/csirtgadgets/LWPx-ParanoidAgent/issues/14

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#761635; Package liblwpx-paranoidagent-perl. (Mon, 15 Sep 2014 09:27:06 GMT) (full text, mbox, link).

Acknowledgement sent to Simon McVittie <smcv@debian.org>:
New Bug report received and forwarded. Copy sent to Hilko Bengen <bengen@debian.org>. (Mon, 15 Sep 2014 09:27:06 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Simon McVittie <smcv@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: liblwpx-paranoidagent-perl: does not pass the right combination of parameters to IO::Socket::SSL for SNI
Date: Mon, 15 Sep 2014 10:25:02 +0100
Package: liblwpx-paranoidagent-perl
Version: 1.10-4
Severity: normal
Tags: patch upstream

IkiWiki user 'Chap' reported on
<http://ikiwiki.info/plugins/openid/troubleshooting/> that LWPx::Protocol
does not work with https servers that rely on SNI, because
IO::Socket::SSL ignores the PeerHost parameter if PeerAddr is also specified:

https://github.com/noxxi/p5-io-socket-ssl/commit/4f83a3cd85458bd2141f0a9f22f787174d51d587#diff-1

and suggested this patch:

--- LWPx/Protocol/http_paranoid.pm    2014-09-08 03:33:00.000000000 -0400
+++ LWPx/Protocol/http_paranoid.pm    2014-09-08 03:33:27.000000000 -0400
@@ -73,6 +73,7 @@
        close($el);
         $sock = $self->socket_class->new(PeerAddr => $addr,
                                          PeerHost => $host,
+                                         SSL_hostname => $host,
                                          PeerPort => $port,
                                          Proto    => 'tcp',
                                          Timeout  => $conn_timeout,

Please consider applying that change and/or forwarding it upstream.

Thanks,
    S

Set Bug forwarded-to-address to 'https://github.com/csirtgadgets/LWPx-ParanoidAgent/issues/14'. Request was from Simon McVittie <smcv@debian.org> to control@bugs.debian.org. (Thu, 18 Sep 2014 07:51:09 GMT) (full text, mbox, link).

Information forwarded to debian-bugs-dist@lists.debian.org, Hilko Bengen <bengen@debian.org>:
Bug#761635; Package liblwpx-paranoidagent-perl. (Tue, 18 Nov 2014 06:21:19 GMT) (full text, mbox, link).

Acknowledgement sent to Antoine Beaupré <anarcat@debian.org>:
Extra info received and forwarded to list. Copy sent to Hilko Bengen <bengen@debian.org>. (Tue, 18 Nov 2014 06:21:19 GMT) (full text, mbox, link).

Message #12 received at 761635@bugs.debian.org (full text, mbox, reply):

From: Antoine Beaupré <anarcat@debian.org>
To: Debian Bug Tracking System <761635@bugs.debian.org>
Subject: Re: liblwpx-paranoidagent-perl: does not pass the right combination of parameters to IO::Socket::SSL for SNI
Date: Tue, 18 Nov 2014 01:20:31 -0500
Package: liblwpx-paranoidagent-perl
Version: 1.10-4
Followup-For: Bug #761635
Control: severity -1 grave

This package is still broken for me. This one-line patch fixes the
problem, and I believe it should be shipped with Jessie. It would be a
shame for Perl in Debian to join this wall of shame:

https://en.wikipedia.org/wiki/Server_Name_Indication#No_support

... especially since I believe it would be a regression from
wheezy. SNI has been a IETF standard since 2003 and in Apache since
2009.

I'd be glad to make a NMU to publish this and ask for an unblock
request for the RT.

I tested the patch and it works flawlessly.

Thanks!

A.

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages liblwpx-paranoidagent-perl depends on:
ii  ca-certificates       20141019
ii  libcrypt-ssleay-perl  0.58-1+b2
ii  libnet-dns-perl       0.80.2-2
ii  libwww-perl           6.08-1
ii  perl                  5.20.1-2

liblwpx-paranoidagent-perl recommends no packages.

liblwpx-paranoidagent-perl suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/share/perl5/LWPx/Protocol/http_paranoid.pm (from liblwpx-paranoidagent-perl package)

Severity set to 'grave' from 'normal' Request was from Antoine Beaupré <anarcat@debian.org> to 761635-submit@bugs.debian.org. (Tue, 18 Nov 2014 06:21:19 GMT) (full text, mbox, link).

Reply sent to Hilko Bengen <bengen@debian.org>:
You have taken responsibility. (Tue, 18 Nov 2014 22:09:25 GMT) (full text, mbox, link).

Notification sent to Simon McVittie <smcv@debian.org>:
Bug acknowledged by developer. (Tue, 18 Nov 2014 22:09:25 GMT) (full text, mbox, link).

Message #19 received at 761635-close@bugs.debian.org (full text, mbox, reply):

From: Hilko Bengen <bengen@debian.org>
To: 761635-close@bugs.debian.org
Subject: Bug#761635: fixed in liblwpx-paranoidagent-perl 1.10-5
Date: Tue, 18 Nov 2014 22:04:22 +0000
Source: liblwpx-paranoidagent-perl
Source-Version: 1.10-5

We believe that the bug you reported is fixed in the latest version of
liblwpx-paranoidagent-perl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 761635@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hilko Bengen <bengen@debian.org> (supplier of updated liblwpx-paranoidagent-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 18 Nov 2014 22:22:17 +0100
Source: liblwpx-paranoidagent-perl
Binary: liblwpx-paranoidagent-perl
Architecture: source all
Version: 1.10-5
Distribution: unstable
Urgency: medium
Maintainer: Hilko Bengen <bengen@debian.org>
Changed-By: Hilko Bengen <bengen@debian.org>
Description:
 liblwpx-paranoidagent-perl - a "paranoid" subclass of LWP::UserAgent
Closes: 761635
Changes:
 liblwpx-paranoidagent-perl (1.10-5) unstable; urgency=medium
 .
   * Added patch for passing the right parameters through IO::Socket::SSL
     (Closes: #761635)
Checksums-Sha1:
 53238b356127ec988dad28cffb3bbf3bb8a691d8 1267 liblwpx-paranoidagent-perl_1.10-5.dsc
 abdc456af93751755899ddeb64e736f2c3fd2233 3520 liblwpx-paranoidagent-perl_1.10-5.debian.tar.xz
 3ad3204686ef60a79f73e10c208fb575ef727999 18272 liblwpx-paranoidagent-perl_1.10-5_all.deb
Checksums-Sha256:
 a4df07b4c4df03875b8e863d36b4f951d9dd4c46e5b4fd21de1e7614dcc89a81 1267 liblwpx-paranoidagent-perl_1.10-5.dsc
 4b34310dfd56c4ed6bd724306c016eba75d0567b8c17e882543db4ee5afb1c9c 3520 liblwpx-paranoidagent-perl_1.10-5.debian.tar.xz
 91ce3316cdd8804d69d640e92c5033c5dc5bda880c90ce672288fefb13268821 18272 liblwpx-paranoidagent-perl_1.10-5_all.deb
Files:
 0ac38d6714c009821c8f5bb85d217d80 1267 perl optional liblwpx-paranoidagent-perl_1.10-5.dsc
 7e8c3c24ea2609079577f80f2b6cfb5f 3520 perl optional liblwpx-paranoidagent-perl_1.10-5.debian.tar.xz
 cc71f1eed2d198644f43229cf006e097 18272 perl optional liblwpx-paranoidagent-perl_1.10-5_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlRrvzcACgkQUCgnLz/SlGhY/QCglaiUg4fZFTvdmcOtS76yQj/C
SzMAoJY1UyKVDGNHNGVzUuFHRDnI1AEJ
=jn38
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 22 Dec 2014 07:28:55 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 22:51:56 2024; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.