* Salvatore Bonaccorso <car...@debian.org>, 2012-08-01, 01:21:
----cut---------cut---------cut---------cut---------cut---------cut-----
52 sub http_connect {
53 my($self, $cnf) = @_;
54 if ($self->isa("Net::SSL")) {
55 if ($cnf->{SSL_verify_mode}) {
56 if (my $f = $cnf->{SSL_ca_file}) {
57 $ENV{HTTPS_CA_FILE} = $f;
58 }
59 if (my $f = $cnf->{SSL_ca_path}) {
60 $ENV{HTTPS_CA_DIR} = $f;
61 }
62 }
63 if ($cnf->{SSL_verifycn_scheme}) {
64 $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either install
IO::Socket::SSL or turn off verification by setting the PERL_LWP_SSL_VERIFY_HOSTNAME
environment variable to 0";
65 return undef;
66 }
67 }
68 $self->SUPER::configure($cnf);
69 }
----cut---------cut---------cut---------cut---------cut---------cut-----
Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
Correct. It's been always like that with Crypt::SSLeay: if you wanted to
verify certificates you had to jump through many un(der)documented hops.
Recently LWP added an extra one...
Furthermore Net::HTTPS itself prefers IO::Socket::SSL over Net::SSL if
it is available.
Right. And that one if straight-forward to use. Ideally, applications
should stop using Crypt::SSLeay wherever possible.
At this point now I'm confused and I'm thinking libcrypt-ssleay-perl
does not need the dependency on liblwp-protocol-https-perl.
Yeah, it's not Crypt::SSLeay using LWP::Protocol::https, but the other
way round. Also, I can image that you could you Crypt::SSLeay without
LWP at all.
checkgmail Depends on libwww-perl for LWP::UserAgent, which on his turn
depends on libnet-http-perl.
It's simpler than that. The Depends chain currently (both in wheezy and
unstable) is:
checkgmail -> libwww-perl -> liblwp-protocol-https-perl -> libio-socket-ssl-perl
Which makes me wonder how the submitter managed to trigger the bug in
the first place...
--
Jakub Wilk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
