Control: tag -1 + unreproducible

On Sun, 28 Jan 2024 09:07:00 +0100, Christian Marillat wrote:

> uscan from devscripts package fails to verify certificates after upgrading
> to liblwp-protocol-https-perl 6.12-1

Thanks for your bug report.

> ,----
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/pcre/ failed: 500 SSL upgrade failed:
> hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/mjpeg/ failed: 500 SSL upgrade failed:
> hostname verification failed
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags failed: 500 SSL upgrade
> failed: SSL connect attempt failed error:0A000410:SSL routines::sslv3 alert
> handshake failure
> | uscan warn: In watchfile debian/watch, reading webpage
> | https://qa.debian.org/watch/sf.php/synfig/ failed: 500 SSL upgrade
> failed: hostname verification failed
> `----

I was a bit skeptical that these issues come from
liblwp-protocol-https-perl, as the changes between 6.11 and 6.12 are
small[0], and the errors sound like different issues:

- "hostname verification failed" might be the change in HTTP::Tiny …
  or no, as that validates SSL certs; the error "hostname verification
  failed" comes from libio-socket-ssl-perl
- "routines::sslv3 alert handshake failure" sounds like an openssl
  configuration thing

Interestingly I can't reproduce the issue which makes diving into the
problem a bit hard:

% cat qa-sf-watch
version=4
https://qa.debian.org/watch/sf.php/pcre/ .*@ANY_VERSION@@ARCHIVE_EXT@
% cat gitlab-watch
version=4
https://gitlab.com/AOMediaCodec/SVT-AV1/-/tags .*@ANY_VERSION@@ARCHIVE_EXT@
% for w in qa-sf-watch gitlab-watch; do uscan --report --watchfile $w --package abc --upstream-version 123; done
%

Does it work for you if you downgrade liblwp-protocol-https-perl to
6.11-1 from testing? If yes, which of the two hunks from [0] is
causing the problem?

Do the errors from qa.debian.org go away if you run uscan as
"PERL_LWP_SSL_VERIFY_HOSTNAME=1 uscan …"?

Does anyone else reading along have any ideas? Cheers, gregor [0] diff --git a/lib/LWP/Protocol/https.pm b/lib/LWP/Protocol/https.pm index 16fce19..01a800b 100644 --- a/lib/LWP/Protocol/https.pm +++ b/lib/LWP/Protocol/https.pm @@ -56,7 +56,7 @@ EOT } } $self->{ssl_opts} = \%ssl_opts; - return (%ssl_opts, $self->SUPER::_extra_sock_opts); + return (%ssl_opts, MultiHomed => 1, $self->SUPER::_extra_sock_opts); } # This is a subclass of LWP::Protocol::http. @@ -96,9 +96,12 @@ sub _get_sock_info if ( $Net::HTTPS::SSL_SOCKET_CLASS->can('start_SSL')) { *_upgrade_sock = sub { my ($self,$sock,$url) = @_; + # SNI should be passed there only if it is not an IP address. + # Details: https://github.com/libwww-perl/libwww-perl/issues/449#issuecomment-1896175509 + my $host = $url->host_port() =~ m/:|^[\d.]+$/s ? undef : $url->host(); $sock = LWP::Protocol::https::Socket->start_SSL( $sock, SSL_verifycn_name => $url->host, - SSL_hostname => $url->host, + SSL_hostname => $host, $self->_extra_sock_opts, ); $@ = LWP::Protocol::https::Socket->errstr if ! $sock; -- .''`. https://info.comodo.priv.at -- Debian Developer https://www.debian.org : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06 `. `' Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe `-
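Review bot: in the first hunk (the return of `_extra_sock_opts`), `MultiHomed => 1` sits before `$self->SUPER::_extra_sock_opts` in the returned list, so a `MultiHomed` key coming from the parent class would appear later in the list and win once it is used as a hash. If the setting is meant to be forced, put it last; if it is meant as a default, say so. The addition also carries no comment, unlike the SNI change in the second hunk, and it is not recorded in `$self->{ssl_opts}`. A one-line comment on why multi-homed connects are switched on would help, since this changes how the TCP connection is made and not only the TLS options.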
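Review bot: in the second hunk (`_upgrade_sock`), the IP-address test is run against `$url->host_port()`, not `$url->host`, and `host_port` in URI returns the host and the port joined by a colon. The `:` alternative in `m/:|^[\d.]+$/s` therefore matches ordinary hostnames too, not just IPv6 literals, and `$host` comes out `undef`, so `SSL_hostname` is no longer set to the name for the very case the comment says should still get SNI. Suggest matching on `$url->host` instead, so that `:` only catches IPv6 literals and `^[\d.]+$` only dotted IPv4, and adding a test that covers a named host, an IPv4 address and an IPv6 address on this upgrade path.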