Hey Jakub On Tue, Jul 31, 2012 at 10:28:16AM +0200, Jakub Wilk wrote: > * Salvatore Bonaccorso <car...@debian.org>, 2012-07-31, 08:38: > >>libcrypt-ssleay-perl -> liblwp-protocol-https-perl -> > >>libio-socket-ssl-perl -> libnet-ssleay-perl > > > >Could you help me here? I don't get it yet. libcrypt-ssleay-perl > >and libnet-ssleay-perl are from two different source packages. > > Bah, you're right. I can't read. :)
Okay thanks. I was not sure if I miss something else :)
I had a bit a look at the issue you mentioned:
The manpage for Crypt::SSLeay has:
The "Crypt::SSLeay" package provides "Net::SSL", which is loaded by
"LWP::Protocol::https" for https
requests and provides the necessary SSL glue.
But: we had the missing the dependency for LWP::Protocol::https until
0.58-1. The above seems not clear.
Looking at the dependencies for liblwp-protocol-https-perl I see there
is libnet-http-perl in the Depends. In Net::HTTPS then the following:
----cut---------cut---------cut---------cut---------cut---------cut-----
52 sub http_connect {
53 my($self, $cnf) = @_;
54 if ($self->isa("Net::SSL")) {
55 if ($cnf->{SSL_verify_mode}) {
56 if (my $f = $cnf->{SSL_ca_file}) {
57 $ENV{HTTPS_CA_FILE} = $f;
58 }
59 if (my $f = $cnf->{SSL_ca_path}) {
60 $ENV{HTTPS_CA_DIR} = $f;
61 }
62 }
63 if ($cnf->{SSL_verifycn_scheme}) {
64 $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
install IO::Socket::SSL or turn off verification by setting the
PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
65 return undef;
66 }
67 }
68 $self->SUPER::configure($cnf);
69 }
----cut---------cut---------cut---------cut---------cut---------cut-----
Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
Furthermore Net::HTTPS itself prefers IO::Socket::SSL over Net::SSL if
it is available.
At this point now I'm confused and I'm thinking libcrypt-ssleay-perl
does not need the dependency on liblwp-protocol-https-perl.
checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
turn depends on libnet-http-perl. libnet-http-perl has according the
above a *Recommends* on libio-socket-ssl-perl to have hostname
verification working. Btw, this was added in [1].
[1]:
http://anonscm.debian.org/gitweb/?p=pkg-perl/packages/libnet-http-perl.git;a=commitdiff;h=8231ef0cf6eb3c14fe55f9323077f31abf95c904
Looking at it seems okay to me to have libio-socket-ssl-perl in
Recommends for libnet-http-perl (and not Depends) at first glance.
checkgmail now uses libwww-perl which has verify_hostname set to 1 by
default:
----cut---------cut---------cut---------cut---------cut---------cut-----
=item PERL_LWP_SSL_VERIFY_HOSTNAME
The default C<verify_hostname> setting for C<LWP::UserAgent>. If
not set the default will be 1. Set it as 0 to disable hostname
verification (the default prior to libwww-perl 5.840.
----cut---------cut---------cut---------cut---------cut---------cut-----
... and this reminds me now[2].
[2]: http://bugs.debian.org/669126
Furthermore I suspect the original bugreporter had installed
checkgmail without installing Recommends, is this correct? Furthermore
indeed reporter had libwww-perl 6.01-3 installed, so one which has set
the verify_hostname by default).
As the above is a bit confusing I try to summarize:
1/ Adding liblwp-protocol-https-perl dependencies to
libcrypt-ssleay-perl seems wrong.
2/ libnet-http-perl recommends libio-socket-ssl-perl which is correct,
as it supports both Net::SSL as IO::Socket::SSL, but if you want
hostname verification you need IO::Socket::SSL.
3/ libwww-perl (>= 6.01-1) sets the verify_hostname by default.
4/ checkgmail uses implicity libwww-perl (which has verify_hostname
set by default). But if checkgmail is now installed on a system
which does not install recommends there is a discrepancy as
libwww-perl set's the verification, but libnet-http-perl will not
install libio-socket-ssl-perl.
This is what I have so far. Any comments from others?
Regards,
Salvatore
signature.asc
Description: Digital signature
