Hi Jakub (I'm Cc'ing the bugreport for the release-team and Philipp Kern directly)
Thanks a lot for helping bringing some light into this issue!
I convinced now, that adding liblwp-protocol-https-perl to
(build-)dependencies for libcrypt-ssleay-perl should not be needed[1]
(we can close the request to the release team, AFAICS), and is not the
cause of this checkmail Problem.
[1] Even if this is done upstream for Crypt::SSLeay 0.60, which has
other reasons it is done, namely[2]:
[2]:
http://search.cpan.org/diff?from=Crypt-SSLeay-0.58&to=Crypt-SSLeay-0.59_02&w=1
On Wed, Aug 01, 2012 at 10:43:08AM +0200, Jakub Wilk wrote:
> * Salvatore Bonaccorso <car...@debian.org>, 2012-08-01, 01:21:
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >52 sub http_connect {
> >53 my($self, $cnf) = @_;
> >54 if ($self->isa("Net::SSL")) {
> >55 if ($cnf->{SSL_verify_mode}) {
> >56 if (my $f = $cnf->{SSL_ca_file}) {
> >57 $ENV{HTTPS_CA_FILE} = $f;
> >58 }
> >59 if (my $f = $cnf->{SSL_ca_path}) {
> >60 $ENV{HTTPS_CA_DIR} = $f;
> >61 }
> >62 }
> >63 if ($cnf->{SSL_verifycn_scheme}) {
> >64 $@ = "Net::SSL from Crypt-SSLeay can't verify hostnames; either
> >install IO::Socket::SSL or turn off verification by setting the
> >PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0";
> >65 return undef;
> >66 }
> >67 }
> >68 $self->SUPER::configure($cnf);
> >69 }
> >----cut---------cut---------cut---------cut---------cut---------cut-----
> >
> >Which suggests: If you need to verify hostnames, use IO::Socket::SSL.
>
> Correct. It's been always like that with Crypt::SSLeay: if you
> wanted to verify certificates you had to jump through many
> un(der)documented hops. Recently LWP added an extra one...
>
> >Furthermore Net::HTTPS itself prefers IO::Socket::SSL over
> >Net::SSL if it is available.
>
> Right. And that one if straight-forward to use. Ideally,
> applications should stop using Crypt::SSLeay wherever possible.
Yes right.
> >checkgmail Depends on libwww-perl for LWP::UserAgent, which on his
> >turn depends on libnet-http-perl.
>
> It's simpler than that. The Depends chain currently (both in wheezy
> and unstable) is:
>
> checkgmail -> libwww-perl -> liblwp-protocol-https-perl ->
> libio-socket-ssl-perl
>
> Which makes me wonder how the submitter managed to trigger the bug
> in the first place...
Yes this is strange. Wonder if PERL_NET_HTTPS_SSL_SOCKET_CLASS=Net::SSL
was set in the environment before starting checkgmail? I haven't found
another possiblity (yet) to force this error elsewise in a VM installing
checkgmail.
It doesen't work elsewise to try to reproduce the user reported
problem, as you pointed out removing libio-socket-ssl-perl will remove
checkgmail too.
Regards,
Salvatore
signature.asc
Description: Digital signature
