Control: reassign -1 sendxmpp 1.23-1.1
Control: severity -1 important
Control: retitle -1 sendxmpp: sendxmpp can't send message with TLS/SSL without passing -tls-ca-path

On Wed, 28 Jun 2017 00:09:12 +0200, Markus Gschwendt wrote:

> > > Maybe I miss something obvious, but IMHO the bug should 1/ be
> > > reassigned to sendxmpp itself. Then the question is if sendxmpp
> > > should be patched actually (if so it might need to depend on
> > > ca-certificates), or "just" document when
> > > -tls-ca-path="/etc/ssl/certs" needs to be passed.
> If people don't like to use SSL (which i would consider as a bad idea
> these days) they also don't want a dependency on ca-certificates. So it
> should be a 'recommended package'.

I think that's not really an option, as what we are seeing here, and
that's the start of the bug report, is that there are servers which
enforce TLS/SSL. (But maybe I'm wrong here.)

> > Ack, AFAICS Net::XMPP fixed a bug (ignoring the path to the certs)
> > and this triggered the necessity for sendxmpp to set it (by the user
> > or in the code).
> I'd like to have the default set in Net::XMPP debian package to have it
> available in several applications which use this library.

I don't see a place of/for default values there, and I still think
it's the wrong place. Net::XMPP::Connection offers a Connect() method
(which is used by sendxmpp [0]) which optionally offers to set some
TLS/SSL parameters. They can also be left out but saying "yes we want
TLS/SSL but we don't tell you where to find the certs", as sendxmpp
does, breaks later in the underlying XML::Stream.

Or in other words: I think sendxmpp is just using
Net::XMPP::Connection wrong.

> Maybe in sendxmpp too.

I'm still sure that it belongs there because it is sendxmpp which
sets tls-ca-path explicitly to an empty value which then causes
havoc.

BTW, in the meantime I think it belongs in line

    80  $$cmdline{'tls-ca-path'} || $$config{'tls-ca-path'} || '/etc/ssl/certs',

Alternatively, just dropping the empty string seems to work too:

    80  $$cmdline{'tls-ca-path'} || $$config{'tls-ca-path'},

Conclusion:
So far we only see problems with sendxmpp; sendxmpp is not broken
(manually setting the parameters works) but is sub-optimal: it would
profit from either setting a default path or not setting an empty
path (!). And the fix is easy as well.

Therefore I'm now reassigning the bug to sendxmpp and lowering the
severity.

Cheers,
gregor

[0] Arguably a bad idea, as that's an internal module according to
its documentation but anyway.

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Element of Crime: Moonlight
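
The fallback chain discussed in the message above, as an added example (not code from sendxmpp or from this thread): it compares the empty-string ending with the proposed default, and shows the CA path key being left out rather than passed empty. The helper names, the option hash layout and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Default directory taken from the fix proposed in the message above.
my $DEFAULT_CA_PATH = '/etc/ssl/certs';

# Behaviour described in the message (inferred from "dropping the empty
# string"): the chain ends in '', so an unset option becomes an empty path.
sub ca_path_before {
    my ($cmdline, $config) = @_;
    return $cmdline->{'tls-ca-path'} || $config->{'tls-ca-path'} || '';
}

# First proposed fix: fall back to a default. '' is false for ||, so an
# empty command-line or config value also falls through to the default.
sub ca_path_after {
    my ($cmdline, $config) = @_;
    return $cmdline->{'tls-ca-path'} || $config->{'tls-ca-path'} || $DEFAULT_CA_PATH;
}

# Hypothetical helper: build TLS options for a connect call. The CA path key
# is left out when no path is known (the second proposed fix) and the script
# stops early if the directory cannot be read.
sub tls_options {
    my ($ca_path) = @_;
    my %opts = (tls => 1);
    return %opts unless defined $ca_path && length $ca_path;
    die "CA path '$ca_path' is not a readable directory\n"
        unless -d $ca_path && -r _;
    return (%opts, 'tls-ca-path' => $ca_path);
}

# Constructed sample inputs: [label, command-line options, config options].
my @cases = (
    [ 'nothing set',      {},                      {} ],
    [ 'config only',      {},                      { 'tls-ca-path' => '/etc/ssl/certs' } ],
    [ 'empty on cmdline', { 'tls-ca-path' => '' }, {} ],
);

for my $case (@cases) {
    my ($label, $cmdline, $config) = @$case;
    my $before = ca_path_before($cmdline, $config);
    my $after  = ca_path_after($cmdline, $config);
    my %opts   = eval { tls_options($after) };
    my $status = $@ ? "rejected: $@" : join(', ', map { "$_=$opts{$_}" } sort keys %opts) . "\n";
    printf "%-17s before='%s' after='%s' -> %s", $label, $before, $after, $status;
}
```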