Bug#826039: liblwp-protocol-https-perl: Two versions of https.pm (6.06) have different contents and one always checks certificates

Niko Tyni ntyni at debian.org
Fri Jun 3 13:13:57 UTC 2016


Control: severity -1 normal
Control: tags -1 =

On Wed, Jun 01, 2016 at 08:27:10PM +0100, Adrian Edwards wrote:
> Package: liblwp-protocol-https-perl
> Version: 6.06-2
> Severity: grave
> Tags: newcomer patch
> Justification: renders package unusable

> Trying to use $ENV{PERL_LWP_SSL_VERIFY_HOSTNAME} = 0; within a perl script to prevent verification of a self-signed
> certificate, the script worked sometimes and not others on different Debian 8 installs. Did a bunch
> of installs of minimal system, added packages and modules (apt-get and CPAN) and the module ALWAYS wanted
> to verify the cert and didn't honour the environment variable to ignore the check.

> After a huge amount of wasted time I discovered there are two versions of the protocol module, both have
> the same version number 6.06 but the contents of the files are different.
> 
> 	/usr/local/share/perl/5.20.2/LWP/Protocol/https.pm    Correct/Works
> 	/usr/share/perl5/LWP/Protocol/https.pm    In Error / Always fails the check

Hi, first of all: packages installed with apt get installed in /usr/share
and /usr/lib (vendorlib and vendorarch). Modules installed with the
cpan shell go into /usr/local (sitelib and sitearch) and are first on
the search path, so it's possible to override packaged versions with
newer ones from CPAN if desired.

The difference between the two files on your system is because of patches
in the Debian package. You can find those in the source package under
debian/patches, or on the web at for instance
 https://sources.debian.net/src/liblwp-protocol-https-perl/6.06-2/debian/patches/

It looks like your issue comes from
746579-fix-peer-certificate-verification.patch, which is an intentional
change: PERL_LWP_SSL_VERIFY_HOSTNAME now only affects hostname
verification in the certificate, but doesn't disable certificate checking
completely like in the CPAN version. There's a long related discussion
in https://github.com/libwww-perl/lwp-protocol-https/pull/14 if you're
interested.

Disabling certificate checking completely should still be possible, at
least by explicitly passing both SSL_verify_mode => 0 and verify_hostname
=> 0 to LWP::UserAgent->new() in ssl_opts. PERL_LWP_SSL_VERIFY_HOSTNAME
in the environment can be used for the latter option.

The same version number in the files is unfortunate: the Perl/CPAN
versioning scheme doesn't offer a version suffix or anything like that
for downstream packagers, and we can't really steal upstream version
numbers that might get used there later.

While there's clearly room for documenting things better, this doesn't
make the package unusable in the general case. I'm therefore lowering
the severity of this bug.
-- 
Niko Tyni   ntyni at debian.org
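As an added diagnostic, not part of this bug report or of the Debian package, the script below probes one HTTPS URL with the three levels of ssl_opts discussed in the reply, so a user can see whether a failure is a hostname mismatch (where verify_hostname => 0, i.e. PERL_LWP_SSL_VERIFY_HOSTNAME=0, is enough) or an untrusted certificate chain (where the patched Debian module also needs SSL_verify_mode => 0). The URL argument, the timeout and the level labels are assumptions of the example.

```perl
#!/usr/bin/perl
# Added example (not from the bug report or the Debian package): probe an
# HTTPS URL with progressively weaker LWP ssl_opts and report the first
# level at which the request succeeds. Written against the Debian-patched
# liblwp-protocol-https-perl 6.06 described above, where verify_hostname
# only relaxes the hostname check and SSL_verify_mode controls chain checking.
use strict;
use warnings;
use LWP::UserAgent;

my $url = shift @ARGV or die "usage: $0 https://host/path\n";

# Ordered from the secure default down to no verification at all.
# verify_hostname => 1 is set explicitly at level 1 so that a
# PERL_LWP_SSL_VERIFY_HOSTNAME=0 in the caller's environment cannot
# silently weaken the baseline probe.
my @levels = (
    [ 'level 1: full verification (chain + hostname)'
        => { verify_hostname => 1 } ],
    [ 'level 2: chain verified, hostname check off (verify_hostname => 0)'
        => { verify_hostname => 0 } ],
    [ 'level 3: no verification (SSL_verify_mode => 0, verify_hostname => 0)'
        => { verify_hostname => 0, SSL_verify_mode => 0 } ],
);

for my $level (@levels) {
    my ($label, $opts) = @$level;
    my $ua  = LWP::UserAgent->new(timeout => 10, ssl_opts => $opts);
    my $res = $ua->head($url);   # HEAD is enough to complete the TLS handshake

    printf "%-70s %s\n", $label, $res->status_line;

    # LWP reports TLS failures as an internally generated 500 response
    # carrying a Client-Warning header; anything else means the handshake
    # itself went through, so this level is the one the certificate needs.
    my $tls_failed = $res->code == 500
        && ($res->header('Client-Warning') // '') eq 'Internal response';
    next if $tls_failed;

    print "\nFirst working level: $label\n";
    print "  -> hostname in the certificate does not match $url\n" if $label =~ /level 2/;
    print "  -> certificate chain is not trusted by the system CA store\n" if $label =~ /level 3/;
    exit 0;
}

print "\nAll levels failed; the problem is not certificate verification.\n";
exit 1;
```

Level 3 exists only to tell the two failure classes apart; a script that needs to talk to a self-signed endpoint permanently would rather be pointed at that certificate through ssl_opts than run with verification off.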