
Bug#1029588: bts: Changes in libio-socket-ssl-perl 2.078 make bts fail to send mail to mail-server via SSL/TLS - hostname verification failed


Daniel Leidert

Jan 24, 2023, 10:00:05 PM
Package: devscripts
Version: 2.22.2
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I'm running a mail server. The server is using wildcard-certificates issued by
letsencrypt (but the same issue happens with a dedicated certificate). Since
the last update of libio-socket-ssl-perl, whenever I try to send mails via the
bts command, I receive the following error:

bts: failed to open SMTPS connection to smtps://mail.wgdd.de
(hostname verification failed)

Same happens if I use TLS. I checked the certificates and I cannot find any
issues. All other tools work well. If I downgrade libio-socket-ssl-perl to
version 2.077-1, everything works fine. The main change between versions 2.077
and 2.078 in libio-socket-ssl-perl is:

2.078 2022/12/11
- revert decision from 2014 to not verify hostname by default if hostname is
IP address but no explicit verification scheme given
https://github.com/noxxi/p5-io-socket-ssl/issues/121

I found some hints that Net::SMTPS, used by bts, does not support
SSL_verifycn_scheme smtp. But this is not my expertise. I'd just like to see
bts fixed and being able to send mail to a mailserver via SSL/TLS.

Issues with SSL support in bts have come up multiple times. I remember that I
even had to patch some code myself in the past to make it work. There are even
now patches (e.g. #853991), which might improve the situation. But like this,
bts is unusable.

Regards, Daniel



-- System Information:
Debian Release: bookworm/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libio-socket-ssl-perl depends on:
ii libnet-ssleay-perl 1.92-2+b1
ii netbase 6.4
ii perl 5.36.0-7

Versions of packages libio-socket-ssl-perl recommends:
pn libio-socket-ip-perl | libio-socket-inet6-perl <none>
ii libnet-idn-encode-perl 2.500-3+b1
ii libnet-libidn-perl 0.12.ds-4+b1
ii liburi-perl 5.17-1
ii perl-base [libsocket-perl] 5.36.0-7

Versions of packages libio-socket-ssl-perl suggests:
ii ca-certificates 20211016

-- no debconf information


Lee Garrett

Feb 14, 2023, 4:40:04 PM
Bumped severity as this makes bts currently unusable, and probably
breaks for quite a few DDs their workflow.

Lee Garrett

Mar 22, 2023, 10:40:04 AM
On Sat, 18 Mar 2023 17:06:08 +0100 Dominique Dumont <d...@debian.org> wrote:
> On Tue, 14 Feb 2023 22:21:26 +0100 Lee Garrett <deb...@rocketjump.eu> wrote:
> > Bumped severity as this makes bts currently unusable, and probably
> > breaks for quite a few DDs their workflow.
>
> This does not break on my system where bts is connected to local sendmail (which is the default setup).
>
> Which hints at a workaround: have bts connect to local sendmail and have sendmail forward the mail to the SMTPS server.

While this setup might work for some people, this has IMHO quite a few hefty
drawbacks and requires me to maintain a MTA on my local machine. I could
elaborate, but I don't think it's on-topic for this bug report.

>
> The change mentioned by Daniel affects only a setup where the host is configured via its IP address, not via a host name:
> See the change in SSL.pm in commit
> https://github.com/noxxi/p5-io-socket-ssl/commit/c0a063b70f0a3ad033da0a51923c65bd2ff118a0

While Daniel did mention this commit (which might or might not be related to the
issue), bts fails on a configured SMTPS hostname which otherwise correctly
validates with other MUA.

>
> Which is not the case here:
>
> $ perl -S -MDevel::SimpleTrace bts --smtp-host smtps://mail.wgdd.de usertag 1029588 + dod-test-with-tls
> bts: failed to open SMTPS connection to smtps://mail.wgdd.de
> (hostname verification failed)
> at main::send_mail(mail.wgdd.de)
> at main::mailbtsall(/usr/bin/bts:2839)
> at main::(/usr/bin/bts:825)
>
> Unfortunately, I can no longer investigate this issue as it looks like that my IP address is now blacklisted on Daniel's server:
>
> $ perl -MDevel::SimpleTrace scripts/bts.pl --smtp-host smtps://mail.wgdd.de usertag 1029588 + dod-test-with-tls
> bts.pl: failed to open SMTPS connection to smtps://mail.wgdd.de
> (Connection refused)
> at main::send_mail(mail.wgdd.de)
> at main::mailbtsall(scripts/bts.pl:2849)
> at main::(scripts/bts.pl:834)
>
> On a hunch, I would guess that Daniel's server is configured to handle STARTTLS, which is not supported by bts. But I cannot verify this.
> In any case this does not explain why Daniel sees bts working with libio-socket-ssl-perl 2.077 but not with 2.078.

I'm sure that bts supports STARTTLS. I am using bts with my MTA on 587/tcp,
which enforces STARTTLS and requires credentials (I just double-checked via
swaks). With the old libio-socket-ssl-perl 2.069-1 this works, so it's clearly a
regression.

>
> All the best

Greetings,
Lee

Daniel Leidert

Apr 5, 2023, 2:20:04 PM
Hi,

On Wednesday, 29.03.2023 at 18:42 +0200, Dominique Dumont wrote:
>
> Turns out that Perl module Net::SMTP supports SSL since 2014 [1], but
> bts still uses Net::SMTPS which is an old wrapper around Net::SMTP.
>
> I've patched bts to use Net::SMTP instead of Net::SMTPS and I can
> connect to Daniel's server:

I'm really sorry for not getting back earlier. I was just too busy.


I'll test the updated package asap.

Thank you so much for working on this.

Regards, Daniel
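The following Perl script is an added example and is not code from this bug report, from devscripts or from bts. It shows the two things the thread turns on: first a bare TLS handshake with IO::Socket::SSL, with the verification scheme and expected name given explicitly, to tell a certificate or hostname-verification failure apart from an SMTP problem; then the SMTP session opened through Net::SMTP 3.x with its built-in SSL support (the replacement for the Net::SMTPS wrapper that Dominique proposes). The host name and port are placeholders taken from the command line; the CA path is the Debian ca-certificates location, and the `ssl_options` and `check_tls_hostname` names are this example's own.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from devscripts/bts.
# Diagnoses "hostname verification failed" and shows a Net::SMTP-based
# SMTPS connection with explicit, defender-side hostname verification.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use Net::SMTP 3.0;   # SSL support is built into Net::SMTP since 3.0 (2014)

# Placeholders: the report used smtps://mail.wgdd.de on 465/tcp.
my $host = $ARGV[0] // 'mail.example.invalid';
my $port = $ARGV[1] // 465;

# Verification options passed through to IO::Socket::SSL. Since 2.078 an
# IP address given as the host is verified against the certificate too,
# so SSL_verifycn_name must carry the DNS name the certificate was issued
# for (a wildcard certificate covers only one label of that name).
sub ssl_options {
    my ($expected_name) = @_;
    return (
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'smtp',           # SMTP name-matching rules
        SSL_verifycn_name   => $expected_name,   # name expected in the cert
        SSL_ca_path         => '/etc/ssl/certs', # Debian ca-certificates
    );
}

# Step 1: raw TLS handshake to isolate certificate/name problems from SMTP
# problems. Returns (1, subject) on success or (0, error message).
sub check_tls_hostname {
    my ($h, $p, $expected_name) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost => $h,
        PeerPort => $p,
        Timeout  => 15,
        ssl_options($expected_name),
    );
    return (0, IO::Socket::SSL::errstr() || "$!") unless $sock;
    my $subject = $sock->peer_certificate('subject') // '(no subject)';
    $sock->close;
    return (1, "certificate subject: $subject");
}

my ($ok, $detail) = check_tls_hostname($host, $port, $host);
print $ok ? "TLS handshake and name check ok ($detail)\n"
          : "TLS handshake failed: $detail\n";
exit 1 unless $ok;

# Step 2: the SMTP session itself via Net::SMTP with SSL => 1 (implicit
# TLS, what bts calls smtps://). For a submission port that requires
# STARTTLS, connect without SSL and call $smtp->starttls(ssl_options($host)).
my $smtp = Net::SMTP->new(
    $host,
    Port    => $port,
    SSL     => 1,
    Timeout => 30,
    ssl_options($host),
) or die "SMTPS connection to $host:$port failed: ",
         ($@ || IO::Socket::SSL::errstr() || 'unknown error'), "\n";

printf "Connected, server banner: %s\n", $smtp->banner // '';
$smtp->quit;
```

Run it as `perl check-smtps.pl mail.example.invalid 465`. If step 1 already fails with a hostname-verification error while `openssl s_client` or swaks succeeds against the same host, the difference is almost always the name or scheme handed to IO::Socket::SSL, which is exactly what the old Net::SMTPS wrapper cannot express.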