
Bug#739678: wheezy-pu: package resource-agents/1:3.9.2-5+deb7u2



Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

[Martin Loschwitz <madkiss@debian.org> (CC'ed via X-Debbugs-CC), as
this request of mine has quite a short timeframe between first opening
the bug report and also asking for a pu]

When migrating from Squeeze to Wheezy, ldirectord fails to test HTTPS
real servers due to LWP::UserAgent's hostname verification being
enabled by default (from Wheezy on).

This is reported in the BTS as https://bugs.debian.org/739608

As there was also a longer-standing RC bug #724116, I have uploaded an
NMU (to the delayed/5 queue!) also fixing #739608 to unstable, but it
has not entered the archive yet.

The fix takes the upstream commit, which disables hostname verification
again, allowing checking by IP only again.

Attached is the proposed debdiff for wheezy. Could it be included in the
next wheezy point release?

Regards,
Salvatore
diff -Nru resource-agents-3.9.2/debian/changelog resource-agents-3.9.2/debian/changelog
--- resource-agents-3.9.2/debian/changelog	2013-01-06 23:49:52.000000000 +0100
+++ resource-agents-3.9.2/debian/changelog	2014-02-21 10:35:08.000000000 +0100
@@ -1,3 +1,15 @@
+resource-agents (1:3.9.2-5+deb7u2) wheezy; urgency=medium
+
+  * Non-maintainer upload.
+  * Add 0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch patch.
+    Fixes "ldirectord: fails to test HTTPS real servers". HTTPS checks with
+    request/receive will fail under newer versions of the LWP module due to
+    certificate name checking being enabled by default. This disables the
+    check again so that service checking by IP only still succeeds.
+    (Closes: #739608)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 21 Feb 2014 10:33:52 +0100
+
 resource-agents (1:3.9.2-5+deb7u1) testing-proposed-updates; urgency=low
 
   * Non-maintainer upload.
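Review bot: the changelog entry says the check is disabled "so that service checking by IP only still succeeds", but the patch it describes turns `verify_hostname` off for every LWP::UserAgent that ldirectord's check_http builds, whether the real server is configured by IP or by name, and with no configuration knob to turn it back on. Since this is a behaviour change shipped in a stable update, the entry (and a NEWS.Debian note) should state plainly that HTTPS real-server checks no longer validate the server certificate at all, rather than only that "the check" is disabled.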
diff -Nru resource-agents-3.9.2/debian/patches/0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch resource-agents-3.9.2/debian/patches/0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch
--- resource-agents-3.9.2/debian/patches/0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch	1970-01-01 01:00:00.000000000 +0100
+++ resource-agents-3.9.2/debian/patches/0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch	2014-02-21 10:35:08.000000000 +0100
@@ -0,0 +1,51 @@
+From 68fad38326b7c04efd6434e736e32fe395eafe02 Mon Sep 17 00:00:00 2001
+From: Matthew Newton <mcn4@leicester.ac.uk>
+Date: Fri, 11 Oct 2013 10:43:40 +0100
+Subject: [PATCH] Disable HTTPS SSL certificate hostname checking, tidy debug
+ output
+
+HTTPS checks with request/receive will fail under newer versions of the
+LWP module due to certificate name checking being enabled by default. This
+disables the check again so that service checking by IP only still succeeds.
+
+Additional debug output shows the Status line so that it is easier to find out
+why the service is down. Debug output tidied up when SSL values are not set
+(usually if there has been an error, or the host is unreachable).
+---
+ ldirectord/ldirectord.in | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/ldirectord/ldirectord.in
++++ b/ldirectord/ldirectord.in
+@@ -2816,7 +2816,7 @@
+ 	&ld_debug(2, "check_http: url=\"$$r{url}\" "
+ 		. "virtualhost=\"$virtualhost\"");
+ 
+-	my $ua = new LWP::UserAgent();
++	my $ua = new LWP::UserAgent(ssl_opts => { verify_hostname => 0 });
+ 
+ 	my $h = undef;
+ 	if ($$v{service} eq "http_proxy") {
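Review bot: `ssl_opts => { verify_hostname => 0 }` on the `+` line is applied unconditionally to every UserAgent check_http creates, not only to HTTPS checks of real servers addressed by IP, and LWP::UserAgent's own documentation of this option says that when it is false no checks are made, so an HTTPS check now accepts any certificate (self-signed, expired, or issued to any name) from whatever answers on the real server's address. If the intent is only to stop the name comparison against the IP in the URL, the narrower fix is to keep `verify_hostname` on and pass the configured `$virtualhost` (already available a few lines above, see the ld_debug call) as the name to verify, i.e. `SSL_verifycn_name => $virtualhost` in the same `ssl_opts` hash, or at least to make the opt-out a per-virtual-service setting rather than a hard-coded default. Style nit: `new LWP::UserAgent(...)` is indirect-object syntax; `LWP::UserAgent->new(...)` is the form the LWP documentation uses.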
+@@ -2857,14 +2857,16 @@
+ 	}
+ 
+ 	if ($$v{service} eq "https") {
+-		&ld_debug(2, "SSL-Cipher: " .
+-			$res->header('Client-SSL-Cipher'));
+-		&ld_debug(2, "SSL-Cert-Subject: " .
+-			$res->header('Client-SSL-Cert-Subject'));
+-		&ld_debug(2, "SSL-Cert-Issuer: " .
+-			$res->header('Client-SSL-Cert-Issuer'));
++                &ld_debug(2, "SSL-Cipher: " .
++                        ($res->header('Client-SSL-Cipher') || '<not set>'));
++                &ld_debug(2, "SSL-Cert-Subject: " .
++                        ($res->header('Client-SSL-Cert-Subject') || '<not set>'));
++                &ld_debug(2, "SSL-Cert-Issuer: " .
++                        ($res->header('Client-SSL-Cert-Issuer') || '<not set>'));
+ 	}
+ 
++	&ld_debug(2, "Return status: " . $res->status_line);
++
+ 	my $recstr = $$r{receive};
+ 	if ($res->is_success && (!($recstr =~ /.+/) ||
+ 				$res->content =~ /$recstr/)) {
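Review bot: the six replacement lines for the SSL-Cipher/SSL-Cert-Subject/SSL-Cert-Issuer debug output are indented with spaces while the lines they replace and the surrounding code use tabs, so this hunk changes whitespace style as well as content and will be a nuisance for the next merge; re-indent with tabs. The `|| '<not set>'` fallbacks and the new unconditional `Return status:` line are fine. Note that with verification switched off in the hunk above, the Client-SSL-Cert-Subject and Client-SSL-Cert-Issuer lines are now the only place an operator can see which certificate the check accepted, so it is worth keeping them at a level that is actually consulted when a service flaps.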
diff -Nru resource-agents-3.9.2/debian/patches/series resource-agents-3.9.2/debian/patches/series
--- resource-agents-3.9.2/debian/patches/series	2013-01-02 04:35:00.000000000 +0100
+++ resource-agents-3.9.2/debian/patches/series	2014-02-21 10:35:08.000000000 +0100
@@ -3,3 +3,4 @@
 CVE-2010-3389--bug598549.patch
 mysql-path.patch
 fix-gethostinfo-v2.patch
+0001-Disable-HTTPS-SSL-certificate-hostname-checking-tidy.patch
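An added example, not part of this bug report or of ldirectord's code, showing the weak setting from the patch beside two alternatives for the same kind of check: LWP's default full verification (which fails here because the certificate name is compared with the IP in the URL) and a configuration that keeps verification on but verifies the certificate against the configured virtualhost instead. The address 192.0.2.10, the name www.example.com and the CA directory /etc/ssl/certs are constructed placeholders; the script needs a reachable HTTPS server at that address to actually exercise the three cases.

```perl
#!/usr/bin/perl
# Added example (not ldirectord's code): three ways a check_http-style probe can
# build its LWP::UserAgent for a real server that is addressed by IP but serves a
# certificate issued to the virtualhost name.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Constructed sample values (assumptions, not taken from the bug report).
my $REAL_SERVER = '192.0.2.10';       # TEST-NET-1 address, placeholder
my $VIRTUALHOST = 'www.example.com';  # name the certificate is issued to
my $CA_PATH     = '/etc/ssl/certs';   # Debian system CA directory (assumed)

# LWP >= 6 default (what Wheezy ships): verify chain and hostname. The name
# is compared against the URL host, i.e. the IP, so the check fails.
sub ua_default {
    return LWP::UserAgent->new(timeout => 5);
}

# What the debdiff does: verify_hostname => 0. Per the LWP::UserAgent docs,
# no checks are made when this is false, so any certificate is accepted.
sub ua_patch {
    return LWP::UserAgent->new(
        timeout  => 5,
        ssl_opts => { verify_hostname => 0 },
    );
}

# Alternative that keeps verification: extra SSL_* keys in ssl_opts are
# passed through to IO::Socket::SSL, so tell it which name the certificate
# must carry (SSL_verifycn_name) and which CAs to trust.
sub ua_verified {
    my ($virtualhost, $ca_path) = @_;
    return LWP::UserAgent->new(
        timeout  => 5,
        ssl_opts => {
            verify_hostname   => 1,
            SSL_verifycn_name => $virtualhost,
            SSL_ca_path       => $ca_path,
        },
    );
}

# Mirrors the relevant part of check_http: GET the URL, send the virtualhost
# in the Host header, log status line and the certificate that was presented,
# and apply the same "is_success and content matches receive" rule.
sub probe {
    my ($ua, $url, $virtualhost, $receive) = @_;
    my $req = HTTP::Request->new(GET => $url);
    $req->header(Host => $virtualhost) if defined $virtualhost;
    my $res = $ua->request($req);
    printf "%-18s %s\n", 'Return status:',
        $res->status_line;
    printf "%-18s %s\n", 'SSL-Cert-Subject:',
        $res->header('Client-SSL-Cert-Subject') || '<not set>';
    printf "%-18s %s\n", 'SSL-Cert-Issuer:',
        $res->header('Client-SSL-Cert-Issuer') || '<not set>';
    my $ok = $res->is_success
        && (!defined $receive || $res->content =~ /$receive/);
    return $ok ? 1 : 0;
}

my $url = "https://$REAL_SERVER/";
for my $case (
    [ default  => ua_default() ],
    [ patch    => ua_patch() ],
    [ verified => ua_verified($VIRTUALHOST, $CA_PATH) ],
) {
    my ($name, $ua) = @$case;
    print "== $name ==\n";
    my $up = probe($ua, $url, $VIRTUALHOST, undef);
    print "real server is ", ($up ? 'UP' : 'DOWN'), "\n\n";
}
```

With a real server whose certificate is valid for www.example.com, the `default` case reports a certificate verify failure in the status line, `patch` reports 200 whatever certificate is served, and `verified` reports 200 only when the chain validates against the CA directory and the name matches the configured virtualhost.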