[Bug 2055398] Re: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)
Thanks Graham for the quick turnaround here! Looks like builds are all green now; any chance to get this merged? :) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2055398 Title: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2055398] Re: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)
Debian have updated to 3.1.10 in experimental, but if that's not an option for noble, the following one-line cmakefile change could also be backported: https://github.com/AcademySoftwareFoundation/Imath/pull/361/files -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2055398 Title: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 2055398] [NEW] Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)
Public bug reported: Debian have reverted the dependency of libimath-dev on python3-imap and applied a fix from upstream: https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=1061327 Aside from the reasons outlined there, this also cuts down on a lot of dependency clutter, because installing e.g. ImageMagick will otherwise pull in python3-numpy with a hefty install size (44 MB): # aptitude why python3.11 i libmagickwand-dev Depends libmagickwand-6.q16-dev i A libmagickwand-6.q16-dev Depends libmagickcore-6.q16-dev (= 8:6.9.12.98+dfsg1-5) i A libmagickcore-6.q16-dev Depends libopenexr-dev i A libopenexr-dev Depends libimath-dev (>= 3.1.2) i A libimath-devDepends python3-imath i A python3-imath Depends python3-numpy (>= 1:1.22.0) i A python3-numpy Depends python3.11:any i A python3.11 Provides python3.11:any ** Affects: imath (Ubuntu) Importance: Undecided Status: New ** Affects: imath (Debian) Importance: Unknown Status: Unknown ** Bug watch added: Debian Bug tracker #1061327 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061327 ** Also affects: imath (Debian) via https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061327 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2055398 Title: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Regression for GMail after libssl upgrade with TLSv1.3
> So this means the servers that require SNI when using TLSv1.3 can not (any longer?) be accessed by their direct ip address, their hostname *must* be used. SNI, per RFC 6066 is not allowed for IP addresses, so servers couldn't require it (this is not new in TLSv1.3): "Literal IPv4 and IPv6 addresses are not permitted in "HostName"." The change in TLSv1.3 is that servers *may* now require SNI, and Google chose to do so for GMail's IMAP servers. It's still possible to connect to IP addresses using TLSv1.3, the server just can't mandate SNI, but that's not a regression per se. Either way, SNI is useless for an IP address - the client is already connecting to a literal IP address, so the server could, if desired, return a matching certificate without having to resort to "HostName", and that hasn't changed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Regression for GMail after libssl upgrade with TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3
Another small update to the patch, just in case anyone wants to build it against OpenSSL versions older than 1.0.2 (let's say on Ubuntu 12.04). It now checks for the OpenSSL version instead of for SSL_CTRL_SET_TLSEXT_HOSTNAME (which has been around since 0.9.8.something, so this change is safe in that regard). The a2i_IPADDRESS function was introduced in 1.0.2; the patch calls it to determine if the ServerName TLS extension info should be set (SNI is not allowed for IP addresses, just for hostnames). For anything before OpenSSL 1.0.2 (because a2i_IPADDRESS is not available there), SNI wouldn't be done. Since nothing before OpenSSL 1.1.1 supports TLSv1.3 anyway (and that's when the problem occurs in the first place), that approach seems better. P.S. have the info on a2i_IPADDRESS version availability from https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc, which does even more extra correct things for ancient OpenSSL versions, but that doesn't apply to Ubuntu. ** Patch added: "uw-imap-sni.v3.patch" https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5281308/+files/uw-imap-sni.v3.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Possible regression on libssl upgrade when using TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3
** Patch removed: "uw-imap-sni.patch" https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280829/+files/uw-imap-sni.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Possible regression on libssl upgrade when using TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3
New patch that's RFC 6066 compliant (SNI may only be done for hostnames, not for IP addresses). ** Patch added: "new patch, RFC6066 compliant" https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280961/+files/uw-imap-sni.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Possible regression on libssl upgrade when using TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3
Here's a patch. Before, when connecting to GMail IMAP with PHP: root@39f3acd3838c:/app# php -r 'imap_open("{imap.gmail.com:993/imap/ssl}INBOX", "user", "pass") or die(imap_last_error());' Warning: imap_open(): Couldn't open stream {imap.googlemail.com:993/imap/ssl}INBOX in /app/imap.php on line 6 Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid After the patch (the auth error is correct for those credentials obviously): root@00b5d649f707:/app# php -r 'imap_open("{imap.gmail.com:993/imap/ssl}INBOX", "user", "pass") or die(imap_last_error());' Warning: imap_open(): Couldn't open stream {imap.googlemail.com:993/imap/ssl}INBOX in /app/imap.php on line 5 Can not authenticate to IMAP server: [AUTHENTICATIONFAILED] Invalid credentials (Failure) There is a similar patch at https://bugs.debian.org/cgi- bin/bugreport.cgi?bug=916041, but that uses an OpenSSL version check instead of the IMO better #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME ** Bug watch added: Debian Bug tracker #916041 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916041 ** Patch added: "uw-imap-sni.patch" https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280829/+files/uw-imap-sni.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Possible regression on libssl upgrade when using TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3
For some clarification: this is due to the upgrade to openssl 1.1.1 in bionic-upgrades, which includes TLSv1.3 support. This leads to connections being negotiated als TLSv1.3, and Google's IMAP servers reject the connection (by returning an invalid certificate with a message) if the attempt is not using SNI. Here is a simple way to reproduce this, without a PHP script or anything: $ apt-get install uw-mailutils $ mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX" This will work if the OpenSSL 1.1.0 library is installed, but fail if 1.1.1 is there: root@e6e4f3531a65:/app# mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid Certificate failure for imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix your client./CN=invalid2.invalid root@e6e4f3531a65:/app# openssl version OpenSSL 1.1.0g 2 Nov 2017 (Library: OpenSSL 1.1.1 11 Sep 2018) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1834340 Title: Possible regression on libssl upgrade when using TLSv1.3 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs