[Bug 2055398] Re: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)

2024-03-26 Thread David Zuelke 
Thanks Graham for the quick turnaround here!

Looks like builds are all green now; any chance to get this merged? :)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2055398

Title:
  Please drop libimath-dev dependency on python3-imath (fixed upstream
  in Debian)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2055398] Re: Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)

2024-03-03 Thread David Zuelke 
Debian have updated to 3.1.10 in experimental, but if that's not an
option for noble, the following one-line cmakefile change could also be
backported:
https://github.com/AcademySoftwareFoundation/Imath/pull/361/files

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2055398

Title:
  Please drop libimath-dev dependency on python3-imath (fixed upstream
  in Debian)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 2055398] [NEW] Please drop libimath-dev dependency on python3-imath (fixed upstream in Debian)

2024-02-29 Thread David Zuelke 
Public bug reported:

Debian have reverted the dependency of libimath-dev on python3-imap and
applied a fix from upstream: https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=1061327

Aside from the reasons outlined there, this also cuts down on a lot of
dependency clutter, because installing e.g. ImageMagick will otherwise
pull in python3-numpy with a hefty install size (44 MB):

# aptitude why python3.11
i   libmagickwand-dev   Depends  libmagickwand-6.q16-dev
i A libmagickwand-6.q16-dev Depends  libmagickcore-6.q16-dev (= 
8:6.9.12.98+dfsg1-5)
i A libmagickcore-6.q16-dev Depends  libopenexr-dev
i A libopenexr-dev  Depends  libimath-dev (>= 3.1.2)
i A libimath-devDepends  python3-imath
i A python3-imath   Depends  python3-numpy (>= 1:1.22.0)
i A python3-numpy   Depends  python3.11:any
i A python3.11  Provides python3.11:any

** Affects: imath (Ubuntu)
 Importance: Undecided
 Status: New

** Affects: imath (Debian)
 Importance: Unknown
 Status: Unknown

** Bug watch added: Debian Bug tracker #1061327
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061327

** Also affects: imath (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061327
   Importance: Unknown
   Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2055398

Title:
  Please drop libimath-dev dependency on python3-imath (fixed upstream
  in Debian)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/imath/+bug/2055398/+subscriptions


-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Regression for GMail after libssl upgrade with TLSv1.3

2019-08-14 Thread David Zuelke 
> So this means the servers that require SNI when using TLSv1.3 can not
(any longer?) be accessed by their direct ip address, their hostname
*must* be used.

SNI, per RFC 6066 is not allowed for IP addresses, so servers couldn't
require it (this is not new in TLSv1.3):

"Literal IPv4 and IPv6 addresses are not permitted in "HostName"."

The change in TLSv1.3 is that servers *may* now require SNI, and Google
chose to do so for GMail's IMAP servers.

It's still possible to connect to IP addresses using TLSv1.3, the server
just can't mandate SNI, but that's not a regression per se.

Either way, SNI is useless for an IP address - the client is already
connecting to a literal IP address, so the server could, if desired,
return a matching certificate without having to resort to "HostName",
and that hasn't changed.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Regression for GMail after libssl upgrade with TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/asterisk/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3

2019-08-06 Thread David Zuelke 
Another small update to the patch, just in case anyone wants to build it
against OpenSSL versions older than 1.0.2 (let's say on Ubuntu 12.04).

It now checks for the OpenSSL version instead of for
SSL_CTRL_SET_TLSEXT_HOSTNAME (which has been around since
0.9.8.something, so this change is safe in that regard). The
a2i_IPADDRESS function was introduced in 1.0.2; the patch calls it to
determine if the ServerName TLS extension info should be set (SNI is not
allowed for IP addresses, just for hostnames).

For anything before OpenSSL 1.0.2 (because a2i_IPADDRESS is not
available there), SNI wouldn't be done.

Since nothing before OpenSSL 1.1.1 supports TLSv1.3 anyway (and that's
when the problem occurs in the first place), that approach seems better.

P.S. have the info on a2i_IPADDRESS version availability from
https://github.com/python/cpython/commit/e9370a47389903bb72badc95032ec84a0ebbf8cc,
which does even more extra correct things for ancient OpenSSL versions,
but that doesn't apply to Ubuntu.

** Patch added: "uw-imap-sni.v3.patch"
   
https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5281308/+files/uw-imap-sni.v3.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Possible regression on libssl upgrade when using TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3

2019-08-05 Thread David Zuelke 
** Patch removed: "uw-imap-sni.patch"
   
https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280829/+files/uw-imap-sni.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Possible regression on libssl upgrade when using TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3

2019-08-05 Thread David Zuelke 
New patch that's RFC 6066 compliant (SNI may only be done for hostnames,
not for IP addresses).

** Patch added: "new patch, RFC6066 compliant"
   
https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280961/+files/uw-imap-sni.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Possible regression on libssl upgrade when using TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3

2019-08-04 Thread David Zuelke 
Here's a patch.

Before, when connecting to GMail IMAP with PHP:

root@39f3acd3838c:/app# php -r
'imap_open("{imap.gmail.com:993/imap/ssl}INBOX", "user", "pass") or
die(imap_last_error());'

Warning: imap_open(): Couldn't open stream 
{imap.googlemail.com:993/imap/ssl}INBOX in /app/imap.php on line 6
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No 
SNI provided; please fix your client./CN=invalid2.invalid

After the patch (the auth error is correct for those credentials
obviously):

root@00b5d649f707:/app# php -r
'imap_open("{imap.gmail.com:993/imap/ssl}INBOX", "user", "pass") or
die(imap_last_error());'

Warning: imap_open(): Couldn't open stream 
{imap.googlemail.com:993/imap/ssl}INBOX in /app/imap.php on line 5
Can not authenticate to IMAP server: [AUTHENTICATIONFAILED] Invalid credentials 
(Failure)

There is a similar patch at https://bugs.debian.org/cgi-
bin/bugreport.cgi?bug=916041, but that uses an OpenSSL version check
instead of the IMO better #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME

** Bug watch added: Debian Bug tracker #916041
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916041

** Patch added: "uw-imap-sni.patch"
   
https://bugs.launchpad.net/ubuntu/+source/uw-imap/+bug/1834340/+attachment/5280829/+files/uw-imap-sni.patch

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Possible regression on libssl upgrade when using TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1834340] Re: Possible regression on libssl upgrade when using TLSv1.3

2019-07-26 Thread David Zuelke 
For some clarification: this is due to the upgrade to openssl 1.1.1 in
bionic-upgrades, which includes TLSv1.3 support. This leads to
connections being negotiated als TLSv1.3, and Google's IMAP servers
reject the connection (by returning an invalid certificate with a
message) if the attempt is not using SNI.

Here is a simple way to reproduce this, without a PHP script or
anything:

$ apt-get install uw-mailutils
$ mailutil check "{imap.googlemail.com:993/imap/ssl}INBOX"

This will work if the OpenSSL 1.1.0 library is installed, but fail if
1.1.1 is there:

root@e6e4f3531a65:/app# mailutil check 
"{imap.googlemail.com:993/imap/ssl}INBOX"Certificate failure for 
imap.googlemail.com: self signed certificate: /OU=No SNI provided; please fix 
your client./CN=invalid2.invalid
Certificate failure for imap.googlemail.com: self signed certificate: /OU=No 
SNI provided; please fix your client./CN=invalid2.invalid
root@e6e4f3531a65:/app# openssl version
OpenSSL 1.1.0g  2 Nov 2017 (Library: OpenSSL 1.1.1  11 Sep 2018)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1834340

Title:
  Possible regression on libssl upgrade when using TLSv1.3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php-imap/+bug/1834340/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs