[Pkg-bazaar-maint] Bug#850960: bzr: doesn't support SNI (breaks alioth.d.o)

Asbjørn Sloth Tønnesen asbjorn at asbjorn.st
Wed Jan 11 16:15:09 UTC 2017


Package: bzr
Severity: normal

Hi,

Let's try to fetch the source for a Debian package:

> $ apt source sqsh
> Reading package lists... Done
> Selected version '2.1.7-4' (jessie) for sqsh
> NOTICE: 'sqsh' packaging is maintained in the 'Bzr' version control system at:
> nosmart+http://bzr.debian.org/bzr/users/vorlon/sqsh/trunk/
> Please use:
> bzr branch nosmart+http://bzr.debian.org/bzr/users/vorlon/sqsh/trunk/
> to retrieve the latest (possibly unreleased) updates to the package.
> Need to get 866 kB of source archives.
> Get:3 http://mirror.easyspeedy.com/debian jessie/main sqsh 2.1.7-4 (diff) [70.5 kB]
> 13% [Working]^C

Non-git? Really? Well, let's try to fetch it anyway:

> $ bzr branch nosmart+http://bzr.debian.org/bzr/users/vorlon/sqsh/trunk/
> nosmart+http://bzr.debian.org/bzr/users/vorlon/sqsh/trunk/ is redirected to nosmart+https+urllib://bzr.debian.org/bzr/users/vorlon/sqsh/trunk/
> bzr: ERROR: ssl.CertificateError: hostname 'bzr.debian.org' doesn't match either of '*.alioth.debian.org', 'alioth.debian.org'

Hmm. https://bzr.debian.org/ redirects to https://anonscm.debian.org/bzr/, let's try with that directly:

> $ bzr branch nosmart+https://anonscm.debian.org/bzr/users/vorlon/sqsh/trunk/
> bzr: ERROR: ssl.CertificateError: hostname 'anonscm.debian.org' doesn't match either of '*.alioth.debian.org', 'alioth.debian.org'

I have verified with Wireshark that the root cause is that bzr doesn't set SNI in the TLS handshake.


Notes for fixing bzr access on alioth
=====================================

A server-side fix for alioth could be to have the Let's Encrypt cert without the
wildcard be the default, and then require SNI for getting the wildcard cert,
unless other stuff needs the wildcard to be the default non-SNI cert.

Workaround: fetching the repo through loggerhead works:
bzr branch https://alioth.debian.org/scm/loggerhead/users/vorlon/sqsh/trunk

So maybe just updating the text of https://anonscm.debian.org/bzr/?

-- 
Best regards
Asbjørn Sloth Tønnesen

