Bug#525962: libgnutls26 makes apt-transport-https fail with ssl key/cert client authentication
Simon Josefsson
simon at josefsson.org
Tue Apr 28 08:08:26 UTC 2009
Marco Amadori <amadorim at vdavda.com> writes:
> Package: libgnutls26
> Severity: important
> Version: 2.4.2-6+lenny1
> Tags: lenny
>
> When using apt-transport-https to fetch packages from a https web server
> configured with required client authentication (apt options Acquire::
> {CaInfo,SslCert,SslKey}), an apt-operation will fail with misleading message:
>
> ---- * ----
> # apt-get update
> [...]
> Err https://debian.<privateurl> lenny/main Packages
> Sub-process bzip2 returned an error code (2)
> Fetched 140B in 0s (248B/s)
> W: GPG error: https://debian.<privateurl> lenny Release: The following
> signatures were invalid: NODATA 1 NODATA 2
> W: Failed to fetch https://debian.<privateurl>/debian/dists/lenny/main/binary-
> i386/Packages.bz2 Sub-process bzip2 returned an error code (2)
>
> E: Some index files failed to download, they have been ignored, or old ones
> used instead.
> ---- * ----
>
> Upgrading to libgnutls26 to sid's 2.6.5-1 fixes the problem.
>
> If I disable client authentication on the web server, leaving just https
> server authentication (via the cacert), it works even with lenny's version.
>
> This bug should be probably mentioned on apt-transport-https bug entries too
> since the error reported is misleading and since testing curl via command line
> with --cacert, --cert and --key just works (with the same .pem files specified
> in apt.conf*.)
Can you get apt-transport-https to generate debug logs? If there isn't
code in it already, you may need to add something like this:
    #include <stdio.h>
    #include <gnutls/gnutls.h>

    /* Print every GnuTLS log message to stderr, prefixed with its level. */
    static void
    tls_log_func (int level, const char *str)
    {
      fprintf (stderr, "|<%d>| %s", level, str);
    }

    /* Install the callback once, e.g. right after gnutls_global_init (): */
    gnutls_global_set_log_function (tls_log_func);
    gnutls_global_set_log_level (4711);
It is difficult to debug this further without the information printed by
the gnutls log.
Thanks,
/Simon
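For reference, the apt side of the setup the report describes (client-certificate authentication against an https mirror), together with the apt debug switch that prints what the https method is doing, as an added example that is not part of the original thread. The host name and file paths are placeholders; Debug::Acquire::https is an apt.conf option, assumed here to be available in the apt version in question.

```conf
// /etc/apt/apt.conf.d/50https-client-auth (placeholder paths)

// CA that signed the mirror's server certificate (server authentication).
Acquire::https::CaInfo  "/etc/apt/certs/mirror-ca.pem";

// Client certificate and private key the server requires (client authentication).
// Removing these two lines reproduces the "server auth only" case the reporter
// says works with lenny's libgnutls26.
Acquire::https::SslCert "/etc/apt/certs/client.pem";
Acquire::https::SslKey  "/etc/apt/certs/client.key";

// Make the https method report each request it makes, so a failing fetch shows
// up as a TLS/HTTP error rather than only as the misleading bzip2 message.
Debug::Acquire::https "true";
```

The Debug switch shows apt's view of the transfer; the GnuTLS-level trace Simon asks for still requires the log callback inside the method itself.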