Bug#525962: libgnutls26 makes apt-transport-https fail with ssl key/cert client authentication

Simon Josefsson simon at josefsson.org
Tue Apr 28 08:08:26 UTC 2009


Marco Amadori <amadorim at vdavda.com> writes:

> Package: libgnutls26
> Severity: important
> Version: 2.4.2-6+lenny1
> Tags: lenny
>
> When using apt-transport-https to fetch packages from a https web server 
> configured with required client authentication (apt options Acquire::
> {CaInfo,SslCert,SslKey}), an apt-operation will fail with a misleading message:
>
> ---- * ----
> # apt-get update
> [...]
> Err https://debian.<privateurl> lenny/main Packages
>   Sub-process bzip2 returned an error code (2)
> Fetched 140B in 0s (248B/s)
> W: GPG error: https://debian.<privateurl> lenny Release:  The following 
> signatures were invalid: NODATA 1 NODATA 2
> W: Failed to fetch https://debian.<privateurl>/debian/dists/lenny/main/binary-
> i386/Packages.bz2  Sub-process bzip2 returned an error code (2)
>
> E: Some index files failed to download, they have been ignored, or old ones 
> used instead.
> ---- * ----
>
> Upgrading libgnutls26 to sid's 2.6.5-1 fixes the problem.
>
> If I disable client authentication on the web server, leaving just https 
> server authentication (via the cacert), it works even with lenny's version.
>
> This bug should probably be mentioned on apt-transport-https bug entries too 
> since the error reported is misleading and since testing curl via command line 
> with --cacert, --cert and --key just works (with the same .pem files specified 
> in apt.conf*.)

Can you get apt-transport-https to generate debug logs?  If there isn't
code in it already, you may need to add something like this:

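#include <stdio.h>
#include <gnutls/gnutls.h>

/* Log callback: print each GnuTLS debug message to stderr with its level. */
static void
tls_log_func (int level, const char *str)
{
  fprintf (stderr, "|<%d>| %s", level, str);
}

  /* In the initialisation code, before the TLS handshake: */
  gnutls_global_set_log_function (tls_log_func);
  gnutls_global_set_log_level (4711);  /* very high level: log everything */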

It is difficult to debug this further without the information printed by
the gnutls log.

Thanks,
/Simon




