Bug#525962: libgnutls26 makes apt-transport-https fail with ssl key/cert client authentication
Marco Amadori
amadorim at vdavda.com
Tue Apr 28 09:47:48 UTC 2009
On Tuesday 28 April 2009, 10:08:26, you wrote:
> Can you get apt-transport-https to generate debug logs?
Yes, I attached a log after adding 'Debug::Acquire::https "true";' to the apt-conf.d/<mystuff> file.
> If there isn't
> code in it already, you may need to add something like this:
I cannot add this in a simple way, main method/https.cc just invokes
"curl_global_init(CURL_GLOBAL_SSL) ;"
> It is difficult to debug this further without the information printed by
> the gnutls log.
I hope that the attached log could be enough.
--
ESC:wq
-------------- next part --------------
Hit http://develop2 lenny Release.gpg
* About to connect() to <random.url.com> port 443 (#0)
* Trying <publicip>... * connected
* Connected to <random.url.com> (<publicip>) port 443 (#0)
Hit http://develop2 lenny Release
* found 1 certificates in /etc/apt/certs/<random.url.com>-cacert.pem
Ign http://develop2 lenny/main Packages/DiffIndex
Hit http://develop2 lenny/main Packages
* server certificate verification OK
* common name: <random.url.com> (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* start date: Wed, 22 Apr 2009 13:02:50 GMT
* expire date: Thu, 22 Apr 2010 13:02:50 GMT
* issuer: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /debian/dists/lenny/Release.gpg HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.7.21)
Host: <random.url.com>
Accept: */*
Cache-Control: max-age=0
* gnutls_handshake() failed: Decryption has failed.
* GnuTLS recv error (-10): The specified session has been invalidated for some reason.
* Connection #0 to host <random.url.com> left intact
* Connection #0 seems to be dead!
* Closing connection #0
* About to connect() to <random.url.com> port 443 (#0)
* Trying <publicip>... * connected
* Connected to <random.url.com> (<publicip>) port 443 (#0)
* found 1 certificates in /etc/apt/certs/<random.url.com>-cacert.pem
* server certificate verification OK
* common name: <random.url.com> (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* start date: Wed, 22 Apr 2009 13:02:50 GMT
* expire date: Thu, 22 Apr 2010 13:02:50 GMT
* issuer: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /debian/dists/lenny/Release HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.7.21)
Host: <random.url.com>
Accept: */*
If-Modified-Since: Tue, 28 Apr 2009 09:38:37 GMT
Cache-Control: max-age=0
* gnutls_handshake() failed: Decryption has failed.
* GnuTLS recv error (-10): The specified session has been invalidated for some reason.
* Connection #0 to host <random.url.com> left intact
Ign https://<random.url.com> lenny Release
* Connection #0 seems to be dead!
* Closing connection #0
* About to connect() to <random.url.com> port 443 (#0)
* Trying <publicip>... * connected
* Connected to <random.url.com> (<publicip>) port 443 (#0)
* found 1 certificates in /etc/apt/certs/<random.url.com>-cacert.pem
* server certificate verification OK
* common name: <random.url.com> (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* start date: Wed, 22 Apr 2009 13:02:50 GMT
* expire date: Thu, 22 Apr 2010 13:02:50 GMT
* issuer: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /debian/dists/lenny/main/binary-i386/Packages.diff/Index HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.7.21)
Host: <random.url.com>
Accept: */*
If-Modified-Since: Tue, 28 Apr 2009 09:38:38 GMT
Cache-Control: max-age=0
* gnutls_handshake() failed: Decryption has failed.
* GnuTLS recv error (-10): The specified session has been invalidated for some reason.
* Connection #0 to host <random.url.com> left intact
* Connection #0 seems to be dead!
* Closing connection #0
* About to connect() to <random.url.com> port 443 (#0)
* Trying <publicip>... * connected
* Connected to <random.url.com> (<publicip>) port 443 (#0)
* found 1 certificates in /etc/apt/certs/<random.url.com>-cacert.pem
* server certificate verification OK
* common name: <random.url.com> (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* start date: Wed, 22 Apr 2009 13:02:50 GMT
* expire date: Thu, 22 Apr 2010 13:02:50 GMT
* issuer: C=IT,ST=Italy,L=<random_city>,O=<randomcomp> Certification Authority,OU=R&D,CN=<random.url.com>,EMAIL=rd@<randomcomp>.com
* compression: NULL
* cipher: AES-128-CBC
* MAC: SHA1
> GET /debian/dists/lenny/main/binary-i386/Packages.bz2 HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (0.7.21)
Host: <random.url.com>
Accept: */*
If-Modified-Since: Mon, 27 Apr 2009 15:17:23 GMT
Cache-Control: max-age=0
* gnutls_handshake() failed: Decryption has failed.
* GnuTLS recv error (-10): The specified session has been invalidated for some reason.
* Connection #0 to host <random.url.com> left intact
bzip2: (stdin) is not a bzip2 file.
Err https://<random.url.com> lenny/main Packages
Sub-process bzip2 returned an error code (2)
Fetched 140B in 0s (266B/s)
W: GPG error: https://<random.url.com> lenny Release: The following signatures were invalid: NODATA 1 NODATA 2
W: Failed to fetch https://<random.url.com>/debian/dists/lenny/main/binary-i386/Packages.bz2 Sub-process bzip2 returned an error code (2)
E: Some index files failed to download, they have been ignored, or old ones used instead.
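
Added example, not part of the original message or of apt/curl/GnuTLS: a small triage script for a Debug::Acquire::https log like the one above, grouping the curl lines per connection attempt and recording whether the GnuTLS error came after the server certificate had verified and the request had been sent. The sample lines are constructed in the log's format (the "200 OK" attempt is invented for contrast), and summarize() and its field names are hypothetical.

```python
import re

# Constructed sample in the format of the attached log (placeholders kept).
SAMPLE = """\
* About to connect() to <random.url.com> port 443 (#0)
* server certificate verification OK
> GET /debian/dists/lenny/Release.gpg HTTP/1.1
* gnutls_handshake() failed: Decryption has failed.
* GnuTLS recv error (-10): The specified session has been invalidated for some reason.
* Closing connection #0
* About to connect() to <random.url.com> port 443 (#0)
* server certificate verification OK
> GET /debian/dists/lenny/Release HTTP/1.1
< HTTP/1.1 200 OK
* Closing connection #0
"""

CONNECT = re.compile(r"^\* About to connect\(\) to (\S+) port (\d+)")
REQUEST = re.compile(r"^> (?:GET|HEAD) (\S+) HTTP/")
TLS_ERR = re.compile(r"^\* (gnutls_handshake\(\) failed: .+|GnuTLS recv error \(-?\d+\): .+)")

def summarize(log_text):
    """Return one dict per connection attempt; interleaved apt lines are ignored."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = CONNECT.match(line)
        if m:  # a new connection attempt starts here
            cur = {"host": m.group(1), "port": int(m.group(2)), "verified": False,
                   "request": None, "errors": [], "failed_after_request": False}
            attempts.append(cur)
            continue
        if cur is None:
            continue
        if line == "* server certificate verification OK":
            cur["verified"] = True
        elif (m := REQUEST.match(line)):
            cur["request"] = m.group(1)
        elif (m := TLS_ERR.match(line)):
            cur["errors"].append(m.group(1))
            # True when the error was logged after the HTTP request line
            cur["failed_after_request"] = cur["request"] is not None
    return attempts

if __name__ == "__main__":
    for a in summarize(SAMPLE):
        print(a["request"], a["verified"], a["failed_after_request"], a["errors"])
```

Run over the attached log, every attempt has verified set and failed_after_request set, which separates this failure from a server certificate or CA file problem.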