Bug#835342: curl or git clone commands throws "gnutls_handshake() failed" on https targets

Stefan Bühler stbuehler at lighttpd.net
Sun Aug 28 07:56:58 UTC 2016


Hi Marcelo,

On Fri, 26 Aug 2016 10:30:51 -0400 "marcelomendes at gmail.com"
<marcelomendes at gmail.com> wrote:
> 2016-08-25 13:25 GMT-04:00 Andreas Metzler <ametzler at bebt.de>:
> > On 2016-08-24 "marcelomendes at gmail.com" <marcelomendes at gmail.com>
> > wrote:
> >> Package: libgnutls30
> >> Version: 3.5.3-2
> >> Severity: important
> >> Tags: upstream
> >
> >> Dear Maintainer,
> >
> >> Trying to git clone a github repo using libgnutls30 3.5.3-2 throws
> >> the following error:
> >
> >> fatal: unable to access 'https://github.com/xxx/yyy/':
> >> gnutls_handshake() failed: Public key signature verification has
> >> failed.
> >
> >> Same happens for curl:
> >
> >> curl https://duckduckgo.com
> >> curl: (35) gnutls_handshake() failed: Public key signature
> >> verification has failed.
> >
> > Hello,
> > Are you able to reproduce either of these errors with gnutls-cli?
> 
> First, let me say I'm behind a proxy server.

Does the proxy happen to intercept TLS, i.e. is it a local CA that
creates certificates on demand, which might fail the verification?

Perhaps you could get a pcap with tcpdump of the connection(s) from
curl to the proxy?

    tcpdump -i eno1 -w curl-to-proxy.pcap 'host <proxy-ip> and port <proxy-port>'

> Both versions of gnutls-bin (3.5.3-3 and the old 3.5.2-3) have the
> same behavior:
> 
> gnutls-cli -V --port 443 duckduckgo.com
> Processed 173 CA certificate(s).
> Resolving 'duckduckgo.com:443'...
> Connecting to '107.21.1.61:443'...
> Connecting to '184.72.106.52:443'...
> Connecting to '184.72.115.86:443'...
> 
> and stays there for quite some time until I ctrl+c

I don't think gnutls-cli supports a proxy directly; you'd probably
have to use some LD_PRELOAD proxy wrapper (e.g. tsocks or similar).


