[Pkg-openssl-devel] Bug#1112125: apt-transport-https: Regression in CAInfo handling in Trixie
Julian Andres Klode
jak at debian.org
Tue Aug 26 19:57:55 BST 2025
On Tue, Aug 26, 2025 at 06:48:33PM +0200, Gregor Jasny wrote:
> Package: apt-transport-https
> Version: 3.1.4
> Severity: normal
> X-Debbugs-Cc: gjasny at googlemail.com
>
> Hello,
>
> there seems to be a regression in Trixie (probably since the switch
> to OpenSSL) in the CAInfo handling.
>
> I created a reproducer here:
> https://salsa.debian.org/gjasny-guest/debian-apt-cafile
>
> Copy for the archive:
> ---
> FROM debian:13
> ENV DEBIAN_FRONTEND=noninteractive
> RUN sed -i'' -e 's,http://deb.debian.org,https://debian.inf.tu-dresden.de,g' /etc/apt/sources.list.d/debian.sources
> ADD rootca.pem /etc/rootca.pem
> RUN echo 'Acquire::https::debian.inf.tu-dresden.de::CAInfo "/etc/rootca.pem";' > /etc/apt/apt.conf.d/99-root-ca
> RUN apt-get update
> RUN apt-get install -y ca-certificates
> ---
>
> It works with Debian 12 and fails with Debian 13. (I need that functionality
> for a company internal APT repository, not debian.inf.tu-dresden.de.)
>
> Could you please take a look at what's happening?

The file is being loaded by SSL_CTX_load_verify_file(), the rest is
OpenSSL's doing. I do not have further information.

Please note that we generally do not ship stable updates for APT,
so any fix will only be available in Debian 14 - please test your
use cases before a release to ensure you can use the next release.
(release team approval for stable updates is hard to get)

--
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer i speak de, en