
test results



Testing in a Squeeze pbuilder login with unchanged packages:
Downloaded from http://apt-test.aviatis.com/

root@dwarf:~# ls /etc/apt/client-certs/
client.apt-test.aviatis.com.crt  client.apt-test.aviatis.com.key

root@dwarf:~# cat /etc/apt/sources.list
deb http://ftp.uk.debian.org/debian/ testing main
deb-src http://ftp.uk.debian.org/debian/ testing main
deb https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze main

root@dwarf:~# cat /etc/apt/apt.conf.d/client-cert 
Acquire {
  https {
        Verify-Peer "false";
        CaPath  "/etc/ssl/certs";
        Verify-Host "false";
        AllowRedirect  "true";

        SslCert "/etc/apt/client-certs/client.apt-test.aviatis.com.crt";
        SslKey  "/etc/apt/client-certs/client.apt-test.aviatis.com.key";
        SslForceVersion "SSLv3"; // This is required to get it to work in lenny; not sure why.
   }
}

(Note the revealing comment about the ForceVersion - this turns out to be important.)

Tested using:
apt-transport-https       0.8.8

root@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  SSL connection timeout

E: Some index files failed to download, they have been ignored, or old ones used instead.

Install the patched update NMU packages:

root@dwarf:~# dpkg -i ../curl_7.21.0-1.1_amd64.deb ../libcurl3_7.21.0-1.1_amd64.deb ../libcurl3-gnutls_7.21.0-1.1_amd64.deb 
(Reading database ... 12732 files and directories currently installed.)
Preparing to replace curl 7.21.0-1 (using ../curl_7.21.0-1.1_amd64.deb) ...
Unpacking replacement curl ...
Preparing to replace libcurl3 7.21.0-1 (using .../libcurl3_7.21.0-1.1_amd64.deb) ...
Unpacking replacement libcurl3 ...
Preparing to replace libcurl3-gnutls 7.21.0-1 (using .../libcurl3-gnutls_7.21.0-1.1_amd64.deb) ...
Unpacking replacement libcurl3-gnutls ...
Setting up libcurl3 (7.21.0-1.1) ...
Setting up libcurl3-gnutls (7.21.0-1.1) ...
Setting up curl (7.21.0-1.1) ...

test:

root@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Get:1 https://apt-test.aviatis.com squeeze Release.gpg [835 B]
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Get:2 https://apt-test.aviatis.com squeeze Release [89.9 kB]
Get:3 https://apt-test.aviatis.com squeeze/main amd64 Packages [6562 kB]
Fetched 6653 kB in 52s (126 kB/s)
Reading package lists... Done

The results with apt-get update are reproducible, yet calls to the
underlying utilities would give the impression that nothing has changed.

e.g.
# gnutls-cli -V --insecure -p 433 --x509certfile /etc/apt/client-certs/client.apt-test.aviatis.com.crt --x509keyfile /etc/apt/client-certs/client.apt-test.aviatis.com.key apt-test.aviatis.com
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'apt-test.aviatis.com'...
Connecting to '204.145.147.227:433'...
Cannot connect to apt-test.aviatis.com:433: Connection timed out

No change with the patched package.

whilst curl works fine (with and without the change)
curl -v  -k https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/Release --cert /etc/apt/client-certs/client.apt-test.aviatis.com.crt --key /etc/apt/client-certs/client.apt-test.aviatis.com.key 

Then with a sid pbuilder login without any patches:
ii  apt-transport-https       0.8.10

root@dwarf:/etc/apt/client-certs# apt-get update
Hit http://ftp.fr.debian.org sid Release.gpg
Ign http://ftp.fr.debian.org/debian/ sid/main Translation-en
Hit http://ftp.fr.debian.org sid Release
Hit http://ftp.fr.debian.org sid/main Sources/DiffIndex
Hit http://ftp.fr.debian.org sid/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  SSL connection timeout

E: Some index files failed to download, they have been ignored, or old ones used instead.

Same results for the curl and gnutls test commands as in Squeeze (patched or not).

More light is shed when the /etc/apt/apt.conf.d/client-cert is edited
to remove the line forcing SSLv3:

With the patched packages installed:

root@dwarf:~# cat /etc/apt/apt.conf.d/client-cert 
Acquire {
  https {
        Verify-Peer "false";
        CaPath  "/etc/ssl/certs";
        Verify-Host "false";
        AllowRedirect  "true";

        SslCert "/etc/apt/client-certs/client.apt-test.aviatis.com.crt";
        SslKey  "/etc/apt/client-certs/client.apt-test.aviatis.com.key";
   }
}

root@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg     
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  gnutls_handshake() failed: Decryption has failed.
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  gnutls_handshake() failed: Decryption has failed.

E: Some index files failed to download, they have been ignored, or old ones used instead.

handshake blamed with the patch

root@dwarf:~# dpkg -l | grep curl
ii  curl                            7.21.0-1.1                  Get a file from an HTTP, HTTPS or FTP server
ii  libcurl3                        7.21.0-1.1                  Multi-protocol file transfer library (OpenSSL)
ii  libcurl3-gnutls                 7.21.0-1.1                  Multi-protocol file transfer library (GnuTLS)

Downgrading back to Squeeze:
Setting up libcurl3 (7.21.0-1) ...
Setting up curl (7.21.0-1) ...
Setting up libcurl3-gnutls (7.21.0-1) ...

root@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz
  SSL connection timeout

E: Some index files failed to download, they have been ignored, or old ones used instead.

timeout blamed without the patch.

So the patch certainly has the effect of making the test apt source
usable under the original test conditions, and it remains unusable
without the patch or with packages from unstable, but it leaves me
uncertain about how much of this is down to the specific configuration
of these test conditions. (All testing of this bug has involved this
one test configuration.)

It works but I'd be happier if someone could explain what is actually
happening and why....

-- 


Neil Williams
=============
http://www.linux.codehelp.co.uk/
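
The client-cert fragment in this report turns off both certificate checks and pins the protocol to SSLv3, so a transfer that succeeds under it says nothing about server authentication. As an added example (not part of the original message and not apt's own code), this Python sketch flattens an apt.conf fragment and flags those three settings; it handles only the nested-scope and `//` comment syntax shown above, and the names flatten, audit and WEAK are hypothetical.

```python
import re

# Constructed sample: the client-cert fragment quoted in the message above.
SAMPLE = '''Acquire {
  https {
        Verify-Peer "false";
        CaPath  "/etc/ssl/certs";
        Verify-Host "false";
        AllowRedirect  "true";
        SslCert "/etc/apt/client-certs/client.apt-test.aviatis.com.crt";
        SslKey  "/etc/apt/client-certs/client.apt-test.aviatis.com.key";
        SslForceVersion "SSLv3"; // This is required to get it to work in lenny; not sure why.
   }
}
'''

# Order matters: comments first, then quoted values, punctuation, bare words.
TOKEN = re.compile(r'//[^\n]*|"([^"]*)"|([{};])|([^\s{};"]+)')

# Lower-cased option -> (weak value, why it matters). Hypothetical rule table.
WEAK = {
    "acquire::https::verify-peer": ("false", "server certificate chain is not validated"),
    "acquire::https::verify-host": ("false", "certificate name is not matched to the host"),
    "acquire::https::sslforceversion": ("sslv3", "connection is pinned to obsolete SSLv3"),
}

def flatten(text):
    """Turn nested scopes into {'Acquire::https::Option': 'value'}."""
    out, scope, name = {}, [], None
    for m in TOKEN.finditer(text):
        quoted, punct, word = m.groups()
        if quoted is not None and name:
            out["::".join(scope + [name])] = quoted
        elif word:
            name = word              # option or scope name, resolved by next token
        elif punct == "{" and name:
            scope.append(name)
            name = None
        elif punct == "}" and scope:
            scope.pop()
        elif punct == ";":
            name = None
    return out

def audit(text):
    """Return (option, value, reason) for each weakened TLS setting found."""
    hits = []
    for key, value in flatten(text).items():
        rule = WEAK.get(key.lower())
        if rule and value.lower() == rule[0]:
            hits.append((key, value, rule[1]))
    return hits

if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f'{key} "{value}": {reason}')
```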
