Re: apt-transport-https fail after squeeze upgrade
The Timeout is not the issue. Errors show up long before enough time passes. Debug::Acquire::https=1 does show interesting stuff, but it is identical between lenny and squeeze.
I've been poking around the https.cc code but nothing obvious struck me.
ssldump does produce some interesting differences though. Here are two logs, running "apt-get install" (lenny) and (squeeze) against the same single https source.
What might be the reason the lenny version says "Unknown value"? (I know nothing about ssl/https/...) Also, squeeze opens up new TCP connections (6 of them) -- perhaps to "try again"? Remember that my server claims lenny presents its cert, while squeeze does not, at least there is no trace of it in the server log.
Here is lenny:
New TCP connection #1: host1(44491) <-> host2(443)
1 1 0.0613 (0.0613) C>S Handshake
ClientHello
Version 3.0
cipher suites
Unknown value 0x33
Unknown value 0x39
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x32
Unknown value 0x38
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0x2f
Unknown value 0x35
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.1304 (0.0691) S>C Handshake
ServerHello
Version 3.0
session_id[0]=
cipherSuite Unknown value 0x33
compressionMethod NULL
1 3 0.1305 (0.0000) S>C Handshake
Certificate
1 4 0.1305 (0.0000) S>C Handshake
ServerKeyExchange
1 5 0.1305 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.1515 (0.0209) C>S Handshake
ClientKeyExchange
1 7 0.1515 (0.0000) C>S ChangeCipherSpec
1 8 0.1566 (0.0050) C>S Handshake
1 9 0.1567 (0.0000) S>C ChangeCipherSpec
1 10 0.1567 (0.0000) S>C Handshake
1 11 0.1591 (0.0023) C>S application_data
1 12 0.1593 (0.0002) S>C Handshake
1 13 0.1595 (0.0001) C>S Handshake
(log ends here)
Here is squeeze:
New TCP connection #1: host1(45764) <-> host2(443)
1 1 0.0742 (0.0742) C>S Handshake
ClientHello
Version 3.0
cipher suites
SSL_DHE_RSA_WITH_AES_128_CBC_SHA
SSL_DHE_RSA_WITH_AES_256_CBC_SHA
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_DSS_WITH_AES_128_CBC_SHA
SSL_DHE_DSS_WITH_AES_256_CBC_SHA
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_AES_256_CBC_SHA
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
1 2 0.1743 (0.1000) S>C Handshake
ServerHello
Version 3.0
session_id[0]=
cipherSuite SSL_DHE_RSA_WITH_AES_128_CBC_SHA
compressionMethod NULL
1 3 0.2120 (0.0376) S>C Handshake
Certificate
1 4 0.2120 (0.0000) S>C Handshake
ServerKeyExchange
1 5 0.2120 (0.0000) S>C Handshake
ServerHelloDone
1 6 0.2303 (0.0183) C>S Handshake
ClientKeyExchange
DiffieHellmanClientPublicValue[128]=
bb 39 b2 be f7 46 dc 09 c8 c5 8b e8 94 85 b3 79
83 f0 04 ba 0c 23 c3 de 36 eb b5 a0 20 fe a9 ec
0b e2 a3 a9 ca b2 3b 5e 23 5c 9a e1 bf 9c bf 9b
c6 18 d1 08 56 39 24 b5 82 f3 2c aa 9e 45 4d 88
69 1f 13 b3 c0 98 1c ef 10 57 25 e1 48 e6 53 85
af 65 7c 42 6c 2b d8 83 0b cf c3 9f 84 ce d5 a1
b7 c2 4c 21 19 c7 89 f8 79 00 b6 59 b9 f5 f0 cd
6b aa 55 9e 21 e4 38 96 0f bb 9d 14 fe 55 64 32
1 7 0.2490 (0.0187) C>S ChangeCipherSpec
1 8 0.2490 (0.0000) C>S Handshake
1 9 0.2685 (0.0194) S>C ChangeCipherSpec
1 10 0.2685 (0.0000) S>C Handshake
1 11 0.2708 (0.0022) C>S application_data
1 12 0.2909 (0.0201) S>C Handshake
1 13 0.2911 (0.0002) C>S Handshake
1 0.2930 (0.0018) C>S TCP FIN
New TCP connection #2: host1(45765) <-> host2(443)
2 1 0.0764 (0.0764) C>S Handshake
(log continues essentially the same for 6 TCP connections)
On Aug 15, 2010, at 4:47, David Kalnischkies wrote:
> 2010/8/14 Johannes Ernst <johannes.ernst@gmail.com>:
>> I have an apt https setup with client certs that has been working fine for lenny. After upgrading to squeeze, it fails. Has anything changed in the configuration? I'm not really able to find any relevant documentation ...
>
> Do you have a public https source we could test against?
>
> As far as I know we have no active developer using https
> so it is more or less untested unfortunately, so just
> a bunch of random thoughts from me:
>
> The only maybe related change I can remember is that
> https config options if unset use their http equivalent if set.
>
> Maybe try to increase the timeout used with the option
> Acquire::https::Timeout - default is 120 (=2 minutes).
>
> Maybe Debug::Acquire::https=1 shows interesting stuff.
>
> APT uses libcurl for its https stuff btw, so that it works with curl
> is interesting information.
>
> Oh and you might want to "reportbug" it as an important bug
> against apt-transport-https so it can't be forgotten in the mail archive.
>
>
> Best regards,
>
> David Kalnischkies
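Added worked example for this thread (not from the original mail, and not code from apt or ssldump): ssldump prints "Unknown value 0x33" when a cipher suite is missing from its own name table, which is the case for the AES suites in an older ssldump build; the RFC 5246 / IANA code point 0x0033 is TLS_DHE_RSA_WITH_AES_128_CBC_SHA (ssldump writes "SSL_" where the RFC writes "TLS_"). The script below resolves those code points, parses the ClientHello/ServerHello portion of an ssldump transcript, diffs two captures, and reports whether a CertificateRequest message (the only handshake message that asks the client for a certificate) appears in the visible handshake. The two transcripts are constructed to mirror the lenny and squeeze excerpts quoted above; the suite table only covers suites that appear in the thread.

```python
"""Decode cipher-suite code points in ssldump handshake output and diff two
captures. Added example for this thread, not part of the original mail or of
apt/ssldump; the two transcripts below are constructed from the quoted logs."""
import re

# RFC 5246 / IANA code points for the suites seen in the thread. An ssldump
# without a name for a suite prints "Unknown value 0x33" (here, the AES suites).
SUITES = {
    0x04: "TLS_RSA_WITH_RC4_128_MD5",
    0x05: "TLS_RSA_WITH_RC4_128_SHA",
    0x0a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x13: "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    0x16: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x2f: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x32: "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    0x33: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x35: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x38: "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x39: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}
UNKNOWN = re.compile(r"Unknown value 0x([0-9a-fA-F]+)")
HANDSHAKE_MSGS = {"ClientHello", "ServerHello", "Certificate", "ServerKeyExchange",
                  "CertificateRequest", "ServerHelloDone", "ClientKeyExchange",
                  "CertificateVerify"}

def decode_suite(token):
    """Map one ssldump suite line to its RFC name (ssldump prints SSL_ for TLS_)."""
    m = UNKNOWN.search(token)
    if m:
        code = int(m.group(1), 16)
        return SUITES.get(code, "UNKNOWN_0x%04x" % code)
    token = token.strip()
    return "TLS_" + token[4:] if token.startswith("SSL_") else token

def parse_transcript(text):
    """Return offered suites, the server's choice and the handshake messages seen."""
    offered, chosen, messages, in_suites = [], None, [], False
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line == "cipher suites":
            in_suites = True
        elif line == "compression methods":
            in_suites = False
        elif in_suites:
            offered.append(decode_suite(line))
        elif line.startswith("cipherSuite "):
            chosen = decode_suite(line[len("cipherSuite "):])
        elif line in HANDSHAKE_MSGS:
            messages.append(line)
    return {"offered": offered, "chosen": chosen, "messages": messages}

def compare(a, b):
    """Diff two captures: same offer? same choice? did the server ever send
    CertificateRequest, the only message that asks for a client certificate?"""
    pa, pb = parse_transcript(a), parse_transcript(b)
    return {
        "same_offer": pa["offered"] == pb["offered"],
        "chosen": (pa["chosen"], pb["chosen"]),
        "cert_requested": ("CertificateRequest" in pa["messages"],
                           "CertificateRequest" in pb["messages"]),
    }

# Constructed transcripts mirroring the lenny and squeeze ClientHello/ServerHello
# excerpts in the mail (record timing lines omitted; the parser ignores them).
LENNY = """\
ClientHello
cipher suites
Unknown value 0x33
Unknown value 0x39
SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
Unknown value 0x32
Unknown value 0x38
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
Unknown value 0x2f
Unknown value 0x35
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_RC4_128_SHA
SSL_RSA_WITH_RC4_128_MD5
compression methods
NULL
ServerHello
cipherSuite Unknown value 0x33
Certificate
ServerKeyExchange
ServerHelloDone
"""
# The squeeze-side ssldump knows the AES names, so the same offer shows up named.
SQUEEZE = "ClientHello\ncipher suites\n" + "\n".join(
    "SSL_" + SUITES[c][4:]
    for c in (0x33, 0x39, 0x16, 0x32, 0x38, 0x13, 0x2f, 0x35, 0x0a, 0x05, 0x04)
) + ("\ncompression methods\nNULL\nServerHello\n"
     "cipherSuite SSL_DHE_RSA_WITH_AES_128_CBC_SHA\n"
     "Certificate\nServerKeyExchange\nServerHelloDone\n")

if __name__ == "__main__":
    print(compare(LENNY, SQUEEZE))
```

Run against the two constructed transcripts it reports the same eleven suites in the same order, the same server choice, and no CertificateRequest in either initial handshake. A Handshake record that follows application_data is where a renegotiation would take place; ssldump cannot decode that part without the session keys, so a check like this only covers the cleartext initial handshake.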