
Re: apt-transport-https fail after squeeze upgrade



The Timeout is not the issue. Errors show up long before enough time passes. Debug::Acquire::https=1 does show interesting stuff, but it is identical between lenny and squeeze.

I've been poking around the https.cc code but nothing obvious struck me.

ssldump does produce some interesting differences though. Here are two logs, running "apt-get install" (lenny) and (squeeze) against the same single https source.

What might be the reason the lenny version says "Unknown value"? (I know nothing about ssl/https/...) Also, squeeze opens up new TCP connections (6 of them) -- perhaps to "try again"? Remember that my server claims lenny presents its cert, while squeeze does not, at least there is no trace of it in the server log.

Here is lenny:

New TCP connection #1: host1(44491) <-> host2(443)
1 1  0.0613 (0.0613)  C>S  Handshake
      ClientHello
        Version 3.0
        cipher suites
        Unknown value 0x33
        Unknown value 0x39
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x32
        Unknown value 0x38
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        Unknown value 0x2f
        Unknown value 0x35
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
1 2  0.1304 (0.0691)  S>C  Handshake
      ServerHello
        Version 3.0
        session_id[0]=

        cipherSuite         Unknown value 0x33
        compressionMethod                   NULL
1 3  0.1305 (0.0000)  S>C  Handshake
      Certificate
1 4  0.1305 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.1305 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.1515 (0.0209)  C>S  Handshake
      ClientKeyExchange
1 7  0.1515 (0.0000)  C>S  ChangeCipherSpec
1 8  0.1566 (0.0050)  C>S  Handshake
1 9  0.1567 (0.0000)  S>C  ChangeCipherSpec
1 10 0.1567 (0.0000)  S>C  Handshake
1 11 0.1591 (0.0023)  C>S  application_data
1 12 0.1593 (0.0002)  S>C  Handshake
1 13 0.1595 (0.0001)  C>S  Handshake

(log ends here)

Here is squeeze:

New TCP connection #1: host1(45764) <-> host2(443)
1 1  0.0742 (0.0742)  C>S  Handshake
      ClientHello
        Version 3.0
        cipher suites
        SSL_DHE_RSA_WITH_AES_128_CBC_SHA
        SSL_DHE_RSA_WITH_AES_256_CBC_SHA
        SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_DHE_DSS_WITH_AES_128_CBC_SHA
        SSL_DHE_DSS_WITH_AES_256_CBC_SHA
        SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_AES_128_CBC_SHA
        SSL_RSA_WITH_AES_256_CBC_SHA
        SSL_RSA_WITH_3DES_EDE_CBC_SHA
        SSL_RSA_WITH_RC4_128_SHA
        SSL_RSA_WITH_RC4_128_MD5
        compression methods
                  NULL
1 2  0.1743 (0.1000)  S>C  Handshake
      ServerHello
        Version 3.0
        session_id[0]=

        cipherSuite         SSL_DHE_RSA_WITH_AES_128_CBC_SHA
        compressionMethod                   NULL
1 3  0.2120 (0.0376)  S>C  Handshake
      Certificate
1 4  0.2120 (0.0000)  S>C  Handshake
      ServerKeyExchange
1 5  0.2120 (0.0000)  S>C  Handshake
      ServerHelloDone
1 6  0.2303 (0.0183)  C>S  Handshake
      ClientKeyExchange
        DiffieHellmanClientPublicValue[128]=
          bb 39 b2 be f7 46 dc 09 c8 c5 8b e8 94 85 b3 79
          83 f0 04 ba 0c 23 c3 de 36 eb b5 a0 20 fe a9 ec
          0b e2 a3 a9 ca b2 3b 5e 23 5c 9a e1 bf 9c bf 9b
          c6 18 d1 08 56 39 24 b5 82 f3 2c aa 9e 45 4d 88
          69 1f 13 b3 c0 98 1c ef 10 57 25 e1 48 e6 53 85
          af 65 7c 42 6c 2b d8 83 0b cf c3 9f 84 ce d5 a1
          b7 c2 4c 21 19 c7 89 f8 79 00 b6 59 b9 f5 f0 cd
          6b aa 55 9e 21 e4 38 96 0f bb 9d 14 fe 55 64 32
1 7  0.2490 (0.0187)  C>S  ChangeCipherSpec
1 8  0.2490 (0.0000)  C>S  Handshake
1 9  0.2685 (0.0194)  S>C  ChangeCipherSpec
1 10 0.2685 (0.0000)  S>C  Handshake
1 11 0.2708 (0.0022)  C>S  application_data
1 12 0.2909 (0.0201)  S>C  Handshake
1 13 0.2911 (0.0002)  C>S  Handshake
1    0.2930 (0.0018)  C>S  TCP FIN
New TCP connection #2: host1(45765) <-> host2(443)
2 1  0.0764 (0.0764)  C>S  Handshake

(log continues essentially the same for 6 TCP connections)



On Aug 15, 2010, at 4:47, David Kalnischkies wrote:

> 2010/8/14 Johannes Ernst <johannes.ernst@gmail.com>:
>> I have an apt https setup with client certs that has been working fine for lenny. After upgrading to squeeze, it fails. Has anything changed in the configuration? I'm not really able to find any relevant documentation ...
> 
> Do you have a public https source we could test against?
> 
> As far as I know we have no active developer using https
> so it is more or less untested unfortunately, so just
> a bunch of random thoughts from me:
> 
> The only maybe related change I can remember is that
> https config options if unset use their http equivalent if set.
> 
> Maybe try to increase the timeout used with the option
> Acquire::https::Timeout - default is 120 (=2 minutes).
> 
> Maybe Debug::Acquire::https=1 shows interesting stuff.
> 
> APT uses libcurl for its https stuff btw, so that it works with curl
> is interesting information.
> 
> Oh and you might want to "reportbug" it as an important bug
> against apt-transport-https so it can't be forgotten in the mail archive.
> 
> 
> Best regards,
> 
> David Kalnischkies
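
Added example, not part of the original message or of APT: the "Unknown value 0xNN" entries in the lenny capture are cipher suite IDs that the TLS registry assigns to the AES suites, so this script resolves them and compares the two ClientHello offers from the logs above. The mapping table and the function names are this example's own; the suite names use the SSL_ prefix seen in the squeeze log.

```python
import re

# TLS registry cipher suite IDs (high byte 0x00) for the AES-CBC-SHA suites,
# named with the SSL_ prefix that the squeeze capture uses.
AES_SUITES = {
    0x2F: "SSL_RSA_WITH_AES_128_CBC_SHA", 0x35: "SSL_RSA_WITH_AES_256_CBC_SHA",
    0x32: "SSL_DHE_DSS_WITH_AES_128_CBC_SHA", 0x38: "SSL_DHE_DSS_WITH_AES_256_CBC_SHA",
    0x33: "SSL_DHE_RSA_WITH_AES_128_CBC_SHA", 0x39: "SSL_DHE_RSA_WITH_AES_256_CBC_SHA",
}
UNKNOWN = re.compile(r"Unknown value (0x[0-9a-fA-F]+)")

def normalize(entry):
    """Map 'Unknown value 0xNN' to a suite name when the ID is in the table."""
    m = UNKNOWN.fullmatch(entry)
    return AES_SUITES.get(int(m.group(1), 16), entry) if m else entry

def offered_suites(log):
    """Normalized cipher suite list of the first ClientHello in an ssldump log."""
    suites, in_list = [], False
    for text in (line.strip() for line in log.splitlines()):
        if text == "cipher suites":
            in_list = True
        elif text == "compression methods" and in_list:
            break
        elif in_list and text:
            suites.append(normalize(text))
    return suites

# ClientHello excerpts copied from the two logs in the message, one entry per line.
LENNY = "\n".join([
    "ClientHello", "cipher suites", "Unknown value 0x33", "Unknown value 0x39",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "Unknown value 0x32", "Unknown value 0x38",
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "Unknown value 0x2f", "Unknown value 0x35",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "compression methods", "NULL",
])
SQUEEZE = "\n".join([
    "ClientHello", "cipher suites",
    "SSL_DHE_RSA_WITH_AES_128_CBC_SHA", "SSL_DHE_RSA_WITH_AES_256_CBC_SHA",
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_DHE_DSS_WITH_AES_128_CBC_SHA",
    "SSL_DHE_DSS_WITH_AES_256_CBC_SHA", "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_AES_256_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "compression methods", "NULL",
])

if __name__ == "__main__":
    print("same offer:", offered_suites(LENNY) == offered_suites(SQUEEZE))
```

Once the IDs are resolved, both captures offer the same eleven suites in the same order, and the ServerHello in both selects 0x33, so the cipher negotiation shown in the two logs is the same.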

