
Bug#703932: apt-transport-https not sending a certificate to the server



On Tue, Mar 26, 2013 at 06:46:15AM +0100, Michael Vogt wrote:

Good Morning,

I don't mind using gdb to step through the HttpsMethod::Fetch method but I
just don't know what kind of Fetch statement to paste into the stdin of the
transport. What would be the line to have the https transport attempt to
fetch my packages file?


> > I have configured apache to require client certificates, I have a CA,
> > a client key and client crt. I can use both curl and gnutls-cli to connect
> > to my server. I have configured apt to use these keys, in strace I see
> > that the ca.crt, client1.crt and client1.key are read. In the wireshark
> > trace I see that an empty "client" is sent to the server.
> [..]
> > $ aptitude update
> > ....
> > gnutls_handshake() failed: Handshake failed
> [..]
> 
> Can you please run with Debug enabled?
> $ sudo apt-get update -o Debug::Acquire::https=1

I have the debug output already in a .conf.d file (as indicated in the original
mail).

> and see what that prints?


* About to connect() to HOST port PORT (#0)
*   Trying IP...
* Connected to HOST (IP) port PORT (#0)
* found 1 certificates in /home/ich/cert/ca.crt
* gnutls_handshake() failed: Handshake failed
* Closing connection 0

That is really all. Until yesterday the first hit on google for this
issue was [1]. I don't see a resolution in this thread though.

One of the issues with the code is the lack of checking return values:

methods/https.cc
   string key = _config->Find("Acquire::https::SslKey","");
   knob = "Acquire::https::"+remotehost+"::SslKey";
   key = _config->Find(knob.c_str(),key.c_str());
   if(key.empty() == false)
      curl_easy_setopt(curl, CURLOPT_SSLKEY, key.c_str());

curl_easy_setopt returns a CURLcode; this is not checked in the
above code. So it might be (probably not) that curl already informs the caller
that there is something wrong with the key.


holger


[1] http://linux.derkeiler.com/Mailing-Lists/Debian/2011-06/msg02270.html

