Bug#703932: apt-transport-https not sending a certificate to the server

[Holger Hans Peter Freyther <holger@freyther.de>]

On Tue, Mar 26, 2013 at 02:35:56PM +0100, Michael Vogt wrote:

Hi,


> But that is of course not very helpful. You mentioned that the
> gnutls-cli commandline works for you? Could you please provide the
> commandline you used? 

I tried with both curl and gnutls-cli:
$ curl --cacert ./ca.crt --key ./client1.key -E ./client1.crt \
	https://HOST:PORT/

$ gnutls-cli --x509cafile ca.crt  --x509keyfile client1.key  \
	--x509certfile   ./client1.crt -p PORT HOST

I have increased the level from your patch to six, and I printed
the return value of setting the Key/cert. I have looked into the
below '-----BEGIN RSA...' thing. My key does not state RSA/DSA
though. I have used "openssl rsa -in client1.key" to attempt to
generate a key that mentions RSA. This makes the output go away
but the error remains the same.

What I noticed is that the 'curl' binary is linking to OpenSSL
directly. So apt-transport-https and curl are most likely not
going through the same code paths for TLS. There doesn't appear
to be a curl-dbg package so there was no easy way to check if
OpenSSL is used for TLS. 

$ curl -2 ...
curl: (4) OpenSSL was built without SSLv2 support


So something between CURL and GNUtls is going wrong. Is there
a way to build the https transport to use OpenSSL? Or to have
a curl binary that is using GNUtls?

ideas?


Log Output:

CERT CODE 0
KEY CODE 0
* About to connect() to HOST port PORT (#13)
*   Trying IP...
Ign http://download.opensuse.org ./ Translation-en_US
99% [Working]* Connected to HOST (IP) port PORT (#13)
* found 1 certificates in /home/ich/cert/ca.crt
|<4>| REC[0x92df820]: Allocating epoch #0
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:387
|<2>| Falling back to PKCS #8 key decoding
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x92df820]: Allocating epoch #1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x92df820]: Sending extension SERVER NAME (26 bytes)
|<2>| EXT[0x92df820]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x92df820]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x92df820]: CLIENT HELLO was sent [142 bytes]
|<6>| BUF[HSK]: Inserted 142 bytes of Data
|<4>| REC[0x92df820]: Sending Packet[0] Handshake(22) with length: 142
|<4>| REC[0x92df820]: Sent Packet[1] Handshake(22) with length: 147
Ign http://download.opensuse.org ./ Translation-en
99% [Working]|<4>| REC[0x92df820]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[0] Handshake(22) with length: 85
|<4>| REC[0x92df820]: Decrypted Packet[0] Handshake(22) with length: 85
|<6>| BUF[HSK]: Inserted 85 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER HELLO was received [85 bytes]
|<6>| BUF[REC][HD]: Read 81 bytes of Data(22)
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 81 bytes of Data
|<3>| HSK[0x92df820]: Server's version: 3.1
|<3>| HSK[0x92df820]: SessionID length: 32
|<3>| HSK[0x92df820]: SessionID: a7e8d3bd63f33820cb9f10e3e666c246a3caddd04662e279b51306d79746dd17
|<3>| HSK[0x92df820]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1
|<2>| EXT[0x92df820]: Parsing extension 'SERVER NAME/0' (0 bytes)
|<2>| EXT[0x92df820]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<3>| HSK[0x92df820]: Safe renegotiation succeeded
|<4>| REC[0x92df820]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[1] Handshake(22) with length: 2505
|<2>| ASSERT: gnutls_buffers.c:649
|<2>| ASSERT: gnutls_kx.c:694
|<4>| REC[0x92df820]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[1] Handshake(22) with length: 2505
|<4>| REC[0x92df820]: Decrypted Packet[1] Handshake(22) with length: 2505
|<6>| BUF[HSK]: Inserted 2505 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: CERTIFICATE was received [2505 bytes]
|<6>| BUF[REC][HD]: Read 2501 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 227 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 2501 bytes of Data
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<4>| REC[0x92df820]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[2] Handshake(22) with length: 525
|<2>| ASSERT: gnutls_buffers.c:649
|<2>| ASSERT: gnutls_kx.c:382
|<4>| REC[0x92df820]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[2] Handshake(22) with length: 525
|<4>| REC[0x92df820]: Decrypted Packet[2] Handshake(22) with length: 525
|<6>| BUF[HSK]: Inserted 525 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER KEY EXCHANGE was received [525 bytes]
|<6>| BUF[REC][HD]: Read 521 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 2505 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 521 bytes of Data
|<4>| REC[0x92df820]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[3] Handshake(22) with length: 163
|<4>| REC[0x92df820]: Decrypted Packet[3] Handshake(22) with length: 163
|<6>| BUF[HSK]: Inserted 163 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: CERTIFICATE REQUEST was received [159 bytes]
|<6>| BUF[REC][HD]: Read 155 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 525 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 155 bytes of Data
|<2>| ASSERT: auth_cert.c:237
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER HELLO DONE was received [4 bytes]
|<6>| BUF[HSK]: Peeked 159 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<3>| HSK[0x92df820]: CERTIFICATE was sent [7 bytes]
|<6>| BUF[HSK]: Peeked 4 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<3>| HSK[0x92df820]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[0x92df820]: Sending Packet[1] Handshake(22) with length: 7
|<4>| REC[0x92df820]: Sent Packet[2] Handshake(22) with length: 12
|<4>| REC[0x92df820]: Sending Packet[2] Handshake(22) with length: 134
|<4>| REC[0x92df820]: Sent Packet[3] Handshake(22) with length: 139
|<3>| REC[0x92df820]: Sent ChangeCipherSpec
|<4>| REC[0x92df820]: Sending Packet[3] Change Cipher Spec(20) with length: 1
|<4>| REC[0x92df820]: Sent Packet[4] Change Cipher Spec(20) with length: 6
|<4>| REC[0x92df820]: Initializing epoch #1
|<4>| REC[0x92df820]: Epoch #1 ready
|<3>| HSK[0x92df820]: Cipher Suite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Initializing internal [write] cipher sessions
|<4>| REC[0x92df820]: Start of epoch cleanup
|<4>| REC[0x92df820]: End of epoch cleanup
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<3>| HSK[0x92df820]: recording tls-unique CB (send)
|<3>| HSK[0x92df820]: FINISHED was sent [16 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[0x92df820]: Sending Packet[0] Handshake(22) with length: 16
|<4>| REC[0x92df820]: Sent Packet[1] Handshake(22) with length: 133
|<2>| ASSERT: ext_session_ticket.c:710
|<2>| ASSERT: gnutls_handshake.c:2933
|<4>| REC[0x92df820]: Expected Packet[4] Change Cipher Spec(20) with length: 1
|<4>| REC[0x92df820]: Received Packet[4] Alert(21) with length: 2
|<4>| REC[0x92df820]: Decrypted Packet[4] Alert(21) with length: 2
|<4>| REC[0x92df820]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2933
|<2>| ASSERT: gnutls_handshake.c:3139
|<6>| BUF[HSK]: Cleared Data from buffer
* gnutls_handshake() failed: Handshake failed
* Closing connection 13
|<2>| ASSERT: gnutls_record.c:276
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x92df820]: Epoch #0 freed
|<4>| REC[0x92df820]: Epoch #1 freed