On Sun, Mar 31, 2013 at 02:36:46PM +0200, Holger Hans Peter Freyther wrote: > On Tue, Mar 26, 2013 at 02:35:56PM +0100, Michael Vogt wrote: > > Hi, Hi, thanks for the updated information!
> > But that is of course not very helpful. You mentioned that the > > gnutls-cli commandline works for you? Could you please provide the > > commandline you used? > > I tried with both curl and gnutls-cli: > $ curl --cacert ./ca.crt --key ./client1.key -E ./client1.crt \ > https://HOST:PORT/ > > $ gnutls-cli --x509cafile ca.crt --x509keyfile client1.key \ > --x509certfile ./client1.crt -p PORT HOST > > I have increased the level from your patch to six, and I printed > the return value of setting the Key/cert. I have looked into the > below '-----BEGIN RSA...' thing. My key does not state RSA/DSA > though. I have used "openssl rsa -in client1.key" to attempt to > generate a key that mentions RSA. This makes the output go away > but the error remains the same. > > What I noticed is that the 'curl' binary is linking to OpenSSL > directly. So apt-transport-https and curl are most likely not > going through the same code paths for TLS. There doesn't appear > to be a curl-dbg package so there was no easy way to check if > OpenSSL is used for TLS. [..] Indeed, a-t-https and curl will have different code pathes. But its interessting that gnutls-cli worked for you, so it appears that something in the libcurl (or apt-t-https) version with gnutls is not using the API correctly. > So something between CURL and GNUtls is going wrong. Is there > a way to build the https transport to use OpenSSL? Or to have > a curl binary that is using GNUtls? You can rebuild apt with the following patch to get a openssl based https. And a "sudo apt-get install libcurl4-openssl-dev" of course :) === modified file 'debian/control' --- debian/control 2013-03-25 07:56:42 +0000 +++ debian/control 2013-04-02 05:09:28 +0000 @@ -7,7 +7,7 @@ Julian Andres Klode <j...@debian.org> Standards-Version: 3.9.3 Build-Depends: dpkg-dev (>= 1.15.8), debhelper (>= 8.1.3~), libdb-dev, - gettext (>= 0.12), libcurl4-gnutls-dev (>= 7.19.0), + gettext (>= 0.12), libcurl4-openssl-dev (>= 7.19.0), zlib1g-dev, libbz2-dev, xsltproc, docbook-xsl, docbook-xml, po4a (>= 0.34-2), autotools-dev, autoconf, automake Build-Depends-Indep: doxygen, debiandoc-sgml I wouldn't be suprised if that would solve your problem. But solving it with gnutls would be prefered. Cheers, Michael > Log Output: > > CERT CODE 0 > KEY CODE 0 > * About to connect() to HOST port PORT (#13) > * Trying IP... [..] > |<3>| HSK[0x92df820]: FINISHED was sent [16 bytes] > |<6>| BUF[HSK]: Peeked 0 bytes of Data > |<6>| BUF[HSK]: Emptied buffer > |<4>| REC[0x92df820]: Sending Packet[0] Handshake(22) with length: 16 > |<4>| REC[0x92df820]: Sent Packet[1] Handshake(22) with length: 133 > |<2>| ASSERT: ext_session_ticket.c:710 > |<2>| ASSERT: gnutls_handshake.c:2933 > |<4>| REC[0x92df820]: Expected Packet[4] Change Cipher Spec(20) with length: 1 > |<4>| REC[0x92df820]: Received Packet[4] Alert(21) with length: 2 > |<4>| REC[0x92df820]: Decrypted Packet[4] Alert(21) with length: 2 > |<4>| REC[0x92df820]: Alert[2|40] - Handshake failed - was received > |<2>| ASSERT: gnutls_record.c:726 > |<2>| ASSERT: gnutls_record.c:1122 > |<2>| ASSERT: gnutls_handshake.c:2933 > |<2>| ASSERT: gnutls_handshake.c:3139 > |<6>| BUF[HSK]: Cleared Data from buffer > * gnutls_handshake() failed: Handshake failed > * Closing connection 13 [..] Do you have anything on the server side that indiciates what might have gone wrong? Cheers, Michael -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
