Testing in a Squeeze pbuilder login with unchanged packages:

Downloaded from http://apt-test.aviatis.com/

r...@dwarf:~# ls /etc/apt/client-certs/
client.apt-test.aviatis.com.crt  client.apt-test.aviatis.com.key

r...@dwarf:~# cat /etc/apt/sources.list
deb http://ftp.uk.debian.org/debian/ testing main
deb-src http://ftp.uk.debian.org/debian/ testing main
deb https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze main

r...@dwarf:~# cat /etc/apt/apt.conf.d/client-cert
Acquire {
  https {
    Verify-Peer "false";
    CaPath "/etc/ssl/certs";
    Verify-Host "false";
    AllowRedirect "true";
    SslCert "/etc/apt/client-certs/client.apt-test.aviatis.com.crt";
    SslKey "/etc/apt/client-certs/client.apt-test.aviatis.com.key";
    SslForceVersion "SSLv3"; // This is required to get it to work in lenny; not sure why.
  }
}

(Note the revealing comment about the ForceVersion - this turns out to be
important.)

Tested using: apt-transport-https 0.8.8

r...@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  SSL connection timeout
E: Some index files failed to download, they have been ignored, or old ones used instead.

Install the patched update NMU packages:

r...@dwarf:~# dpkg -i ../curl_7.21.0-1.1_amd64.deb ../libcurl3_7.21.0-1.1_amd64.deb ../libcurl3-gnutls_7.21.0-1.1_amd64.deb
(Reading database ... 12732 files and directories currently installed.)
Preparing to replace curl 7.21.0-1 (using ../curl_7.21.0-1.1_amd64.deb) ...
Unpacking replacement curl ...
Preparing to replace libcurl3 7.21.0-1 (using .../libcurl3_7.21.0-1.1_amd64.deb) ...
Unpacking replacement libcurl3 ...
Preparing to replace libcurl3-gnutls 7.21.0-1 (using .../libcurl3-gnutls_7.21.0-1.1_amd64.deb) ...
Unpacking replacement libcurl3-gnutls ...
Setting up libcurl3 (7.21.0-1.1) ...
Setting up libcurl3-gnutls (7.21.0-1.1) ...
Setting up curl (7.21.0-1.1) ...

test:

r...@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Get:1 https://apt-test.aviatis.com squeeze Release.gpg [835 B]
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Get:2 https://apt-test.aviatis.com squeeze Release [89.9 kB]
Get:3 https://apt-test.aviatis.com squeeze/main amd64 Packages [6562 kB]
Fetched 6653 kB in 52s (126 kB/s)
Reading package lists... Done

The results with apt-get update are reproducible, yet calls to the
underlying utilities would give the impression that nothing has changed.

e.g.

# gnutls-cli -V --insecure -p 433 --x509certfile /etc/apt/client-certs/client.apt-test.aviatis.com.crt --x509keyfile /etc/apt/client-certs/client.apt-test.aviatis.com.key apt-test.aviatis.com
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'apt-test.aviatis.com'...
Connecting to '204.145.147.227:433'...
Cannot connect to apt-test.aviatis.com:433: Connection timed out

No change with the patched package.
whilst curl works fine (with and without the change)

curl -v -k https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/Release --cert /etc/apt/client-certs/client.apt-test.aviatis.com.crt --key /etc/apt/client-certs/client.apt-test.aviatis.com.key

Then with a sid pbuilder login without any patches:

ii apt-transport-https 0.8.10

r...@dwarf:/etc/apt/client-certs# apt-get update
Hit http://ftp.fr.debian.org sid Release.gpg
Ign http://ftp.fr.debian.org/debian/ sid/main Translation-en
Hit http://ftp.fr.debian.org sid Release
Hit http://ftp.fr.debian.org sid/main Sources/DiffIndex
Hit http://ftp.fr.debian.org sid/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  SSL connection timeout
E: Some index files failed to download, they have been ignored, or old ones used instead.

Same results for the curl and gnutls test commands as in Squeeze
(patched or not).
More light is shed when the /etc/apt/apt.conf.d/client-cert is edited
to remove the line forcing SSLv3:

With the patched packages installed:

r...@dwarf:~# cat /etc/apt/apt.conf.d/client-cert
Acquire {
  https {
    Verify-Peer "false";
    CaPath "/etc/ssl/certs";
    Verify-Host "false";
    AllowRedirect "true";
    SslCert "/etc/apt/client-certs/client.apt-test.aviatis.com.crt";
    SslKey "/etc/apt/client-certs/client.apt-test.aviatis.com.key";
  }
}

r...@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  gnutls_handshake() failed: Decryption has failed.
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  gnutls_handshake() failed: Decryption has failed.
E: Some index files failed to download, they have been ignored, or old ones used instead.

handshake blamed with the patch

r...@dwarf:~# dpkg -l | grep curl
ii curl 7.21.0-1.1 Get a file from an HTTP, HTTPS or FTP server
ii libcurl3 7.21.0-1.1 Multi-protocol file transfer library (OpenSSL)
ii libcurl3-gnutls 7.21.0-1.1 Multi-protocol file transfer library (GnuTLS)

Downgrading back to Squeeze:

Setting up libcurl3 (7.21.0-1) ...
Setting up curl (7.21.0-1) ...
Setting up libcurl3-gnutls (7.21.0-1) ...
r...@dwarf:~# apt-get update
Hit http://ftp.uk.debian.org testing Release.gpg
Ign http://ftp.uk.debian.org/debian/ testing/main Translation-en
Hit http://ftp.uk.debian.org testing Release
Hit http://ftp.uk.debian.org testing/main Sources/DiffIndex
Hit http://ftp.uk.debian.org testing/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze Release.gpg
Ign https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/ squeeze/main Translation-en
Ign https://apt-test.aviatis.com squeeze Release
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages/DiffIndex
Ign https://apt-test.aviatis.com squeeze/main amd64 Packages
Err https://apt-test.aviatis.com squeeze/main amd64 Packages
  SSL connection timeout
W: Failed to fetch https://apt-test.aviatis.com/apt-cacher/ftp.us.debian.org/debian/dists/squeeze/main/binary-amd64/Packages.gz  SSL connection timeout
E: Some index files failed to download, they have been ignored, or old ones used instead.

timeout blamed without the patch.

So the patch certainly has the effect of making the test apt source
usable under the original test conditions and it remains unusable
without the patch or with packages from unstable but it leaves me
uncertain about how much of this is down to the specific configuration
of these test conditions. (All testing of this bug has involved this
one test configuration.)

It works but I'd be happier if someone could explain what is actually
happening and why....

-- 
Neil Williams
=============
http://www.linux.codehelp.co.uk/