Performing HTTPS configuration verification on git.fedorahosted.org:

On Trusty 14.04 LTS, the default gnutls implementation is old, 2.6-based:

$ gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero | certtool --verify-chain
Certificate[0]: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Verifying against certificate[1].
Verification output: Verified.

Certificate[1]: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
certtool: the last certificate is not self signed
$ echo $?
1

It does not appear to verify the published chain.

Utopic 14.10 uses the gnutls 3.x series by default:

# gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero | certtool --verify-chain
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Loaded 2 certificates, 1 CAs and 0 CRLs

Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown.

Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Output: Verified. The certificate is trusted.

Subject: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
Output: Verified. The certificate is trusted.

Chain verification output: Verified. The certificate is trusted.

(utopic-amd64)root@djledkov-mobl1:/tmp# echo $?
0

Which appears to be trusted.

This looks odd, but not fatal, as a fresh trusty-amd64 in a chroot does seem to be operating correctly.

--
https://bugs.launchpad.net/bugs/1397685

Title:
  git gnutls_handshake() failed: A TLS packet with unexpected length was received.

Status in git package in Ubuntu: New
Status in gnutls26 package in Ubuntu: New
Status in gnutls28 package in Ubuntu: New

Bug description:
  Platform: Ubuntu 14.04, ppc64le (Power 8 LE), git version: 1:1.9.1-1

  When accessing a public repository over HTTPS, I get the following error:

  $ git clone --no-checkout https://git.fedorahosted.org/git/lvm2.git lvm2
  Cloning into 'lvm2'...
  fatal: unable to access 'https://git.fedorahosted.org/git/lvm2.git/': gnutls_handshake() failed: A TLS packet with unexpected length was received.

  Accessing the same public repository from a different machine running in a different network - also Ubuntu 14.04, but running on x86-64, the commands executed with no errors.

  Both platforms have the same git version (dpkg -l | grep git)

  I checked online for an explanation. Found this:
  http://askubuntu.com/questions/186847/error-gnutls-handshake-falied-when-connecting-to-https-servers

  According to that, GnuTLS may have some issues when proxies (firewalls?) are present on the network path to the repositories. The recommended solution is to rebuild git using OpenSSL instead of TLS. I tried it and got to a different error ("Unknown SSL protocol error").

  Can you please fix git to make it work correctly?