Univention Bugzilla – Bug 39603
apt-transport-https does not handle wildcard certificates - libcurl
Last modified: 2015-11-17 12:12:15 CET
Created attachment 7216
pcap

( echo 600 URI Acquire
  echo URI: https://updates.software-univention.de/robots.txt
  echo Filename: /tmp/robots.txt
  echo
  sleep 3
) | /usr/lib/apt/methods/https
400 URI Failure
URI: https://updates.software-univention.de/welcome.msg
Message: gnutls_handshake() failed: A TLS warning alert has been received.

:|gnutls-cli -p 443 updates.software-univention.de|grep -oim1 cn=[^,]*
*** Non fatal error: A TLS warning alert has been received.
CN=*.software-univention.de'
CN=COMODO RSA Organization Validation Secure Server CA'

libcurl-gnutls as used by APT does treat the alerts during the handshake as a fatal error:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685402
https://github.com/bagder/curl/commit/ee3551e45e60856eb0b779aa6cd34d77f16208a5
https://github.com/bagder/curl/commit/2045d83dd3f478f7bb8ef86959a82c96235b2bca
https://github.com/bagder/curl/commit/41eec4efa2a8c653973b25240c5cda81bb12e26f

This happens because <https://updates.software-univention.de/> doesn't recognize the name "updates.software-univention.de" for some reason:
- SNI not working? <https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI>
A modified version of the patches was applied to curl_7.26.0-1+wheezy13.

A full upload is required, as curl is unpatchable: curl_7.26.0-1+wheezy13+ucs1
- debian/rules assumes the last two patches to be "nss" and "gnutls"; they are reverted during build to build 3 variants in total: w/o all, with nss, with GnuTLS.
- our repo-NG build system breaks, if a UCS patch is not applied last in the debian/patches/series file:
  - the source package is unpacked
  - all Debian patches are applied
  - repo-ng then applies the UCS specific patches
  - the Debian patches are un-applied
  - this stops since the "debian/patches/series" file no longer matches ".pc/applied-patches"
  - an unclean source package is generated
  - the partly reverted Debian patches are re-applied
  - the build of the binary package on i386 succeeds
  - the amd64 builder unpacks the unclean source package and fails

# repo_admin.py -F -p curl -r 4.1-0-0
Package: curl
Version: 7.26.0-1+ucs1.62.201510202012
Branch: ucs_4.1-0

r64643 | Bug #39603 GnuTLS: Ignore non-fatal alerts

The package <package>cURL</package> treated warning alerts as fatal during the TLS handshake, which prevented connecting to some <systemitem class="protocol">https://</systemitem> servers using <acronym lang="">SNI</acronym> (<u:bug>39603</u:bug>).

(In reply to Philipp Hahn from comment #0)
...
> This happens because <https://updates.software-univention.de/> doesn't
> recognize the name "updates.software-univention.de" for some reason:
> - SNI not working?
> <https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI>

/etc/apache2/sites-enabled/00_univention:49
ServerName *.software-univention.de

To quote from <https://httpd.apache.org/docs/2.2/en/mod/core.html#serveralias>:
> The ServerAlias *may* *include* *wildcards*, if appropriate

and <https://httpd.apache.org/docs/2.2/en/mod/core.html#servername>:
> ServerName [scheme://]fully-qualified-domain-name[:port]

ServerName *must* be the *canonical* *FQDN* which Apache uses to name itself (for example for redirects). The *wildcard* *must* go to ServerAlias!

As "updates.software-univention.de" is not registered explicitly for that VirtualHost, this breaks SNI!
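The two checks the thread combines, a wildcard name match of the kind libcurl applies to the CN shown by gnutls-cli and a handshake repeated with and without SNI, as an added example written for this page (not code from the bug report, from curl or from UCS). The certificate dict is a constructed sample in the shape Python's getpeercert() returns; the hostname is the one from the report.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real dump);
# it mirrors the wildcard CN the bug report saw via gnutls-cli.
SAMPLE_CERT = {"subject": ((("commonName", "*.software-univention.de"),),),
               "subjectAltName": (("DNS", "*.software-univention.de"),
                                  ("DNS", "software-univention.de"))}

def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style: '*' only as the whole left-most label, covering exactly one
    label (*.example.com matches neither example.com nor a.b.example.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def cert_names(cert: dict) -> list:
    """dNSName SAN entries first, then the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def cert_matches(cert: dict, hostname: str) -> bool:
    return any(wildcard_match(name, hostname) for name in cert_names(cert))

def fetch_peer_cert(host: str, port: int = 443, sni: bool = True) -> dict:
    """Handshake and return the verified peer certificate. With sni=False no
    server_name is sent, the case a misconfigured name-based vhost mishandles."""
    ctx = ssl.create_default_context()
    if not sni:
        ctx.check_hostname = False  # no name was sent, so none can be checked
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys  # usage: python probe.py [hostname]; without a host it stays offline
    if len(sys.argv) > 1:
        for sni in (True, False):
            cert = fetch_peer_cert(sys.argv[1], sni=sni)
            print(f"SNI={sni}: {cert_names(cert)} -> {cert_matches(cert, sys.argv[1])}")
    else:
        print(cert_names(SAMPLE_CERT), cert_matches(SAMPLE_CERT, "updates.software-univention.de"))
```

A vhost whose only registered name is the wildcard shows up as a certificate (or a handshake alert) that differs between the SNI and non-SNI runs, which is the condition the ServerAlias fix above removes.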
(In reply to Philipp Hahn from comment #1)
> A full upload is required, as curl is unpatchable:
> curl_7.26.0-1+wheezy13+ucs1

repo_admin.py broke that version while stripping the '+wheezy13' part.
Re-uploaded as wheezy14.

Package: curl
Version: 7.26.0-1.63.201510202222
Branch: ucs_4.1-0
root@master94:~# dpkg-query -W libcurl3-gnutls
libcurl3-gnutls:amd64	7.26.0-1.63.201510202222

root@master94:~# gnutls-cli -p 443 updates.software-univention.de|grep -oim1 cn=[^,]*
CN=*.software-univention.de'
CN=COMODO RSA Organization Validation Secure Server CA'
^C

root@master94:~# ( echo 600 URI Acquire; echo URI: https://updates.software-univention.de/robots.txt; echo Filename: /tmp/robots.txt; echo; sleep 3; ) | /usr/lib/apt/methods/https
100 Capabilities
Version: 1.2
Pipeline: true
Send-Config: true

200 URI Start
URI: https://updates.software-univention.de/robots.txt
Size: 1

201 URI Done
URI: https://updates.software-univention.de/robots.txt
Filename: /tmp/robots.txt
Size: 24
Last-Modified: Wed, 16 May 2007 06:46:43 GMT
MD5-Hash: b6216d61c03e6ce0c9aea6ca7808f7ca
MD5Sum-Hash: b6216d61c03e6ce0c9aea6ca7808f7ca
SHA1-Hash: c47ccf1a49c24cc5842430aa75c72ef491292412
SHA256-Hash: e5c4b84484ee4216e9373be99380320c25dd94805f99f0a805846f087636553f
SHA512-Hash: 4bfadbddc0c0a2ddbaf36b7e6b3bb725b37e6b0893c034f29bfb18a27e202c0734c561e66c5879c0774153ea92f4f519421f24e2d39d8fb4819069f3b2242645

OK: functional test
OK: correct version in UCS 4.1
OK: version of 4.1-0 contains fixes
OK: changelog.xml
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".