On Tue, Aug 26, 2025 at 06:48:33PM +0200, Gregor Jasny wrote:
> Package: apt-transport-https
> Version: 3.1.4
> Severity: normal
> X-Debbugs-Cc: [email protected]
>
> Hello,
>
> there seems to be a regression in Trixie (probably since the switch
> to OpenSSL) in the CAInfo handling.
>
> I created a reproducer here:
> https://salsa.debian.org/gjasny-guest/debian-apt-cafile
>
> Copy for the archive:
> ---
> FROM debian:13
> ENV DEBIAN_FRONTEND=noninteractive
> RUN sed -i'' -e 's,http://deb.debian.org,https://debian.inf.tu-dresden.de,g' /etc/apt/sources.list.d/debian.sources
> ADD rootca.pem /etc/rootca.pem
> RUN echo 'Acquire::https::debian.inf.tu-dresden.de::CAInfo "/etc/rootca.pem";' > /etc/apt/apt.conf.d/99-root-ca
> RUN apt-get update
> RUN apt-get install -y ca-certificates
> ---
>
> It works with Debian 12 and fails with Debian 13. (I need that functionality
> for a company internal APT repository, not debian.inf.tu-dresden.de.)
>
> Could you please take a look at what's happening?

The file is being loaded by SSL_CTX_load_verify_file(), the rest is
OpenSSL's doing. I do not have further information.

Please note that we generally do not ship stable updates for APT, so
any fix will only be available in Debian 14 - please test your use
cases before a release to ensure you can use the next release.

(release team approval for stable updates is hard to get)

-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en

