retitle 594150 regression in apt-transport-https interop with apt-cacher
reassign 594150 gnutls26
thanks

> My interest is in reducing the RC bug count to get squeeze released.
> So let me ask the questions:
>
> 1. There was a minor bug in curl now fixed upstream and in github; is
> there really an RC bug here?
> 2. If so, is it in curl or in apt-transport-https?

Johannes' original bug report was (paraphrasing): a-t-h in Lenny worked with a particular apt-cacher configuration; a-t-h in Squeeze does not. Johannes believes this to have grave severity and nobody has contradicted that.

According to Neil Williams and Daniel Silverstone (see <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594150#54>), the bug is probably in gnutls26, if anything; the curl bug that Daniel Stenberg recently fixed was just obscuring the cause of failure, by causing a misleading error message.

I've moved the curl upstream and Debian maintainers to Bcc so they'll get this message but not its replies, since this doesn't seem to be a curl issue. Thanks for your help!

On Sun, 14 Nov 2010 at 17:07:24 +0000, Neil Williams wrote:
> gnutls-cli --insecure -p 443
> --x509certfile /etc/apt/client-certs/test-client.apt-test.aviatis.com.crt
> --x509keyfile /etc/apt/client-certs/test-client.apt-test.aviatis.com.key
> apt-test.aviatis.com
[...]
> *** Non fatal error: Rehandshake was requested by the peer.
> *** Received rehandshake request
> *** Fatal error: Unsafe renegotiation denied.
> *** Rehandshake Failed.

That sounds to me as though it might be fallout from CVE-2009-3555. I've reassigned this to gnutls in the hope that one of its maintainers can shed some light on it - if this isn't gnutls' fault, please reassign or close as appropriate.

Johannes, how exactly are you running apt-cacher? Is it running as a CGI or a standalone server or what? Could you publish the configuration of your (very useful) test server somewhere?
In particular, if Apache is involved in serving the cache, where do the SSLVerifyClient and SSLCipherSuite directives appear in your server's configuration, and is it as recommended in <http://www.debian.org/security/2009/dsa-1934>?

Thanks,
Simon
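
The placement question above, as an added example that is not part of the original message: DSA-1934 recommends keeping `SSLVerifyClient` and `SSLCipherSuite` at server or virtual host level, because inside per-directory containers they can make mod_ssl request a rehandshake after the request has been read. This Python script reports the context of each occurrence in an Apache configuration; the sample configuration, its `/apt-cacher` path and the `audit` function name are constructed for illustration.

```python
import re

# Directives the message asks about.
WATCHED = {"sslverifyclient", "sslciphersuite"}
# Containers that create per-directory context (.htaccess is not covered here).
PER_DIR = {"directory", "directorymatch", "location", "locationmatch",
           "files", "filesmatch"}
OPEN_RE = re.compile(r"^<\s*(\w+)\b([^>]*)>$")
CLOSE_RE = re.compile(r"^</\s*(\w+)\s*>$")

# Constructed sample, not the configuration of the server in this report.
SAMPLE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:!aNULL
    <Location /apt-cacher>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

def audit(config_text):
    """Return (line, directive, args, context, per_directory) per watched directive."""
    stack, findings = [], []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE_RE.match(line)
        if closing:
            # Pop only when the closing tag matches the innermost open container.
            if stack and stack[-1][0] == closing.group(1).lower():
                stack.pop()
            continue
        opening = OPEN_RE.match(line)
        if opening:
            stack.append((opening.group(1).lower(), opening.group(2).strip()))
            continue
        name, *rest = line.split(None, 1)
        if name.lower() in WATCHED:
            context = " > ".join(f"{n} {a}".strip() for n, a in stack) or "server"
            per_dir = any(n in PER_DIR for n, _ in stack)
            findings.append((no, name, " ".join(rest), context, per_dir))
    return findings

if __name__ == "__main__":
    for no, name, args, context, per_dir in audit(SAMPLE):
        print(f"line {no}: {name} {args} [{context}] per_directory={per_dir}")
```

A finding with `per_directory=True` is the placement DSA-1934 advises moving to server or virtual host level.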