
touch-packages team mailing list archive

[Bug 1397685] Re: git gnutls_handshake() failed: A TLS packet with unexpected length was received.

 

Performing https configuration verification on git.fedorahosted.org:

On Trusty 14.04 LTS, the default gnutls implementation is old 2.6 based:

$ gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero  | certtool --verify-chain
Certificate[0]: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
	Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Verifying against certificate[1].
	Verification output: Verified.

Certificate[1]: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Issued by: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
certtool: the last certificate is not self signed

$ echo $?
1

It does not appear to verify the published chain.

Utopic 14.10 uses gnutls 3.x series by default:

# gnutls-cli -V --print-cert -p 443 git.fedorahosted.org </dev/zero  | certtool --verify-chain
*** Fatal error: Error in the certificate.
*** Handshake has failed
GnuTLS error: Error in the certificate.
Loaded 2 certificates, 1 CAs and 0 CRLs

	Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
	Output: Not verified. The certificate is NOT trusted. The certificate issuer is unknown. 

	Subject: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
	Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Output: Verified. The certificate is trusted. 

	Subject: C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org
	Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Checked against: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA
	Output: Verified. The certificate is trusted. 

Chain verification output: Verified. The certificate is trusted.

(utopic-amd64)root@djledkov-mobl1:/tmp# echo $?
0

Which appears to be trusted. This looks odd, but not fatal as fresh
trusty-amd64 in a chroot does seem to be operating correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1397685

Title:
  git gnutls_handshake() failed: A TLS packet with unexpected length was
  received.

Status in git package in Ubuntu:
  New
Status in gnutls26 package in Ubuntu:
  New
Status in gnutls28 package in Ubuntu:
  New

Bug description:
  Platform: Ubuntu 14.04, ppc64le (Power 8 LE), git version: 1:1.9.1-1
  When accessing a public repository over HTTPS, I get the following error:
  $ git clone --no-checkout https://git.fedorahosted.org/git/lvm2.git lvm2
  Cloning into 'lvm2'...
  fatal: unable to access 'https://git.fedorahosted.org/git/lvm2.git/': gnutls_handshake() failed: A TLS packet with unexpected length was received.

  Accessing the same public repository from a different machine running
  in a different network - also Ubuntu 14.04, but running on x86-64, the
  commands executed with no errors. Both platforms have the same git
  version (dpkg -l | grep git)

  I checked online for an explanation. Found this:
  http://askubuntu.com/questions/186847/error-gnutls-handshake-falied-when-connecting-to-https-servers

  According to that, Gnu TLS may have some issues when proxies
  (firewalls?) are present on the network path to the repositories. The
  recommended solution is to rebuild git using OpenSSL instead of TLS. I
  tried it and got to a different error ("Unknown SSL protocol error").

  Can you please fix git to make it work correctly?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/git/+bug/1397685/+subscriptions
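
An added example, not part of the original message or of GnuTLS: a small Python helper that reads the Subject/Issuer lines certtool 3.x prints in the comment above, orders the chain leaf-first, and reports which issuer the local trust store has to supply. It compares DN strings only and checks no signatures; the function names are hypothetical and the sample text is assembled from the DNs shown in that output.

```python
import re

# Sample input: Subject/Issuer lines as certtool 3.x printed them in the message
# above (the intermediate appears twice there, so it is repeated here too).
INTER = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert SHA2 High Assurance Server CA"
ROOT = "C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA"
LEAF = "C=US,ST=North Carolina,L=Raleigh,O=Red Hat Inc.,CN=*.fedorahosted.org"
SAMPLE = (
    f"\tSubject: {INTER}\n\tIssuer: {ROOT}\n\tOutput: Not verified.\n\n"
    f"\tSubject: {INTER}\n\tIssuer: {ROOT}\n\tChecked against: {INTER}\n\n"
    f"\tSubject: {LEAF}\n\tIssuer: {INTER}\n\tChecked against: {INTER}\n"
)

PAIR = re.compile(r"^\s*Subject:\s*(.+?)\s*\n\s*Issuer:\s*(.+?)\s*$", re.M)

def parse_pairs(text):
    """Return unique (subject, issuer) DN pairs in order of first appearance."""
    seen = []
    for pair in PAIR.findall(text):
        if pair not in seen:
            seen.append(pair)
    return seen

def build_chain(pairs):
    """Order subjects leaf-first by name; also return the top certificate's issuer."""
    by_subject = dict(pairs)
    # A leaf is a subject that no *other* certificate names as its issuer.
    leaves = [s for s, _ in pairs
              if not any(iss == s and sub != s for sub, iss in pairs)]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain, cur = [], leaves[0]
    while cur in by_subject and cur not in chain:  # stop at a gap or a self-signed cert
        chain.append(cur)
        cur = by_subject[cur]
    return chain, cur

def missing_anchor(text):
    """Issuer DN the trust store must supply, or None if the chain ends self-signed."""
    chain, top_issuer = build_chain(parse_pairs(text))
    return None if top_issuer == chain[-1] else top_issuer

if __name__ == "__main__":
    chain, _ = build_chain(parse_pairs(SAMPLE))
    print("served chain (leaf first):", *chain, sep="\n  ")
    print("needs trust anchor:", missing_anchor(SAMPLE))
```
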

