On Tue, Mar 26, 2013 at 02:35:56PM +0100, Michael Vogt wrote:

Hi,

> But that is of course not very helpful. You mentioned that the
> gnutls-cli commandline works for you? Could you please provide the
> commandline you used?

I tried with both curl and gnutls-cli:

$ curl --cacert ./ca.crt --key ./client1.key -E ./client1.crt \
    https://HOST:PORT/
$ gnutls-cli --x509cafile ca.crt --x509keyfile client1.key \
    --x509certfile ./client1.crt -p PORT HOST

I have increased the level from your patch to six, and I printed the
return value of setting the Key/cert.

I have looked into the below '-----BEGIN RSA...' thing. My key does not
state RSA/DSA though. I have used "openssl rsa -in client1.key" to
attempt to generate a key that mentions RSA. This makes the output go
away but the error remains the same.

What I noticed is that the 'curl' binary is linking to OpenSSL directly.
So apt-transport-https and curl are most likely not going through the
same code paths for TLS. There doesn't appear to be a curl-dbg package
so there was no easy way to check if OpenSSL is used for TLS.

$ curl -2 ...
curl: (4) OpenSSL was built without SSLv2 support

So something between CURL and GNUtls is going wrong. Is there a way to
build the https transport to use OpenSSL? Or to have a curl binary that
is using GNUtls?

Ideas?

Log Output:

CERT CODE 0
KEY CODE 0
* About to connect() to HOST port PORT (#13)
* Trying IP...
Ign http://download.opensuse.org ./ Translation-en_US
99% [Working]* Connected to HOST (IP) port PORT (#13)
* found 1 certificates in /home/ich/cert/ca.crt
|<4>| REC[0x92df820]: Allocating epoch #0
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:453
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:387
|<2>| Falling back to PKCS #8 key decoding
|<2>| ASSERT: gnutls_constate.c:695
|<4>| REC[0x92df820]: Allocating epoch #1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: DHE_DSS_ARCFOUR_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_128_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_CAMELLIA_128_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_AES_256_CBC_SHA256
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_CAMELLIA_256_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_3DES_EDE_CBC_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_ARCFOUR_SHA1
|<3>| HSK[0x92df820]: Keeping ciphersuite: RSA_ARCFOUR_MD5
|<2>| EXT[0x92df820]: Sending extension SERVER NAME (26 bytes)
|<2>| EXT[0x92df820]: Sending extension SAFE RENEGOTIATION (1 bytes)
|<2>| EXT[SIGA]: sent signature algo (4.2) DSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (4.1) RSA-SHA256
|<2>| EXT[SIGA]: sent signature algo (2.1) RSA-SHA1
|<2>| EXT[SIGA]: sent signature algo (2.2) DSA-SHA1
|<2>| EXT[0x92df820]: Sending extension SIGNATURE ALGORITHMS (10 bytes)
|<3>| HSK[0x92df820]: CLIENT HELLO was sent [142 bytes]
|<6>| BUF[HSK]: Inserted 142 bytes of Data
|<4>| REC[0x92df820]: Sending Packet[0] Handshake(22) with length: 142
|<4>| REC[0x92df820]: Sent Packet[1] Handshake(22) with length: 147
Ign http://download.opensuse.org ./ Translation-en
99% [Working]|<4>| REC[0x92df820]: Expected Packet[0] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[0] Handshake(22) with length: 85
|<4>| REC[0x92df820]: Decrypted Packet[0] Handshake(22) with length: 85
|<6>| BUF[HSK]: Inserted 85 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER HELLO was received [85 bytes]
|<6>| BUF[REC][HD]: Read 81 bytes of Data(22)
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 81 bytes of Data
|<3>| HSK[0x92df820]: Server's version: 3.1
|<3>| HSK[0x92df820]: SessionID length: 32
|<3>| HSK[0x92df820]: SessionID: a7e8d3bd63f33820cb9f10e3e666c246a3caddd04662e279b51306d79746dd17
|<3>| HSK[0x92df820]: Selected cipher suite: DHE_RSA_AES_128_CBC_SHA1
|<2>| EXT[0x92df820]: Parsing extension 'SERVER NAME/0' (0 bytes)
|<2>| EXT[0x92df820]: Parsing extension 'SAFE RENEGOTIATION/65281' (1 bytes)
|<3>| HSK[0x92df820]: Safe renegotiation succeeded
|<4>| REC[0x92df820]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[1] Handshake(22) with length: 2505
|<2>| ASSERT: gnutls_buffers.c:649
|<2>| ASSERT: gnutls_kx.c:694
|<4>| REC[0x92df820]: Expected Packet[1] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[1] Handshake(22) with length: 2505
|<4>| REC[0x92df820]: Decrypted Packet[1] Handshake(22) with length: 2505
|<6>| BUF[HSK]: Inserted 2505 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: CERTIFICATE was received [2505 bytes]
|<6>| BUF[REC][HD]: Read 2501 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 227 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 2501 bytes of Data
|<2>| ASSERT: ext_signature.c:393
|<2>| ASSERT: ext_signature.c:393
|<4>| REC[0x92df820]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[2] Handshake(22) with length: 525
|<2>| ASSERT: gnutls_buffers.c:649
|<2>| ASSERT: gnutls_kx.c:382
|<4>| REC[0x92df820]: Expected Packet[2] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[2] Handshake(22) with length: 525
|<4>| REC[0x92df820]: Decrypted Packet[2] Handshake(22) with length: 525
|<6>| BUF[HSK]: Inserted 525 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER KEY EXCHANGE was received [525 bytes]
|<6>| BUF[REC][HD]: Read 521 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 2505 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 521 bytes of Data
|<4>| REC[0x92df820]: Expected Packet[3] Handshake(22) with length: 1
|<4>| REC[0x92df820]: Received Packet[3] Handshake(22) with length: 163
|<4>| REC[0x92df820]: Decrypted Packet[3] Handshake(22) with length: 163
|<6>| BUF[HSK]: Inserted 163 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: CERTIFICATE REQUEST was received [159 bytes]
|<6>| BUF[REC][HD]: Read 155 bytes of Data(22)
|<6>| BUF[HSK]: Peeked 525 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<6>| BUF[HSK]: Inserted 155 bytes of Data
|<2>| ASSERT: auth_cert.c:237
|<6>| BUF[REC][HD]: Read 1 bytes of Data(22)
|<6>| BUF[REC][HD]: Read 3 bytes of Data(22)
|<3>| HSK[0x92df820]: SERVER HELLO DONE was received [4 bytes]
|<6>| BUF[HSK]: Peeked 159 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<6>| BUF[HSK]: Inserted 4 bytes of Data
|<3>| HSK[0x92df820]: CERTIFICATE was sent [7 bytes]
|<6>| BUF[HSK]: Peeked 4 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<3>| HSK[0x92df820]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[0x92df820]: Sending Packet[1] Handshake(22) with length: 7
|<4>| REC[0x92df820]: Sent Packet[2] Handshake(22) with length: 12
|<4>| REC[0x92df820]: Sending Packet[2] Handshake(22) with length: 134
|<4>| REC[0x92df820]: Sent Packet[3] Handshake(22) with length: 139
|<3>| REC[0x92df820]: Sent ChangeCipherSpec
|<4>| REC[0x92df820]: Sending Packet[3] Change Cipher Spec(20) with length: 1
|<4>| REC[0x92df820]: Sent Packet[4] Change Cipher Spec(20) with length: 6
|<4>| REC[0x92df820]: Initializing epoch #1
|<4>| REC[0x92df820]: Epoch #1 ready
|<3>| HSK[0x92df820]: Cipher Suite: DHE_RSA_AES_128_CBC_SHA1
|<3>| HSK[0x92df820]: Initializing internal [write] cipher sessions
|<4>| REC[0x92df820]: Start of epoch cleanup
|<4>| REC[0x92df820]: End of epoch cleanup
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<3>| HSK[0x92df820]: recording tls-unique CB (send)
|<3>| HSK[0x92df820]: FINISHED was sent [16 bytes]
|<6>| BUF[HSK]: Peeked 0 bytes of Data
|<6>| BUF[HSK]: Emptied buffer
|<4>| REC[0x92df820]: Sending Packet[0] Handshake(22) with length: 16
|<4>| REC[0x92df820]: Sent Packet[1] Handshake(22) with length: 133
|<2>| ASSERT: ext_session_ticket.c:710
|<2>| ASSERT: gnutls_handshake.c:2933
|<4>| REC[0x92df820]: Expected Packet[4] Change Cipher Spec(20) with length: 1
|<4>| REC[0x92df820]: Received Packet[4] Alert(21) with length: 2
|<4>| REC[0x92df820]: Decrypted Packet[4] Alert(21) with length: 2
|<4>| REC[0x92df820]: Alert[2|40] - Handshake failed - was received
|<2>| ASSERT: gnutls_record.c:726
|<2>| ASSERT: gnutls_record.c:1122
|<2>| ASSERT: gnutls_handshake.c:2933
|<2>| ASSERT: gnutls_handshake.c:3139
|<6>| BUF[HSK]: Cleared Data from buffer
* gnutls_handshake() failed: Handshake failed
* Closing connection 13
|<2>| ASSERT: gnutls_record.c:276
|<6>| BUF[HSK]: Cleared Data from buffer
|<4>| REC[0x92df820]: Epoch #0 freed
|<4>| REC[0x92df820]: Epoch #1 freed
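
Added example, not part of the original message: a small Python triage of GnuTLS debug output in the format shown above. It lists the handshake messages in order and flags a client Certificate message of exactly 7 bytes sent after a CertificateRequest (a 4-byte handshake header plus a 3-byte certificate-list length of zero, so no certificate is included), together with any fatal alert; the function and constant names are illustrative, and the sample lines are copied from the log.

```python
import re

# Six lines copied from the GnuTLS debug log in the message above.
SAMPLE_LOG = """\
|<3>| HSK[0x92df820]: CERTIFICATE REQUEST was received [159 bytes]
|<3>| HSK[0x92df820]: SERVER HELLO DONE was received [4 bytes]
|<3>| HSK[0x92df820]: CERTIFICATE was sent [7 bytes]
|<3>| HSK[0x92df820]: CLIENT KEY EXCHANGE was sent [134 bytes]
|<3>| HSK[0x92df820]: FINISHED was sent [16 bytes]
|<4>| REC[0x92df820]: Alert[2|40] - Handshake failed - was received
"""

# First alternative: handshake messages. Second: alerts received from the peer.
TOKEN_RE = re.compile(
    r"HSK\[0x[0-9a-f]+\]: (?P<msg>[A-Z ]+?) was (?P<dir>sent|received) "
    r"\[(?P<len>\d+) bytes\]"
    r"|Alert\[(?P<level>\d+)\|(?P<desc>\d+)\] - (?P<text>.+?) - was received"
)

# Handshake header (1-byte type + 3-byte length) plus the 3-byte
# certificate_list length field: a Certificate message this size is empty.
EMPTY_CERT_MSG_LEN = 4 + 3
FATAL = 2  # TLS alert level "fatal"


def triage(log_text):
    """Return (events, findings) for GnuTLS debug output, in log order."""
    events, findings = [], []
    cert_requested = False
    for m in TOKEN_RE.finditer(log_text):
        if m.group("msg"):
            msg, direction = m.group("msg"), m.group("dir")
            size = int(m.group("len"))
            events.append((direction, msg, size))
            if (direction, msg) == ("received", "CERTIFICATE REQUEST"):
                cert_requested = True
            elif (direction, msg) == ("sent", "CERTIFICATE"):
                if cert_requested and size == EMPTY_CERT_MSG_LEN:
                    findings.append("client sent an empty Certificate "
                                    "message after CertificateRequest")
        else:
            level, desc = int(m.group("level")), int(m.group("desc"))
            events.append(("received", f"ALERT {level}|{desc}", 0))
            if level == FATAL:
                findings.append(f"fatal alert {desc} ({m.group('text')}) received")
    return events, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[1]:
        print(finding)
```

The byte counts GnuTLS prints include the 4-byte handshake header, which the `SERVER HELLO DONE was received [4 bytes]` line (a message with an empty body) confirms.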