Marco Amadori <amado...@vdavda.com> writes: > Package: libgnutls26 > Severity: important > Version: 2.4.2-6+lenny1 > Tags: lenny > > When using apt-transport-https to fetch packages from a https web server > configured with required client authentication (apt options Acquire:: > {CaInfo,SslCert,SslKey}), an apt-operation will fail with misleading message: > > ---- * ---- > # apt-get update > [...] > Err https://debian.<privateurl> lenny/main Packages > Sub-process bzip2 returned an error code (2) > Fetched 140B in 0s (248B/s) > W: GPG error: https://debian.<privateurl> lenny Release: The following > signatures were invalid: NODATA 1 NODATA 2 > W: Failed to fetch https://debian.<privateurl>/debian/dists/lenny/main/binary- > i386/Packages.bz2 Sub-process bzip2 returned an error code (2) > > E: Some index files failed to download, they have been ignored, or old ones > used instead. > ---- * ---- > > Upgrading to libgnutls26 to sid's 2.6.5-1 fixes the problem. > > If I disable client authentication on the web server, leaving just https > server authentication (via the cacert), it works even with lenny's version. > > This bug should be probably mentioned on apt-transport-https bug entries too > since the error reported is misleading and since testing curl via command > line > with --cacert, --cert and --key just works (with the same .pem files > specified > in apt.conf*.)
Can you get apt-transport-https to generate debug logs? If there isn't code in it already, you may need to add something like this: static void tls_log_func (int level, const char *str) { fprintf (stderr, "|<%d>| %s", level, str); } gnutls_global_set_log_function (tls_log_func); gnutls_global_set_log_level (4711); It is difficult to debug this further without the information printed by the gnutls log. Thanks, /Simon -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org