06-27-2011, 03:00 PM
Mel Collins

apt-transport-https not sending client certificate

Hi all,
I'm having a frustrating time trying to get apt to connect to a
(local) server using SSL client certificate authentication.

My apt config file looks like this:

    Acquire {
      https {
        localhost {
          Verify-Peer "true";
          Verify-Host "true";
          CaInfo "/tmp/certs/ca/ca.crt";

          SslCert "/tmp/certs/client.crt";
          SslKey "/tmp/certs/client.key";
        };
      };
    };

(the server uses a certificate from a self-signed CA, hence the CaInfo)
The sources.list line is:

    deb https://localhost:8443/deb test foo bar

Yet when I try an `aptitude update`, the server complains that no
client certificate was supplied ("SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate"). Thence, with the debug option turned on,
aptitude says:

    * gnutls_handshake() failed: Error in the push function.

I've checked using Wireshark and, indeed, the client doesn't supply
any certificate during the SSL handshake ("Handshake protocol:
Certificate | Certificates length: 0").

I can run:

    $ curl --insecure --cert "certs/client.crt" --key "certs/client.key" \
        --include "https://localhost:8443/"

or

    $ gnutls-cli -V --insecure -p 8443 --x509certfile certs/client.crt \
        --x509keyfile certs/client.key 127.0.0.1

and in both cases the same client certificate gets sent, and accepted
by the server.

I've been working mostly with Ubuntu 10.04 (apt 0.7.25.3ubuntu9.5),
but the behaviour is the same using the latest apt in testing (as of
yesterday; 0.8.14.1).

I guess I must be doing something wrong/unusual, but I've run out of
ideas for things to try.
The only thing I can think of, given that both curl and gnutls-cli
work, is that some parameter is passed/defaulted by the https
transport which checks something my certs don't pass, so it silently
ignores them. But I looked through https.cc, and couldn't see anything
obvious (not that I know C very well), and silently ignoring a cert
seems too wonky to be likely.

Does anyone have any ideas?

Takk,
- Mel
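
An added example, not part of the original post and not apt's own code: it flattens the nested apt.conf block syntax shown above into `Acquire::https::<host>::<option>` keys and resolves which TLS options apply to the host in a sources.list line. It assumes the https transport looks options up under the URI's host name without the port and falls back to the unscoped `Acquire::https::<option>`; the function names and sample strings are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input mirroring the stanza and sources.list line in the post.
APT_CONF = '''Acquire { https { localhost {
    Verify-Peer "true"; Verify-Host "true";
    CaInfo "/tmp/certs/ca/ca.crt";
    SslCert "/tmp/certs/client.crt";
    SslKey "/tmp/certs/client.key";
}; }; };'''
SOURCES_LINE = "deb https://localhost:8443/deb test foo bar"

# group 1: quoted string, group 2: punctuation, group 3: bare word
TOKEN = re.compile(r'"([^"]*)"|([{};])|([^\s{};"]+)')

def flatten(text):
    """Flatten apt.conf blocks to {'A::B::C': value}; lists and comments are not handled."""
    out, scope, pending = {}, [], None
    for m in TOKEN.finditer(text):
        tok, kind = m.group(m.lastindex), m.lastindex
        if kind == 2 and tok == "{":      # the pending name opens a new scope
            scope.append(pending)
            pending = None
        elif kind == 2 and tok == "}":
            scope.pop()
        elif kind == 2:                   # ';' ends a statement
            pending = None
        elif pending is None:             # first token of a statement is its name
            pending = tok
        else:                             # second token is its value
            out["::".join(scope + [pending])] = tok
    return out

def client_tls_settings(conf, sources_line):
    """Return (host, {option: (config key, value)}) for the URI in a sources.list line."""
    by_lower = {k.lower(): (k, v) for k, v in conf.items()}  # apt keys are case-insensitive
    uri = next(field for field in sources_line.split() if "://" in field)
    host = urlsplit(uri).hostname         # assumption: scope key is the host, no port
    found = {}
    for opt in ("Verify-Peer", "Verify-Host", "CaInfo", "SslCert", "SslKey"):
        for key in (f"Acquire::https::{host}::{opt}", f"Acquire::https::{opt}"):
            if key.lower() in by_lower:
                found[opt] = by_lower[key.lower()]
                break
    return host, found

if __name__ == "__main__":
    host, found = client_tls_settings(flatten(APT_CONF), SOURCES_LINE)
    for opt, (key, val) in found.items():
        print(f"{host}: {opt} = {val}  (from {key})")
```

A host-scoped block only applies when the URI's host matches it exactly, so the same configuration resolves no `SslCert` or `SslKey` for a sources.list entry that points at `127.0.0.1` instead of `localhost`.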


 
06-28-2011, 10:19 AM
Andrei POPESCU

apt-transport-https not sending client certificate

On Lu, 27 iun 11, 17:00:33, Mel Collins wrote:
> Hi all,
> I'm having a frustrating time trying to get apt to connect to a
> (local) server using SSL client certificate authentication.

Just out of curiosity, but why are you doing this?

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
