06-27-2011, 03:00 PM
Mel Collins
apt-transport-https not sending client certificate

Hi all,
I'm having a frustrating time trying to get apt to connect to a
(local) server using SSL client certificate authentication.

My apt config file looks like this:
    Acquire {
      https {
        localhost {
          Verify-Peer "true";
          Verify-Host "true";
          CaInfo "/tmp/certs/ca/ca.crt";

          SslCert "/tmp/certs/client.crt";
          SslKey "/tmp/certs/client.key";
        };
      };
    };
(the server uses a certificate from a self-signed CA, hence the CaInfo)
The sources.list line is:
deb https://localhost:8443/deb test foo bar

Yet when I try an `aptitude update`, the server complains that no
client certificate was supplied ("SSL3_GET_CLIENT_CERTIFICATE:peer did
not return a certificate"). Thence, with the debug option turned on,
aptitude says:
* gnutls_handshake() failed: Error in the push function.

I've checked using Wireshark and, indeed, the client doesn't supply
any certificate during the SSL handshake ("Handshake protocol:
Certificate | Certificates length: 0").

I can run:
$ curl --insecure --cert "certs/client.crt" --key "certs/client.key" \
    --include "https://localhost:8443/"
$ gnutls-cli -V --insecure -p 8443 --x509certfile certs/client.crt \
    --x509keyfile certs/client.key
and in both cases the same client certificate gets sent, and accepted
by the server.

I've been working mostly with Ubuntu 10.04 (apt,
but the behaviour is the same using the latest apt in testing (as of

I guess I must be doing something wrong/unusual, but I've run out of
ideas for things to try.
The only thing I can think of, given that both curl and gnutls-cli
work, is that some parameter is passed/defaulted by the https
transport which checks something my certs don't pass, so it silently
ignores them. But I looked through https.cc, and couldn't see anything
obvious (not that I know C very well), and silently ignoring a cert
seems too wonky to be likely.

Does anyone have any ideas?

- Mel
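
Added example, not part of the original post and not apt's own code: a minimal Python parser for the subset of apt.conf(5) syntax used in the stanza above. It flattens the nested scopes into full `Scope::Name` option names so they can be compared with what `apt-config dump` reports on the client; the closing `};` lines in the sample are assumed.

```python
import re

# Tokens of the apt.conf(5) subset used in the post: "quoted value", { } ;
# and bare names. Comments, lists and #include/#clear are not handled.
TOKEN = re.compile(r'"([^"]*)"|([{};])|([^\s{};"]+)')

# Constructed sample: the values from the post, with the closing "};" lines
# assumed (they are not visible on the page).
SAMPLE = """
Acquire {
  https {
    localhost {
      Verify-Peer "true";
      Verify-Host "true";
      CaInfo "/tmp/certs/ca/ca.crt";
      SslCert "/tmp/certs/client.crt";
      SslKey "/tmp/certs/client.key";
    };
  };
};
"""

def flatten_apt_conf(text):
    """Map each option to its full Scope::Name, as `apt-config dump` prints it."""
    scope, options, name = [], {}, None
    for quoted, punct, word in (m.groups() for m in TOKEN.finditer(text)):
        if word is not None:
            if name is not None:
                raise ValueError(f"unquoted value after {name!r}")
            name = word
        elif quoted is not None:
            if name is None:
                raise ValueError(f"value {quoted!r} has no option name")
            options["::".join(scope + [name])] = quoted
            name = None
        elif punct == "{":
            if name is None:
                raise ValueError("'{' without a scope name")
            scope.append(name)
            name = None
        elif punct == "}":
            if not scope:
                raise ValueError("'}' without an open scope")
            scope.pop()
    if scope:
        raise ValueError("unclosed scope: " + "::".join(scope))
    return options

if __name__ == "__main__":
    for key, value in flatten_apt_conf(SAMPLE).items():
        print(f'{key} "{value}";')
```

If the names printed here differ from what `apt-config dump` shows on the client, apt is not reading the stanza as written.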

06-28-2011, 10:19 AM
apt-transport-https not sending client certificate

On Mon, 27 Jun 11, 17:00:33, Mel Collins wrote:
> Hi all,
> I'm having a frustrating time trying to get apt to connect to a
> (local) server using SSL client certificate authentication.

Just out of curiosity, but why are you doing this?
