On Fri, Feb 08, 2008 at 08:18:35AM +0100, Mike Hommey wrote:
> On Thu, Feb 07, 2008 at 07:32:39PM -0500, Jeff King wrote:
> > On Thu, Feb 07, 2008 at 11:02:43PM +0100, Mike Hommey wrote:
> >
> > > Sorry, I've had trouble opening my eyes and actually reading messages I
> > > reply to... anyways, I tried to reproduce with curl-gnutls and...
> > > couldn't... How did you manage that ? Is the server you were trying on
> > > public ? Do you have any http.ssl* variables set in your configuration ?
> >
> > No, my test repo is not public. I have no special ssl configuration
> > (though I do use GIT_SSL_NO_VERIFY=1 since I just had a test self-signed
> > cert). The exact recipe on my Debian system is:
> >
> (...)
>
> Okay, I've been able to reproduce the problem. I don't know what I've
> been doing wrong to have it hidden...
>
> Anyways, the interesting thing is to look at what curl has to say in its
> verbose mode:
(...)
>
> So, it looks like either gnutls or curl is doing something wrong and
> can't parse /etc/ssl/certs/ca-certificates.crt a second time. This
> looks like a bug in either curl or gnutls.
>
> A simplified testcase would probably be to do two requests in a row, but
> I don't have time right now to do this testing.
I'm making myself a liar, but I took some few more minutes to test
something like:
diff --git a/http.c b/http.c
index d2c11ae..001b1c4 100644
--- a/http.c
+++ b/http.c
@@ -186,7 +186,7 @@ static CURL* get_curl_handle(void)
if (ssl_capath != NULL)
curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath);
#endif
- if (ssl_cainfo != NULL)
+// if (ssl_cainfo != NULL)
curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo);
curl_easy_setopt(result, CURLOPT_FAILONERROR, 1);
And the result is interesting:
GIT_CURL_VERBOSE=1 git fetch
* Couldn't find host localhost in the .netrc file, using defaults
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8443 (#0)
* server certificate verification FAILED
* common name: localhost (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: C=GB,ST=Some-State,L=Some-Locality,O=One Organization,OU=One Organization Unit,CN=localhost,EMAIL=webmaster@localhost
* start date: Thu, 07 Feb 2008 21:27:36 GMT
* expire date: Sat, 08 Mar 2008 21:27:36 GMT
* issuer: C=GB,ST=Some-State,L=Some-Locality,O=One Organization,OU=One Organization Unit,CN=localhost,EMAIL=webmaster@localhost
* compression: DEFLATE
* cipher: AES 256 CBC
* MAC: SHA
> GET /foo/.git//info/refs HTTP/1.1
User-Agent: git/1.5.4.7.gd8534-dirty
Host: localhost:8443
Accept: */*
< HTTP/1.1 200 OK
< Date: Fri, 08 Feb 2008 07:30:10 GMT
< Server: Apache/2.2.8 (Debian) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8g
< Last-Modified: Fri, 08 Feb 2008 06:52:19 GMT
< ETag: "61d82e-3b-445a0080d0ec0"
< Accept-Ranges: bytes
< Content-Length: 59
< Content-Type: text/plain
<
* Connection #0 to host localhost left intact
* Couldn't find host localhost in the .netrc file, using defaults
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8443 (#0)
* gnutls_handshake() failed: ASN1 parser: Element was not found.
* Expire cleared
* Closing connection #0
error: gnutls_handshake() failed: ASN1 parser: Element was not found. (curl_result = 35, http_code = 0, sha1 = e0aa43ffb1a1e7052a936b9ed5e0a1462cfc343e)
So, it looks like either gnutls has a problem reinitializing its ASN1
parser or curl is doing something wrong with gnutls when initializing a
new request.
Mike
-
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
