On Fri, Feb 08, 2008 at 08:18:35AM +0100, Mike Hommey wrote:
> On Thu, Feb 07, 2008 at 07:32:39PM -0500, Jeff King wrote:
> > On Thu, Feb 07, 2008 at 11:02:43PM +0100, Mike Hommey wrote:
> > >
> > > Sorry, I've had trouble opening my eyes and actually reading messages I
> > > reply to... anyways, I tried to reproduce with curl-gnutls and...
> > > couldn't... How did you manage that ? Is the server you were trying on
> > > public ? Do you have any http.ssl* variables set in your configuration ?
> >
> > No, my test repo is not public. I have no special ssl configuration
> > (though I do use GIT_SSL_NO_VERIFY=1 since I just had a test self-signed
> > cert). The exact recipe on my Debian system is:
> >
> (...)
>
> Okay, I've been able to reproduce the problem. I don't know what I've
> been doing wrong to have it hidden...
>
> Anyways, the interesting thing is to look at what curl has to say in its
> verbose mode:
(...)
>
> So, it looks like either gnutls or curl is doing something wrong and
> can't parse /etc/ssl/certs/ca-certificates.crt a second time. This
> looks like a bug in either curl or gnutls.
>
> A simplified testcase would probably be to do two requests in a row, but
> I don't have time right now to do this testing.

I'm making myself a liar, but I took some few more minutes to test
something like:

diff --git a/http.c b/http.c index d2c11ae..001b1c4 100644 --- a/http.c +++ b/http.c
@@ -186,7 +186,7 @@ static CURL* get_curl_handle(void) if (ssl_capath != NULL) curl_easy_setopt(result, CURLOPT_CAPATH, ssl_capath); #endif - if (ssl_cainfo != NULL) +// if (ssl_cainfo != NULL) curl_easy_setopt(result, CURLOPT_CAINFO, ssl_cainfo); curl_easy_setopt(result, CURLOPT_FAILONERROR, 1);

And the result is interesting:

GIT_CURL_VERBOSE=1 git fetch
* Couldn't find host localhost in the .netrc file, using defaults
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8443 (#0)
* server certificate verification FAILED
* common name: localhost (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: C=GB,ST=Some-State,L=Some-Locality,O=One Organization,OU=One Organization Unit,CN=localhost,EMAIL=webmaster@localhost
* start date: Thu, 07 Feb 2008 21:27:36 GMT
* expire date: Sat, 08 Mar 2008 21:27:36 GMT
* issuer: C=GB,ST=Some-State,L=Some-Locality,O=One Organization,OU=One Organization Unit,CN=localhost,EMAIL=webmaster@localhost
* compression: DEFLATE
* cipher: AES 256 CBC
* MAC: SHA
> GET /foo/.git//info/refs HTTP/1.1
User-Agent: git/1.5.4.7.gd8534-dirty
Host: localhost:8443
Accept: */*

< HTTP/1.1 200 OK
< Date: Fri, 08 Feb 2008 07:30:10 GMT
< Server: Apache/2.2.8 (Debian) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8g
< Last-Modified: Fri, 08 Feb 2008 06:52:19 GMT
< ETag: "61d82e-3b-445a0080d0ec0"
< Accept-Ranges: bytes
< Content-Length: 59
< Content-Type: text/plain
<
* Connection #0 to host localhost left intact
* Couldn't find host localhost in the .netrc file, using defaults
* About to connect() to localhost port 8443 (#0)
* Trying 127.0.0.1... * connected
* Connected to localhost (127.0.0.1) port 8443 (#0)
* gnutls_handshake() failed: ASN1 parser: Element was not found.
* Expire cleared
* Closing connection #0
error: gnutls_handshake() failed: ASN1 parser: Element was not found.
(curl_result = 35, http_code = 0, sha1 = e0aa43ffb1a1e7052a936b9ed5e0a1462cfc343e)

So, it looks like either gnutls has a problem reinitializing its ASN1
parser or curl is doing something wrong with gnutls when initializing a
new request.

Mike
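
Review bot: the `if (ssl_cainfo != NULL)` guard before the CURLOPT_CAINFO call in get_curl_handle() is disabled with a `//` comment, so curl_easy_setopt() now receives ssl_cainfo even when it is NULL. That is useful as a diagnostic, but it should not go in as is: passing NULL replaces whatever CA file curl would otherwise use, which changes certificate verification for every user who has not configured one, and the commented-out line leaves the call below it indented as though it were still conditional. For the experiment, keep the guard and add an explicit else branch that sets CURLOPT_CAINFO to NULL, with a comment saying it is there to test the second-request handshake failure.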