apt/methods/connect.cc, branch 1.5

apt/methods/connect.cc, branch 1.5_beta1 Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.5_beta1 2017-07-03T13:06:26Z don't set ip addresses as server names for SNI 2017-07-03T13:06:26Z David Kalnischkies david@kalnischkies.de 2017-06-30T11:10:03Z urn:sha1:405189f2a794ded622a4ae3a83a9b70917faf894 It is kinda unlikely that apt will ever encounter a certificate for an IP and a user actually using it, but the API documentation for gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are not permitted to be set by this function.", so we should follow it. [jak@d.o: Slightly rebased] Swap file descriptors before the handshake 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:33:15Z urn:sha1:f3b9e58cc5e6878daff9cf127bd00587d1f715d3 This makes more sense. If the handshake failed midway, we still should run the gnutls bye stuff. The thinking here is to only set the fd after the session setup, as we do not modify it before, so if it fails in session setup, you retain a usable file descriptor. Gbp-Dch: ignore Do not error out, only warn if ca certificates are not available 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:31:41Z urn:sha1:55673e5476f86ffae8969bfc3a47237f3eeb7720 This probably makes more sense if Verify-Peer is set to off. tls: Add more details to error messages, and detect more errors 2017-07-03T13:06:26Z Julian Andres Klode jak@debian.org 2017-07-03T12:29:37Z urn:sha1:a742bac161759e2b265a4d4d5f5527f6035d8e58 This should make it easier to figure out what was going on. Make Verify-Host and Verify-Peer independent again 2017-07-01T13:51:55Z Julian Andres Klode jak@debian.org 2017-07-01T13:51:55Z urn:sha1:9a34c8557ac02e691bc66a5313103569a5e646ac We can actually just pass null as a hostname, so let's just do that when Verify-Host is set to false. TLS support: Error out on unsupported curl options 2017-06-30T15:20:21Z Julian Andres Klode jak@debian.org 2017-06-30T15:20:21Z urn:sha1:6a0e7acbf01e22665d89a9c6556f3a8220a78756 Silently ignoring the options might be a security issue, so produce an error instead. Improve closing the TLS connection 2017-06-30T15:12:11Z Julian Andres Klode jak@debian.org 2017-06-30T15:12:11Z urn:sha1:8f5db6b513b90b6ee5b625131a25b146fa912e0d If gnutls_session_bye() exited with an error, we never closed the underlying file descriptor, causing the method to think the connection was still open. This caused problems especially in test-partial-file-support where we checked that a "complete" file and an incomplete file work. The first GET returns a 416 with Connection: close, and the next GET request then accidentally reads the body of the 416 as the header for its own request. Allow running the TLS stack on any lower connection 2017-06-30T12:57:54Z Julian Andres Klode jak@debian.org 2017-06-30T11:51:32Z urn:sha1:4b1d19fe5619ef46c952ca84531759a981741482 This is especially needed if we use an HTTPS proxy to CONNECT to an HTTPS URI, as we run TLS-inside-TLS then. Reset failure reason when connection was successful 2017-06-30T09:05:48Z Julian Andres Klode jak@debian.org 2017-06-30T09:02:54Z urn:sha1:d3a70c3e5ae68a0e5a3d4667dd1d0fc0887e6263 When APT was trying multiple addresses, any later error somewhere else would be reported with ConnectionRefused or ConnectionTimedOut as the FailReason because that was set by early connect attempts. This causes APT to handle the failures differently, leading to some weirdly breaking test cases (like the changed one). Add debugging to the previously failing test case so we can find out when something goes wrong there again. Don't read CaInfo if not specified (missing else) 2017-06-30T07:46:29Z Julian Andres Klode jak@debian.org 2017-06-30T07:46:29Z urn:sha1:425e2dff0e4013edac6663a34a6359c98f4e8477 This fixes a regression from ~alpha2. Closes: #866559 Gbp-Dch: Full