Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=2.7.10 2021-09-13T14:09:19Z 2021-09-13T14:09:19Z David Kalnischkies david@kalnischkies.de 2021-09-12T22:54:38Z urn:sha1:4e04cbafe7db326b52ee650a4f4ccc3444da6890 The settings used for unwrapping TLS connections depend on the access and hostname we connect to more than what we eventually unwrap. The bugreport mentions CaInfo, but all other https-settings should also apply (regardless of generic or hostname specific) to an https proxy, even if the connection we proxy through it is http-only. Closes: #990555 2021-05-12T11:06:11Z Julian Andres Klode julian.klode@canonical.com 2021-05-11T14:04:10Z urn:sha1:2129ffecc084ca772af75418225c5551631e6278 This makes them retriable, and brings them more into line with TCP, where handshake is also a transient error. LP: #1928100 2020-12-22T23:54:14Z Faidon Liambotis paravoid@debian.org 2020-12-22T23:54:14Z urn:sha1:1663774bf309fbd196fd2b9c5c2afdd7a25fd288 The "last connection" cache is currently being stored and looked up on the combination of (LastHost, LastPort). However, these are not what the arguments to getaddrinfo() were on the first try: the call is to getaddrinfo(Host, ServiceNameOrPort, ...), i.e. with the port *or if 0, the service name* (e.g. http). Effectively this means that the connection cache lookup for: https://example.org/... i.e. Host = example.org, Port = 0, Service = http would end up matching the "last" connection of (if existed): https://example.org/... i.e. Host = example.org, Port = 0, Service = https ...and thus performing a TLS request over an (unrelated) port 80 connection. Therefore, an HTTP request, followed up by an (unrelated) HTTPS request to the same server, would always fail. Address this by using as the cache key the ServiceNameOrPort, rather than Port. 2020-12-22T23:51:50Z Faidon Liambotis paravoid@debian.org 2020-12-22T23:51:50Z urn:sha1:8d4b3a4fcead0ca534b5d1c5a99ae2a4c95eee21 Convert the fixed-size (300) char array "ServStr" to a std::string, and simplify the code by removing snprintfs in the process. While at it, rename to the more aptly named "ServiceNameOrPort" and update the comment to reflect what this variable is meant to be. 2019-07-08T13:51:17Z David Kalnischkies david@kalnischkies.de 2019-07-08T13:48:59Z urn:sha1:2b734a7ec429825c7007c1093883229e069d36c7 Reported-By: cppcheck 2019-06-11T12:16:18Z Julian Andres Klode julian.klode@canonical.com 2019-06-11T12:16:18Z urn:sha1:93e0ba2bfde58e6c1fbad53614083be8754d7ee8 apt Debian release 1.8.2 2019-05-21T12:53:01Z Michael Zhivich mzhivich@akamai.com 2019-05-20T19:07:04Z urn:sha1:f3e109d40937dbf90994bcf74b76837ec670205c When accessing repository protected by TLS mutual auth, apt may receive a "re-handshake" request from the server, which must be handled in order for download to proceed. This situation arises when the server requests a client certificate based on the resource path provided in the GET request, after the inital handshake in UnwrapTLS() has already occurred, and a secure connection has been established. This issue has been observed with Artifactory-backed Debian repository. To address the issue, split TLS handshake code out into its own method in TlsFd, and call it when GNUTLS_E_REHANDSHAKE error is received. Signed-off-by: Michael Zhivich <mzhivich@akamai.com> (merged from Debian/apt#93) LP: #1829861 2019-04-16T10:59:54Z David Kalnischkies david@kalnischkies.de 2019-04-14T23:54:26Z urn:sha1:a967ba05416db27127f9a0ba85bb92377e6bb73e warning: moving a local object in a return statement prevents copy elision [-Wpessimizing-move] Reported-By: gcc-9 Gbp-Dch: Ignore 2018-05-24T12:26:16Z Julian Andres Klode julian.klode@canonical.com 2018-05-24T12:16:30Z urn:sha1:71b65b3563d223f6cd69261918ec06d10da48e6c Correctly register timed out IP addresses from a timed out select() call as a bad address so we do not try it again. LP: #1766542 2018-05-19T19:39:08Z David Kalnischkies david@kalnischkies.de 2018-05-19T19:05:48Z urn:sha1:dd23021f588f5d50171cfb0d54108f594b139b26 Closes: #898886