Debians commandline package manager https://git.kalnischkies.de/apt/atom?h=1.5_alpha4 2017-06-30T15:20:21Z 2017-06-30T15:20:21Z Julian Andres Klode jak@debian.org 2017-06-30T15:20:21Z urn:sha1:6a0e7acbf01e22665d89a9c6556f3a8220a78756 Silently ignoring the options might be a security issue, so produce an error instead. 2017-06-30T15:12:11Z Julian Andres Klode jak@debian.org 2017-06-30T15:12:11Z urn:sha1:8f5db6b513b90b6ee5b625131a25b146fa912e0d If gnutls_session_bye() exited with an error, we never closed the underlying file descriptor, causing the method to think the connection was still open. This caused problems especially in test-partial-file-support where we checked that a "complete" file and an incomplete file work. The first GET returns a 416 with Connection: close, and the next GET request then accidentally reads the body of the 416 as the header for its own request. 2017-06-30T14:33:09Z Julian Andres Klode jak@debian.org 2017-06-30T14:33:09Z urn:sha1:c6a428e4d17b408c2701def5daa46ca950948980 The old curl based method is still available as 'curl', 'curl+http', and 'curl+https'. 2017-06-30T13:00:41Z Julian Andres Klode jak@debian.org 2017-06-30T11:52:18Z urn:sha1:bafebf1afc59db7df7e0148b723f3f361770272c HTTPS proxies just require unwrapping the TLS layer at the proxy connection, that's easy, and of course sending proxy-specific headers that are sent on "http" proxies. 2017-06-30T13:00:41Z Julian Andres Klode jak@debian.org 2017-06-30T11:24:04Z urn:sha1:64207dad49f1c803d2b004ccf8fc6432789a8cc2 Proxying HTTPS traffic requires the proxy providing the CONNECT method. This implements the client side of it, although it is a bit hacky. HTTP connect is a normal HTTP CONNECT request, followed by a normal HTTP response, just that the body of the response is the TCP stream of the target host. We use a special wrapper in case there are data bytes in the header packets - in that case, the bytes are stored in a buffer and the buffer will be drained first, afterwards the connection continues directly with the TCP stream (with one more vcall). Also: Do not send full URI to https destinations when proxying, as we are directly interfacing with the destination data stream. 2017-06-30T12:57:54Z Julian Andres Klode jak@debian.org 2017-06-30T11:51:32Z urn:sha1:4b1d19fe5619ef46c952ca84531759a981741482 This is especially needed if we use an HTTPS proxy to CONNECT to an HTTPS URI, as we run TLS-inside-TLS then. 2017-06-30T09:05:48Z Julian Andres Klode jak@debian.org 2017-06-30T09:02:54Z urn:sha1:d3a70c3e5ae68a0e5a3d4667dd1d0fc0887e6263 When APT was trying multiple addresses, any later error somewhere else would be reported with ConnectionRefused or ConnectionTimedOut as the FailReason because that was set by early connect attempts. This causes APT to handle the failures differently, leading to some weirdly breaking test cases (like the changed one). Add debugging to the previously failing test case so we can find out when something goes wrong there again. 2017-06-30T07:46:29Z Julian Andres Klode jak@debian.org 2017-06-30T07:46:29Z urn:sha1:425e2dff0e4013edac6663a34a6359c98f4e8477 This fixes a regression from ~alpha2. Closes: #866559 Gbp-Dch: Full 2017-06-29T14:12:40Z Julian Andres Klode jak@debian.org 2017-06-29T13:30:12Z urn:sha1:58a1a72988e9280343821243217c1fc7d5ddea46 It turns out that curl only sets the system trust store if the CaInfo option is not set, so let's do the same here. 2017-06-29T10:54:30Z Julian Andres Klode jak@debian.org 2017-06-29T10:47:55Z urn:sha1:5e9c1b36764109ab13232188892730c326fb41e8 Tell the user to install ca-certificates. Closes: #866377