apt/methods, branch 1.5_beta1Debians commandline package managerhttps://git.kalnischkies.de/apt/atom?h=1.5_beta12017-07-03T13:47:22ZStop bragging about old speeds in http.cc comments2017-07-03T13:47:22ZJulian Andres Klodejak@debian.org2017-07-03T13:47:22Zurn:sha1:239d0088142c986628305b56764b5f2b7c83bab2
That's just ridiculous these days.
Gbp-Dch: ignore
don't set ip addresses as server names for SNI2017-07-03T13:06:26ZDavid Kalnischkiesdavid@kalnischkies.de2017-06-30T11:10:03Zurn:sha1:405189f2a794ded622a4ae3a83a9b70917faf894
It is kinda unlikely that apt will ever encounter a certificate for an
IP and a user actually using it, but the API documentation for
gnutls_server_name_set explicitly says that "IPv4 or IPv6 addresses are
not permitted to be set by this function.", so we should follow it.
[jak@d.o: Slightly rebased]
Swap file descriptors before the handshake2017-07-03T13:06:26ZJulian Andres Klodejak@debian.org2017-07-03T12:33:15Zurn:sha1:f3b9e58cc5e6878daff9cf127bd00587d1f715d3
This makes more sense. If the handshake failed midway, we still
should run the gnutls bye stuff. The thinking here is to only
set the fd after the session setup, as we do not modify it
before, so if it fails in session setup, you retain a usable
file descriptor.
Gbp-Dch: ignore
Do not error out, only warn if ca certificates are not available2017-07-03T13:06:26ZJulian Andres Klodejak@debian.org2017-07-03T12:31:41Zurn:sha1:55673e5476f86ffae8969bfc3a47237f3eeb7720
This probably makes more sense if Verify-Peer is set to off.
tls: Add more details to error messages, and detect more errors2017-07-03T13:06:26ZJulian Andres Klodejak@debian.org2017-07-03T12:29:37Zurn:sha1:a742bac161759e2b265a4d4d5f5527f6035d8e58
This should make it easier to figure out what was
going on.
http: A response with Content-Length: 0 has no content2017-07-01T17:14:03ZJulian Andres Klodejak@debian.org2017-07-01T17:14:03Zurn:sha1:d47fb34ae03566feec7fec6dccba80e45fa03e6f
APT considered any response with a Content-Length to have a
body, even if the value of the header was 0. A 0 length body
however, is equal to no body.
Make Verify-Host and Verify-Peer independent again2017-07-01T13:51:55ZJulian Andres Klodejak@debian.org2017-07-01T13:51:55Zurn:sha1:9a34c8557ac02e691bc66a5313103569a5e646ac
We can actually just pass null as a hostname, so let's just
do that when Verify-Host is set to false.
TLS support: Error out on unsupported curl options2017-06-30T15:20:21ZJulian Andres Klodejak@debian.org2017-06-30T15:20:21Zurn:sha1:6a0e7acbf01e22665d89a9c6556f3a8220a78756
Silently ignoring the options might be a security issue,
so produce an error instead.
Improve closing the TLS connection2017-06-30T15:12:11ZJulian Andres Klodejak@debian.org2017-06-30T15:12:11Zurn:sha1:8f5db6b513b90b6ee5b625131a25b146fa912e0d
If gnutls_session_bye() exited with an error, we never closed
the underlying file descriptor, causing the method to think the
connection was still open. This caused problems especially in
test-partial-file-support where we checked that a "complete"
file and an incomplete file work. The first GET returns a 416
with Connection: close, and the next GET request then accidentally
reads the body of the 416 as the header for its own request.
Switch to 'http' as the default https method2017-06-30T14:33:09ZJulian Andres Klodejak@debian.org2017-06-30T14:33:09Zurn:sha1:c6a428e4d17b408c2701def5daa46ca950948980
The old curl based method is still available as 'curl',
'curl+http', and 'curl+https'.