[Bug 1330621] [NEW] apt HTTPS connection reuse leading to 403 Forbidden against S3

Phil Pennock launchpad at spodhuis.org
Mon Jun 16 19:32:50 UTC 2014


Public bug reported:

Encountered with Trusty, apt package 1.0.1ubuntu2

This might be a consequence of
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1087543 enabling
HTTPS connection reuse.  This is not the same as
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1330619 which
pertains to + encoding in requests sent over HTTPS, seen at the same
time.

I saw failures with "apt-get update" against some repositories
configured as https, where those repositories are S3 backed.  I ran:

$ sudo apt-get -o Debug::Acquire::https=true update

I saw 403 Forbidden for some resources, but only when the connection was
being reused.  Please excuse the name mangling below; the repository is
open but intended for private use.

Get:9 https://censored.s3.amazonaws.com public/main Translation-en
72% [Waiting for headers] [9 Translation-en 0 B]* Found bundle for host censored.s3.amazonaws.com: 0x118c500
* Re-using existing connection! (#2) with host censored.s3.amazonaws.com
* Connected to censored.s3.amazonaws.com (176.32.101.8) port 443 (#2)
> GET /dists/public/main/i18n/Translation-en_US HTTP/1.1
User-Agent: Debian APT-CURL/1.0 (1.0.1ubuntu2)
Host: censored.s3.amazonaws.com
Cache-Control: max-age=0
Accept: text/*

Hit http://us.archive.ubuntu.com trusty-updates/main Translation-en
74% [Working]< HTTP/1.1 403 Forbidden
< x-amz-request-id: censored
< x-amz-id-2: censored
< Content-Type: application/xml
< Transfer-Encoding: chunked
< Date: Mon, 16 Jun 2014 18:51:03 GMT
* Server AmazonS3 is not blacklisted
< Server: AmazonS3

I do not see the same error with curl(1), so this appears to be
something specific to apt with the https acquire transport; took a while
to notice that the errors were all after connection reuse.  I could find
no tuning option to disable connection reuse.

** Affects: apt (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1330621
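
The correlation described in the report (403 responses only on reused connections) can be checked across a whole `Debug::Acquire::https` log rather than by eye. The following is an added example, not part of the original bug report and not apt code; the sample log is constructed, its host name, address and first request path are placeholders, and it assumes requests and responses alternate on one connection at a time.

```python
import re

# Constructed sample modelled on the debug output quoted in the report;
# host, address and the first request path are placeholders.
SAMPLE = """\
* Connected to example-bucket.s3.amazonaws.com (192.0.2.10) port 443 (#2)
> GET /dists/public/main/binary-amd64/Packages HTTP/1.1
< HTTP/1.1 200 OK
< Server: AmazonS3
Get:9 https://example-bucket.s3.amazonaws.com public/main Translation-en
72% [Waiting for headers]* Found bundle for host example-bucket.s3.amazonaws.com: 0x118c500
* Re-using existing connection! (#2) with host example-bucket.s3.amazonaws.com
* Connected to example-bucket.s3.amazonaws.com (192.0.2.10) port 443 (#2)
> GET /dists/public/main/i18n/Translation-en_US HTTP/1.1
Hit http://us.archive.ubuntu.com trusty-updates/main Translation-en
74% [Working]< HTTP/1.1 403 Forbidden
< Server: AmazonS3
"""

REUSE = re.compile(r"\* Re-using existing connection! \(#(\d+)\)")
REQUEST = re.compile(r"> (GET|HEAD) (\S+) HTTP/1\.[01]")
STATUS = re.compile(r"< HTTP/1\.[01] (\d{3})")

def correlate(log):
    """Return one dict per HTTP response: request path, status code, and
    whether the request was sent on a reused connection."""
    results, reused, pending = [], False, None
    for line in log.splitlines():
        # search(), not match(): apt progress text can precede curl's marker.
        if REUSE.search(line):
            reused = True
        elif (m := REQUEST.search(line)):
            pending = {"path": m.group(2), "reused": reused}
            reused = False  # the flag applies to this request only
        elif (m := STATUS.search(line)) and pending:
            pending["status"] = int(m.group(1))
            results.append(pending)
            pending = None
    return results

def summarize(results):
    """Count responses keyed by (fresh|reused, status code)."""
    table = {}
    for r in results:
        key = ("reused" if r["reused"] else "fresh", r["status"])
        table[key] = table.get(key, 0) + 1
    return table
```

If every 403 in `summarize()` falls under `reused` and none under `fresh`, the log supports the connection-reuse explanation rather than a permissions problem on the bucket.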
