[Bug 1721138] [NEW] APT update fail when using HTTPS
Carlos D. Gonzalez
1721138 at bugs.launchpad.net
Tue Oct 3 21:54:49 UTC 2017
Public bug reported:
### Ubuntu Release
root@<server name>:~# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
root@<server name>:~#
### Expected Behaviors
Trusty’s version of apt should be able to pull updates from an internal
mirror using the HTTPS protocol and a SHA256 certificate (please check
the 2nd link at the end of this description)
Note: Using the same configuration on Ubuntu Xenial works.
### Actual Behavior
Apt error out with the error: gnutls_handshake() failed: The signature
algorithm is not supported.
### Package Information
Im not sure if the problem is actually with apt of with a library (I’m including libgnutls26 info as well)
root@<server name>:~# apt-cache policy apt
apt:
Installed: 1.0.1ubuntu2.17
Candidate: 1.0.1ubuntu2.17
Version table:
*** 1.0.1ubuntu2.17 0
100 /var/lib/dpkg/status
root@<server name>:~#
root@<server name>:~# apt-cache policy libgnutls26
libgnutls26:
Installed: 2.12.23-12ubuntu2.8
Candidate: 2.12.23-12ubuntu2.8
Version table:
*** 2.12.23-12ubuntu2.8 0
100 /var/lib/dpkg/status
root@<server name>:~#
### Active sources
root@<server name>:~# egrep -R -v '^#|^$' --include=\*.list /etc/apt/
/etc/apt/sources.list:deb https://<repo server name>/ubuntu/test trusty main restricted universe multiverse
root@<server name>:~#
### Apt Update output
root@<server name>:~# apt update -qq
W: Failed to fetch https://<repo server name>/ubuntu/test/dists/trusty/main/binary-amd64/Packages gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/restricted/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/universe/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/multiverse/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/main/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/restricted/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/universe/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/multiverse/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@<server name>:~#
# NMAP output of the current allowed ciphers
root@<server name>:~# nmap --script ssl-enum-ciphers -p 443 <Server IP>
Starting Nmap 6.40 ( http://nmap.org ) at 2017-10-03 21:07 GMT
Nmap scan report for <repo server name> (<Server IP>)
Host is up (0.0039s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
root@<server name>:~#
# gnutls-cli-debug output
root@<server name>:~# gnutls-cli-debug <repo server name>
Resolving '<repo server name>'...
Connecting to '<Server IP>:443'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... no
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no
root@<server name>:~#
### CURL to one of the links mentioned on the “apt update”
root@<server name>:~# curl -v --output /dev/null https://<repo server name>/ubuntu/test/dists/trusty/main/binary-amd64/Packages
* Hostname was NOT found in DNS cache
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <Server IP>...
* Connected to <repo server name> (<Server IP>) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=<State>; L=<Location>; O=<Company name>; OU=<Org>; CN=<Common Name>; emailAddress=<Email>
* start date: 2017-09-29 20:49:56 GMT
* expire date: 2019-09-29 20:49:56 GMT
* subjectAltName: <repo server name> matched
* issuer: O=<Company name>; CN=<Company CA>
* SSL certificate verify ok.
> GET /ubuntu/test/dists/trusty/main/binary-amd64/Packages HTTP/1.1
> User-Agent: curl/7.35.0
> Host: <repo server name>
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 03 Oct 2017 21:11:34 GMT
* Server Apache/2.4.18 (Ubuntu) is not blacklisted
< Server: Apache/2.4.18 (Ubuntu)
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Last-Modified: Wed, 27 Sep 2017 15:41:08 GMT
< ETag: "7db380-55a2d9ed90e69"
< Accept-Ranges: bytes
< Content-Length: 8237952
<
{ [data not shown]
100 8044k 100 8044k 0 0 2103k 0 0:00:03 0:00:03 --:--:-- 2103k
* Connection #0 to host <repo server name> left intact
# Similar issues
https://www.osso.nl/blog/git-gnutls-handshake-failed-nginx-ciphers/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921
** Affects: apt (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to apt in Ubuntu.
https://bugs.launchpad.net/bugs/1721138
Title:
APT update fail when using HTTPS
Status in apt package in Ubuntu:
New
Bug description:
### Ubuntu Release
root@<server name>:~# lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
root@<server name>:~#
### Expected Behaviors
Trusty’s version of apt should be able to pull updates from an
internal mirror using the HTTPS protocol and a SHA256 certificate
(please check the 2nd link at the end of this description)
Note: Using the same configuration on Ubuntu Xenial works.
### Actual Behavior
Apt error out with the error: gnutls_handshake() failed: The signature
algorithm is not supported.
### Package Information
Im not sure if the problem is actually with apt of with a library (I’m including libgnutls26 info as well)
root@<server name>:~# apt-cache policy apt
apt:
Installed: 1.0.1ubuntu2.17
Candidate: 1.0.1ubuntu2.17
Version table:
*** 1.0.1ubuntu2.17 0
100 /var/lib/dpkg/status
root@<server name>:~#
root@<server name>:~# apt-cache policy libgnutls26
libgnutls26:
Installed: 2.12.23-12ubuntu2.8
Candidate: 2.12.23-12ubuntu2.8
Version table:
*** 2.12.23-12ubuntu2.8 0
100 /var/lib/dpkg/status
root@<server name>:~#
### Active sources
root@<server name>:~# egrep -R -v '^#|^$' --include=\*.list /etc/apt/
/etc/apt/sources.list:deb https://<repo server name>/ubuntu/test trusty main restricted universe multiverse
root@<server name>:~#
### Apt Update output
root@<server name>:~# apt update -qq
W: Failed to fetch https://<repo server name>/ubuntu/test/dists/trusty/main/binary-amd64/Packages gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/restricted/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/universe/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/multiverse/binary-amd64/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/main/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/restricted/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/universe/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
W: Failed to fetch https://<repo server
name>/ubuntu/test/dists/trusty/multiverse/binary-i386/Packages
gnutls_handshake() failed: The signature algorithm is not supported.
E: Some index files failed to download. They have been ignored, or old ones used instead.
root@<server name>:~#
# NMAP output of the current allowed ciphers
root@<server name>:~# nmap --script ssl-enum-ciphers -p 443 <Server IP>
Starting Nmap 6.40 ( http://nmap.org ) at 2017-10-03 21:07 GMT
Nmap scan report for <repo server name> (<Server IP>)
Host is up (0.0039s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| SSLv3: No supported ciphers found
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.1:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
| TLSv1.2:
| ciphers:
| TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_DHE_RSA_WITH_SEED_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA - strong
| TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
| TLS_RSA_WITH_AES_256_CBC_SHA - strong
| TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
| TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
| TLS_RSA_WITH_RC4_128_MD5 - strong
| TLS_RSA_WITH_RC4_128_SHA - strong
| TLS_RSA_WITH_SEED_CBC_SHA - strong
| compressors:
| NULL
|_ least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 1.89 seconds
root@<server name>:~#
# gnutls-cli-debug output
root@<server name>:~# gnutls-cli-debug <repo server name>
Resolving '<repo server name>'...
Connecting to '<Server IP>:443'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... no
Checking for TLS 1.0 support... yes
Checking for TLS 1.1 support... yes
Checking fallback from TLS 1.1 to... N/A
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.0... N/A
Checking for Safe renegotiation support... yes
Checking for Safe renegotiation support (SCSV)... no
Checking for HTTPS server name... not checked
Checking for version rollback bug in RSA PMS... no
Checking for version rollback bug in Client Hello... no
Checking whether the server ignores the RSA PMS version... no
Checking whether the server can accept Hello Extensions... yes
Checking whether the server can accept cipher suites not in SSL 3.0 spec... yes
Checking whether the server can accept a bogus TLS record version in the client hello... yes
Checking for certificate information... N/A
Checking for trusted CAs... N/A
Checking whether the server understands TLS closure alerts... yes
Checking whether the server supports session resumption... yes
Checking for export-grade ciphersuite support... no
Checking RSA-export ciphersuite info... N/A
Checking for anonymous authentication support... no
Checking anonymous Diffie-Hellman group info... N/A
Checking for ephemeral Diffie-Hellman support... yes
Checking ephemeral Diffie-Hellman group info... N/A
Checking for AES cipher support (TLS extension)... yes
Checking for CAMELLIA cipher support (TLS extension)... yes
Checking for 3DES cipher support... yes
Checking for ARCFOUR 128 cipher support... yes
Checking for ARCFOUR 40 cipher support... no
Checking for MD5 MAC support... yes
Checking for SHA1 MAC support... yes
Checking for max record size (TLS extension)... no
Checking for OpenPGP authentication support (TLS extension)... no
root@<server name>:~#
### CURL to one of the links mentioned on the “apt update”
root@<server name>:~# curl -v --output /dev/null https://<repo server name>/ubuntu/test/dists/trusty/main/binary-amd64/Packages
* Hostname was NOT found in DNS cache
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying <Server IP>...
* Connected to <repo server name> (<Server IP>) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Server hello (2):
{ [data not shown]
* SSLv3, TLS handshake, CERT (11):
{ [data not shown]
* SSLv3, TLS handshake, Server key exchange (12):
{ [data not shown]
* SSLv3, TLS handshake, Server finished (14):
{ [data not shown]
* SSLv3, TLS handshake, Client key exchange (16):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
} [data not shown]
* SSLv3, TLS handshake, Finished (20):
} [data not shown]
* SSLv3, TLS change cipher, Client hello (1):
{ [data not shown]
* SSLv3, TLS handshake, Finished (20):
{ [data not shown]
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
* subject: C=US; ST=<State>; L=<Location>; O=<Company name>; OU=<Org>; CN=<Common Name>; emailAddress=<Email>
* start date: 2017-09-29 20:49:56 GMT
* expire date: 2019-09-29 20:49:56 GMT
* subjectAltName: <repo server name> matched
* issuer: O=<Company name>; CN=<Company CA>
* SSL certificate verify ok.
> GET /ubuntu/test/dists/trusty/main/binary-amd64/Packages HTTP/1.1
> User-Agent: curl/7.35.0
> Host: <repo server name>
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Tue, 03 Oct 2017 21:11:34 GMT
* Server Apache/2.4.18 (Ubuntu) is not blacklisted
< Server: Apache/2.4.18 (Ubuntu)
< Strict-Transport-Security: max-age=63072000; includeSubdomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< Last-Modified: Wed, 27 Sep 2017 15:41:08 GMT
< ETag: "7db380-55a2d9ed90e69"
< Accept-Ranges: bytes
< Content-Length: 8237952
<
{ [data not shown]
100 8044k 100 8044k 0 0 2103k 0 0:00:03 0:00:03 --:--:-- 2103k
* Connection #0 to host <repo server name> left intact
# Similar issues
https://www.osso.nl/blog/git-gnutls-handshake-failed-nginx-ciphers/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737921
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1721138/+subscriptions
More information about the foundations-bugs
mailing list