From: ludo@gnu.org (Ludovic Courtès)
Subject: bug#14884: TLS connection not terminated properly
Date: Tue, 16 Jul 2013 22:50:42 +0200
Message-ID: <87zjtmw7od.fsf@gnu.org>
To: 14884@debbugs.gnu.org

As reported by Mark Weaver and others, fetching from
https://archive.apache.org leads to an error:

--8<---------------cut here---------------start------------->8---
$ guix build -S subversion --no-substitutes
The following derivation will be built:
   /nix/store/0qm0bggyhrdhrk1ks8hs2pya5n0ikx57-subversion-1.7.8.tar.bz2.drv
@ build-started /nix/store/0qm0bggyhrdhrk1ks8hs2pya5n0ikx57-subversion-1.7.8.tar.bz2.drv - x86_64-linux /nix/var/log/nix/drvs/0q//m0bggyhrdhrk1ks8hs2pya5n0ikx57-subversion-1.7.8.tar.bz2.drv.bz2
starting download of `/nix/store/i35q1vm2sl27sjhs7mx8n2m05056ya9x-subversion-1.7.8.tar.bz2' from `https://archive.apache.org/dist/subversion/subversion-1.7.8.tar.bz2'...
https://archive.apache.org/.../subversion-1.7.8.tar.bz2 99.0% of 5882.7 KiBERROR: Throw to key `gnutls-error' with args `(# fill_session_record_port_input)'.
failed to download "/nix/store/i35q1vm2sl27sjhs7mx8n2m05056ya9x-subversion-1.7.8.tar.bz2" from "https://archive.apache.org/dist/subversion/subversion-1.7.8.tar.bz2"
--8<---------------cut here---------------end--------------->8---

We discussed it on IRC some time ago:

I just tried, and the wget from guix also works.
ok
maybe wget is ignoring that particular TLS error, dunno.
* civodul tries [23:22]
i can reproduce it
I see something about it on this page: http://download.opensuse.org/distribution/12.1/repo/oss/ChangeLog [23:29]
For glib-networking update to version 2.29.92, it says "Fixed a problem when linking against GNUTLS 3.0, where connections would sometimes return the error "The TLS connection was non-properly terminated". (bgo#659233)" [23:30]
I'm not sure what bug tracking system that bug number is in.
the rationale is discussed at http://comments.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/4842 [23:32]
https://bugzilla.gnome.org/show_bug.cgi?id=659233 [23:33]
well, I suppose we could just use plain http for that URL. [23:35]
sure :-) [23:36]
though the problem is worth fixing
is it a problem on our end, or on the apache archive server? [23:37]
given that we will check the SHAsum on the downloaded file, I suppose there's no harm in ignoring that error for downloads, in any case. [23:38]
yes, that's what i was thinking [23:39]
but it's actually tricky to ignore because we pass a TLS port to the download code
here's what glib-networking did, fwiw: https://bug659233.bugzilla-attachments.gnome.org/attachment.cgi?id=196741 [23:40]

The problem is that the exception is raised by the TLS session record
port’s fill_input method, so there’s no nice call site to wrap into
‘catch’.

We could catch around the ‘dump-port’ call in (guix build download), but
we’d lose info about how much data has actually been transferred.

So for now, I will just:

  1. use http://archive.apache.org instead of https;

  2. ignore this problem altogether, unless this behavior is found to be
     widespread.

Comments welcome.

Ludo’.
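
An added example, not part of the original message and not Guix code: a Python sketch of the trade-off discussed above, where an unclean TLS close is tolerated only because the content hash is verified afterwards, and the byte count is kept despite the exception. `UncleanClose`, `FlakyStream`, `fetch_verified` and the payload are constructed stand-ins (assumptions), not GnuTLS or Guix names.

```python
import hashlib


class UncleanClose(OSError):
    """Stand-in (assumption) for the 'non-properly terminated' TLS error."""


class FlakyStream:
    """Constructed stream: yields `data`, then raises instead of a clean EOF."""

    def __init__(self, data, clean=False):
        self._data, self._pos, self._clean = data, 0, clean

    def read(self, n):
        chunk = self._data[self._pos:self._pos + n]
        self._pos += len(chunk)
        if not chunk and not self._clean:
            raise UncleanClose("peer closed without close_notify")
        return chunk


def fetch_verified(stream, expected_sha256, chunk_size=4096):
    """Read `stream` to the end, tolerating an unclean close.

    Returns (data, bytes_received, unclean). Raises ValueError when the
    digest does not match, which is what catches a truncated transfer.
    """
    digest = hashlib.sha256()
    parts, received, unclean = [], 0, False
    while True:
        try:
            chunk = stream.read(chunk_size)
        except UncleanClose:
            unclean = True  # record it, but let the hash decide
            break
        if not chunk:
            break
        parts.append(chunk)
        digest.update(chunk)
        received += len(chunk)  # progress survives the exception
    if digest.hexdigest() != expected_sha256:
        raise ValueError(
            f"hash mismatch after {received} bytes (unclean close: {unclean})")
    return b"".join(parts), received, unclean


# Constructed sample input and its known-good digest.
PAYLOAD = b"constructed tarball bytes " * 1000
EXPECTED = hashlib.sha256(PAYLOAD).hexdigest()
```

Without the digest check, an unclean close is indistinguishable from a truncated transfer, which is why the error can only be ignored for downloads whose hash is known in advance.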