pkgsrc-Users archive


Re: pkgin doesn't work with https and proxy



* On 2024-04-05 at 03:53 BST, Ryota Ozaki wrote:

I installed pkgin via pkg_add on NetBSD 10.0, but it doesn't work
with https and proxy.

pkgin update failed with the following error:

 netbsd10# pkgin update
 processing remote summary (https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All)...
 0048552D667B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/usr/src/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c:303:
 0048552D667B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/usr/src/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c:303:
 0048552D667B0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:/usr/src/crypto/external/bsd/openssl/dist/ssl/record/rec_layer_s3.c:303:
 pkgin: Could not fetch https://cdn.netbsd.org/pub/pkgsrc/packages/NetBSD/x86_64/10.0/All/pkg_summary.gz: Authentication error

pkgin 23.12.0 now requires valid certificates for https transport. Make sure that you have installed e.g. mozilla-rootcerts-openssl, though I thought NetBSD 10 now shipped with certificates installed by default?

Just to verify that it wasn't proxy connections that were affected, I tested this myself with tinyproxy installed from pkgsrc:

  $ pkgin up
  processing remote summary (https://pkgsrc.smartos.org/packages/SmartOS/trunk/x86_64/All)...
  database for https://pkgsrc.smartos.org/packages/SmartOS/trunk/x86_64/All is up-to-date

  $ env http_proxy=http://localhost:8888/ pkgin up
  processing remote summary (https://pkgsrc.smartos.org/packages/SmartOS/trunk/x86_64/All)...
  database for https://pkgsrc.smartos.org/packages/SmartOS/trunk/x86_64/All is up-to-date

  $ tail /var/log/tinyproxy/tinyproxy.log
  INFO      Apr 05 09:41:56.974 [38073]: Setting "Via" header to 'tinyproxy'
  NOTICE    Apr 05 09:41:56.997 [38073]: Reloading config file finished
  CONNECT   Apr 05 09:42:08.148 [38073]: Connect (file descriptor 4): ::1
  CONNECT   Apr 05 09:42:08.175 [38073]: Request (file descriptor 4): CONNECT pkgsrc.smartos.org:443 HTTP/1.1
  INFO      Apr 05 09:42:08.186 [38073]: No upstream proxy for pkgsrc.smartos.org
  INFO      Apr 05 09:42:08.196 [38073]: opensock: opening connection to pkgsrc.smartos.org:443
  INFO      Apr 05 09:42:09.058 [38073]: opensock: getaddrinfo returned for pkgsrc.smartos.org:443
  CONNECT   Apr 05 09:42:09.166 [38073]: Established connection to host "pkgsrc.smartos.org" using file descriptor 5.
  INFO      Apr 05 09:42:09.176 [38073]: Not sending client headers to remote machine
  INFO      Apr 05 09:42:09.612 [38073]: Closed connection between local client (fd:4) and remote client (fd:5)

ftp(1) command can fetch pkg_summary.gz under the same environment:

I don't believe ftp checks certificates, at least by default.

The version of pkgin:

 netbsd10# pkgin -v
 pkgin 23.8.1 (using SQLite 3.26.0)

Oh, that's strange. That version of pkgin doesn't even perform validation. I guess this is a libfetch issue on NetBSD, or the SSL errors above aren't related to verification.

--
Jonathan Perkin   -   mnx.io   -   pkgsrc.smartos.org
Open Source Complete Cloud   www.tritondatacenter.com
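
An added example, not part of the original message or of pkgin: a small decoder for the OpenSSL 3.x error lines quoted above, which separates certificate verification failures from a connection that was closed mid-read. The function names are hypothetical, the reason codes 134 and 294 are taken from OpenSSL's sslerr.h, and the second sample line is constructed for contrast.

```python
import re

ERR_LIB_SSL = 20                  # library number of "SSL routines"
SSL_REASONS = {                   # subset of reason codes from OpenSSL's sslerr.h
    134: "certificate verify failed",
    294: "unexpected eof while reading",
}
VERIFY_REASONS = {134}

# <thread id>:error:<8 hex digits>:<library>:<function>:<reason text>:<file>:<line>:
LINE_RE = re.compile(r"^\s*[0-9A-Fa-f]+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):")

def decode_openssl_error(line):
    """Split an OpenSSL 3.x error line into library and reason numbers."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    if code & 0x80000000:         # system (errno) error, not a library error
        return {"lib": 2, "reason": code & 0x7FFFFFFF, "text": m.group(4)}
    # OpenSSL 3.x layout: 8-bit library number above a 23-bit reason code
    return {"lib": (code >> 23) & 0xFF, "reason": code & 0x7FFFFF, "text": m.group(4)}

def classify(lines):
    """Return 'verification', 'transport' or 'unknown' for a block of output."""
    errs = [e for e in map(decode_openssl_error, lines) if e and e["lib"] == ERR_LIB_SSL]
    if any(e["reason"] in VERIFY_REASONS for e in errs):
        return "verification"
    return "transport" if errs else "unknown"

# Error line from the message above, with the mail wrapping undone.
PAGE_LINE = (" 0048552D667B0000:error:0A000126:SSL routines:ssl3_read_n:"
             "unexpected eof while reading:/usr/src/crypto/external/bsd/openssl/"
             "dist/ssl/record/rec_layer_s3.c:303:")
# Constructed for contrast: what a certificate verification failure looks like.
CONSTRUCTED_LINE = ("00000000DEADBEEF:error:0A000086:SSL routines:"
                    "tls_post_process_server_certificate:certificate verify failed:"
                    "example.c:1:")

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        e = decode_openssl_error(line)
        print(e["lib"], e["reason"], SSL_REASONS.get(e["reason"], e["text"]), classify([line]))
```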

