Bug 5738

Summary: urpmi should not use curl with https mirrors
Product: Mageia Reporter: Manuel Hiebel <manuel.mageia>
Component: RPM Packages Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: urpmi CVE:
Status comment:

Description Manuel Hiebel 2012-05-03 19:30:06 CEST
Description of problem:

[root@localhost hdl]# urpmi.addmedia --distrib --mirrorlist --debug -v
getting exclusive lock on urpmi
parsing: /etc/urpmi/mediacfg.d/Devel-1-i586
parsing: /etc/urpmi/mediacfg.d/Devel-2-beta2-i586
not using metalink since requested downloader does not handle it
loading mirrors cache
using mirror rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586
récupération du fichier media.cfg...
récupération de rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586 media/media_info/media.cfg
/usr/bin/rsync -q --timeout=60 --contimeout=60 --partial --no-whole-file --no-motd --copy-links 'rsync://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586/media/media_info/media.cfg' '/var/cache/urpmi/partial' 2>&1
rsync error: timeout waiting for daemon connection (code 35) at socket.c(281) [Receiver=3.0.9]

nouvel essai avec le miroir https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586
récupération du fichier media.cfg...
récupération de https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586 media/media_info/media.cfg
'/usr/bin/curl' '-q' '-s' '--location-trusted' '-R' '-f' '--disable-epsv' '--connect-timeout' '60' '--anyauth' '--stderr' '-' '-O' 'https://distrib-coffee.ipsl.jussieu.fr/pub/linux/Mageia/distrib/cauldron/i586/media/media_info/media.cfg'
... échec de la récupération : curl a échoué : sortie avec 60

impossible d'accéder au média de distribution (pas de fichier media.cfg trouvé)
impossible d'ajouter le média
unlocking urpmi database
EXITING (pid=2462)

In the curl man page we can see:
60 Peer certificate cannot be authenticated with known CA certificates.


http://www.mageialinux-online.org/forum/topic-12482+mises-a-jour-bloquees.php#m122205
Comment 1 Thierry Vignaud 2012-05-03 19:46:04 CEST
If you want to trust an insecure site, that is your problem.
What needs to be fixed is for this site to have either a real certificate or not to offer https (hint Guillaume...).

Status: NEW => RESOLVED
Resolution: (none) => INVALID
Assignee: thierry.vignaud => guillomovitch

Comment 2 Guillaume Rousse 2012-05-03 20:11:00 CEST
Thanks for the gift, but why am I the assignee here :) ?

Anyway, I disagree with Thierry: this is not really a server issue, but a client one. If you want to use https for a secure connection, you're supposed to either give your client a way to check the server certificate (meaning its certification authority certificate), or to disallow server certificate checking. The fact that the server doesn't use a certificate issued by a commercial provider just makes it a bit more complex for the clients, but it's not a bug in itself.

urpmi.cfg has a curl-options directive for this kind of issue.
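
Added example, not part of the original comments: an offline reproduction of the trust decision behind curl exit code 60, showing that a server certificate issued by a private CA fails against a bundle that lacks that CA and verifies once the CA certificate is supplied. All CA names, the host name mirror.example.test and the paths are constructed, and the `--cacert` line in the final comment is an assumed use of the curl-options directive.

```shell
#!/bin/sh
# Added example (not from the bug thread). Every name, subject and path here is
# constructed. Requires the openssl command-line tool; works offline.

# new_ca DIR NAME: create a self-signed CA certificate DIR/NAME.pem.
new_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# new_server_cert DIR CA HOST: issue DIR/HOST.pem for HOST, signed by CA.
new_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" >/dev/null 2>&1
}

# chains_to CAFILE CERT: true only if CERT verifies with CAFILE as the CA file.
chains_to() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# classify BUNDLE EXTRA_CA CERT: what a verifying client needs for CERT.
classify() {
    if chains_to "$1" "$3"; then echo "trusted-by-default-bundle"
    elif chains_to "$2" "$3"; then echo "needs-cacert"
    else echo "untrusted"; fi
}

# demo: build a throwaway PKI and report how the mirror certificate classifies.
demo() {
    d=$(mktemp -d) || return 1
    new_ca "$d" public-bundle-ca &&   # stands in for the client's known CAs
    new_ca "$d" private-ca &&         # the mirror's own CA
    new_server_cert "$d" private-ca mirror.example.test || return 1
    result=$(classify "$d/public-bundle-ca.pem" "$d/private-ca.pem" \
                      "$d/mirror.example.test.pem")
    rm -rf "$d"
    echo "$result"
}

# For "needs-cacert", the directive would hand curl the CA file (assumed form):
#   curl-options: --cacert /path/to/private-ca.pem   (placeholder path)
demo
```

The "needs-cacert" outcome corresponds to the first option in the comment above: verification stays enabled and the client is given the CA certificate.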