aria2 is unable to connect to some HTTPS sites

Bug #1553778 reported by Artyom Aleksyuk
Affects          Status        Importance  Assigned to  Milestone
aria2 (Debian)   Fix Released  Unknown
aria2 (Ubuntu)   Won't Fix     Low         Unassigned

Bug Description

Hello. I've noticed that aria2 stopped working with some HTTPS sites.

$ LANG=C aria2c https://sourceforge.net/projects/xbian/files/release/XBian_2016.03.01_rpi.img.gz/download -l aria2.log

03/06 21:15:21 [ERROR] CUID#6 - Download aborted. URI=https://sourceforge.net/projects/xbian/files/release/XBian_2016.03.01_rpi.img.gz/download
Exception: [AbstractCommand.cc:350] errorCode=1 URI=https://sourceforge.net/projects/xbian/files/release/XBian_2016.03.01_rpi.img.gz/download
  -> [SocketCore.cc:975] errorCode=1 SSL/TLS handshake failure: The signature algorithm is not supported.

03/06 21:15:21 [NOTICE] Download GID#e730e88f027b0508 not complete:

Download Results:
gid |stat|avg speed |path/URI
======+====+===========+=======================================================
e730e8|ERR | 0B/s|https://sourceforge.net/projects/xbian/files/release/XBian_2016.03.01_rpi.img.gz/download

Status Legend:
(ERR):error occurred.

aria2 will resume download if the transfer is restarted.
If there are any errors, then see the log file. See '-l' option in help/man page for details.

Another example of a non-working site is https://archive.org/download/centos-2.1_release/i386-disc1.iso
cURL works fine in both cases. Aria2 on Ubuntu 14.04 works fine too.

I've found an upstream bug report: https://github.com/tatsuhiro-t/aria2/issues/392. Here you can find a patch; however, I've not tested it.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: aria2 1.19.0-1
ProcVersionSignature: Ubuntu 4.2.0-25.30-generic 4.2.6
Uname: Linux 4.2.0-25-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: XFCE
Date: Sun Mar 6 21:29:05 2016
InstallationDate: Installed on 2015-10-31 (127 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: aria2
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Artyom Aleksyuk (artyom.h31) wrote :

I've just tested, Xenial Xerus is affected too.

Changed in aria2 (Debian):
status: Unknown → New
Changed in aria2 (Debian):
status: New → Fix Released
Revision history for this message
Mathew Hodson (mhodson) wrote :

Here's the upstream fix.

Changed in aria2 (Ubuntu):
importance: Undecided → Low
tags: added: bitesize
Revision history for this message
Mathew Hodson (mhodson) wrote :
tags: added: xenial
Revision history for this message
Mathew Hodson (mhodson) wrote :

The affected releases have SHA-1 disabled. The upstream fix was to re-enable it for compatibility. I don't know if that is a good decision though, because SHA-1 has been deprecated by browsers and CAs. Firefox returns an error when I try to connect to https://ftp.f3l.de/aurbs/x86_64/aurbs.db, which is the subject of the upstream bug report.

"Your connection is not secure

The owner of ftp.f3l.de has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

ftp.f3l.de uses an invalid security certificate.

The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure.

Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED"

information type: Public → Public Security
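The Firefox error quoted above names the cause: the certificate's own signature algorithm. The script below is added here as an example and is not code from the bug report, aria2 or GnuTLS. It walks a DER-encoded X.509 certificate using only the standard library, decodes the outer signatureAlgorithm OID and flags the SHA-1 variants (sha1WithRSAEncryption, dsa-with-sha1, ecdsa-with-SHA1), which is the check to run against a server before deciding whether the client or the certificate is at fault. The certificate it is fed is a constructed skeleton that keeps the real outer layout (tbsCertificate, AlgorithmIdentifier, BIT STRING) but carries a dummy TBS and signature; signature_algorithm_of_host is an assumed convenience wrapper around ssl.get_server_certificate for live use.

```python
"""Report the signature algorithm of a DER-encoded X.509 certificate.

Certificate ::= SEQUENCE {
    tbsCertificate      TBSCertificate,
    signatureAlgorithm  AlgorithmIdentifier,
    signatureValue      BIT STRING }
AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }

Standard library only; the DER walker handles short- and long-form lengths.
"""
import ssl

# Signature OIDs that denote a SHA-1 digest: the class of certificate a client
# rejects once SHA-1 signatures are disabled.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
KNOWN_SIGNATURE_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted form (base 128, high bit = continue)."""
    arcs, value = [], 0
    for octet in raw:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:
            continue
        if not arcs:                       # first subidentifier packs arcs 1 and 2 as 40*a + b
            first = 2 if value >= 80 else value // 40
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Return (dotted OID, name, is_sha1) for the outer signatureAlgorithm of a DER certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(cert, 0)                 # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert, pos)          # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_octets, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = decode_oid(oid_octets)
    return oid, KNOWN_SIGNATURE_OIDS.get(oid, "unknown"), oid in SHA1_SIGNATURE_OIDS


def signature_algorithm_of_host(host, port=443):
    """Assumed helper: fetch a server's leaf certificate (no chain verification) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test input (a skeleton, not a real certificate) ---------------------------

def _der(tag, body):
    """Minimal DER encoder for the TLVs used below (short and long lengths)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length_octets = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    values = [40 * arcs[0] + arcs[1]] + arcs[2:]
    out = bytearray()
    for v in values:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def constructed_certificate(sig_oid):
    """Certificate skeleton: real outer layout, dummy TBS, 256-byte dummy signature (long-form length)."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                     # stand-in tbsCertificate
    alg_id = _der(0x30, encode_oid(sig_oid) + b"\x05\x00")    # AlgorithmIdentifier, NULL params
    signature = _der(0x03, b"\x00" + b"\xAA" * 256)           # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg_id + signature)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(signature_algorithm(constructed_certificate(oid)))
```

For a live host call signature_algorithm_of_host("example.invalid"); ssl.get_server_certificate fetches the leaf without verifying the chain, so it still returns the certificate from a server that a verifying GnuTLS client would refuse during the handshake. A True in the third field means the server is presenting a SHA-1-signed certificate and needs a renewed one; it is not evidence that the client should re-enable the algorithm.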
Revision history for this message
Seth Arnold (seth-arnold) wrote :

RSA-SHA1 is no longer considered safe for use: https://www.mitls.org/pages/attacks/SLOTH

I cannot explain why this appears to affect aria2 and not e.g. cURL but I think a proper explanation would be preferable to enabling unsafe algorithms again.

Thanks

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Could this be caused by bug 1709193 ?

Revision history for this message
Artyom Aleksyuk (artyom.h31) wrote :

No. Aria2 uses the GnuTLS library directly, without employing an OpenSSL compat layer.

You can close this bug report, it's not relevant anymore. All major browsers disabled the SHA1 signature algorithm a long time ago, so nearly all SHA1-based certificates were renewed with modern algorithms. And so there are no more problems with Aria2 connecting to such servers.

Revision history for this message
David Britton (dpb) wrote :

Closed per submitter

Changed in aria2 (Ubuntu):
status: New → Won't Fix