add-apt-repository fails with gnutls_handshake error

Bug #926548 reported by Adam Honse on 2012-02-04
This bug affects 29 people
Affects Status Importance Assigned to Milestone
pycurl (Debian)
Fix Released
pycurl (Ubuntu)

Bug Description

Updated an 11.04 installation to 11.10 and then went to install the Cinnamon desktop environment using:

sudo add-apt-repository ppa:merlwiz79/cinnamon-ppa

The result was this:

Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 88, in <module>
    ppa_info = get_ppa_info_from_lp(user, ppa_name)
  File "/usr/lib/python2.7/dist-packages/softwareproperties/", line 80, in get_ppa_info_from_lp
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')

It does not appear to be linked to the particular repository, rather it appears to be a bug in the add-apt-repository command or the pycurl library. I found one reference to a similar issue here:

Robert Roth (evfool) on 2012-02-04
affects: ubuntu → software-properties (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in software-properties (Ubuntu):
status: New → Confirmed
Brian Zirkle (blzgraftdn) wrote :

I've had the same issue for about a week and was just today getting an opportunity to look for a fix.

sudo add-apt-repository ppa:freefilesync/ffs
[sudo] password for bzirkle:
Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 88, in <module>
    ppa_info = get_ppa_info_from_lp(user, ppa_name)
  File "/usr/lib/python2.7/dist-packages/softwareproperties/", line 80, in get_ppa_info_from_lp
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')

In the interest of narrowing down a timeframe for this feature "breaking", I first saw this 02 Feb - don't recall the last time I added a ppa source before that, but it couldn't have been longer than a month or so ago. I get the same error no matter what ppa I try to add.

64bit Ubuntu 11.10 running on Acer Aspire 5732Z for what it's worth. If I can give up any other information that would be helpful, I'm willing - give me a shout.

Robert Roth (evfool) wrote :

This seems to be an issue with pycurl itself (the library used to get the PPA information), so I am reassigning this to the pycurl package, and also adding the upstream (Debian) bug report link.
Ubuntu Bug Squad volunteer triager

affects: software-properties (Ubuntu) → pycurl (Ubuntu)
Changed in pycurl (Debian):
status: Unknown → New
Mazli Alias (redcylon) wrote :

I've submitted and was referred here as a duplicate bug.

The issue arises on my Precise Pangolin 64bit. I just want to add that although I wasn't able to add-apt-repository in the terminal, I was able to add PPAs in Software Centre. It's just that if you run updates in the terminal, it would post an error that it is unable to verify the signature/sign of the PPA (...if you accept to continue, it would run nonetheless).

Changed in pycurl (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Adam Honse (calcprogrammer1) wrote :

Has anyone found a way around this bug? It's become increasingly annoying and appears that the pycurl (or GNUTLS packages used by pycurl) bugs are affecting several other programs as well. For instance, running an SVN or Git checkout over HTTPS fails, trying to curl or wget a file over HTTPS fails, I can't add PPA repositories with the proper tool, and several other things using HTTPS seem to randomly fail. I've run several new clean installs on multiple machines and all have this bug. Even my HP TouchPad, which I've installed the ARM version of 11.10 on, has this bug.

As for PPA's, I've been installing them to /etc/apt/sources.list in the form:


Add to sources.list:
deb<user>/<repo>/ubuntu oneiric main

Then sudo apt-get update and download whatever packages you want. The problem with this method is you never install the public key and so everything you install comes up as untrusted and Update Manager refuses to install them. You can force install using apt-get on the command line.

Macpaul Lin (macpaul) wrote :

It looks like we have the answer for this headache problem for a long time. Once I want to download the Android source code from Google by 'repo' I suffer from this problem.
It seems we have the answer with gnutls 3.0.

Please refer to the following URL for the solution and test.
Could we have this fixed in the coming 12.10? Thanks!

> problem with GnuTLS 2.12.14.

It appears to be commit 67f4dba6 from March 20th:
"Avoided waiting for peer's retransmission to ensure receipt of finished
 messages, and used a 'timer'-like to retransmit packets."

- data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+ if (hsk->length > 0 &&
+ (hsk->end_offset-hsk->start_offset >= data_size))
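
Review bot: the added condition `(hsk->end_offset-hsk->start_offset >= data_size)` reads `data_size`, yet the only assignment of `data_size` visible in this excerpt is the line being removed, and nothing shown guarantees that `end_offset` is not smaller than `start_offset` before the subtraction. Please confirm that `data_size` is still assigned ahead of the new `if`, and add an explicit `hsk->end_offset >= hsk->start_offset` check so that, if these offsets are unsigned, a reversed pair cannot wrap around and pass the comparison. The excerpt also omits the body of the `if`, so what happens when the condition holds cannot be reviewed from these lines.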

Macpaul Lin (macpaul) wrote :

This problem also appears in 12.04

Sven Romeike (lun4tic) wrote :

I have that problem in 12.04 and it was definitely patched in. A fresh install did not have it.

I also have this problem in a freshly installed 12.04.

As this problem is gnutls related I tried the workaround found here:
and it worked for me.
The workaround is to build PyCurl against openssl instead of gnutls (the version number of the pycurl source packages can be another one):

1. sudo apt-get install build-essential fakeroot dpkg-dev
2. mkdir ~/python-pycurl-openssl
3. cd ~/python-pycurl-openssl
4. sudo apt-get source python-pycurl
5. sudo apt-get build-dep python-pycurl
6. sudo apt-get install libcurl4-openssl-dev
7. sudo dpkg-source -x pycurl_7.19.0-3build1.dsc
8. cd pycurl-7.19.0
9. edit debian/control file and replace all instances of “libcurl4-gnutls-dev” with “libcurl4-openssl-dev”
10. sudo dpkg-buildpackage -rfakeroot -b
11. sudo dpkg -i ../python-pycurl_7.19.0-3build1_i386.deb

Macpaul Lin (macpaul) wrote :

simonthesorcerer: Thanks for posting the workaround solution. But I guess the package on Ubuntu still originates from Debian (am I correct?). Maybe we can forward this information to the Debian people. :)

Macpaul Lin (macpaul) wrote :

Update for pycurl_7.19.0-4ubuntu3:
I've found in will force HAVE_CURL_GNUTLS=1.
And there is also force "define_macros.append(('HAVE_CURL_GNUTLS', 1))"
This seems to force pycurl to still be compiled with gnutls.
You can change the value to 0 to avoid this if you have this kind of problem, but I'm not sure if this is necessary.

The following is the new method for pycurl_7.19.0-4ubuntu3:

sudo apt-get install build-essential fakeroot dpkg-dev
mkdir ~/python-pycurl-openssl
cd ~/python-pycurl-openssl
sudo apt-get source python-pycurl
sudo apt-get build-dep python-pycurl
sudo apt-get install libcurl4-openssl-dev
sudo dpkg-source -x pycurl_7.19.0-4ubuntu3.dsc
cd pycurl-7.19.0
# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim debian/patches/
# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim
# replace all gnutls into openssl in the following file
sudo vim debian/control
sudo dpkg-buildpackage -rfakeroot -b
sudo dpkg -i ../python-pycurl_7.19.0-4ubuntu3_amd64.deb
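
A check for the two rebuild procedures above (steps 1-11 and the pycurl_7.19.0-4ubuntu3 variant), added here as an example and not part of any commenter's post or of the pycurl packaging: it lists any GnuTLS build dependency still left in debian/control and reads the TLS library from a libcurl version banner such as `pycurl.version`. The sample control file and banner are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample inputs (not copied from the real pycurl source package).
SAMPLE_CONTROL = """\
Source: pycurl
Build-Depends: debhelper (>= 7),
 libcurl4-gnutls-dev (>= 7.19.0),
 python-all-dev
Standards-Version: 3.9.2

Package: python-pycurl
Depends: ${shlibs:Depends}
"""
SAMPLE_BANNER = "PycURL/7.19.0 libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4"


def build_depends(control_text):
    """Return the package names in the Build-Depends field of debian/control."""
    value, in_field = [], False
    for line in control_text.splitlines():
        if line.lower().startswith("build-depends:"):
            in_field = True
            value.append(line.split(":", 1)[1])
        elif in_field and line[:1] in (" ", "\t"):
            value.append(line)  # folded continuation line of the same field
        else:
            in_field = False
    names = []
    for dep in re.split(r"[,|]", " ".join(value)):
        dep = re.sub(r"[(\[<].*", "", dep).strip()  # drop version/arch qualifiers
        if dep:
            names.append(dep)
    return names


def leftover_gnutls(control_text):
    """Build dependencies that still pull in the GnuTLS flavour of libcurl."""
    return [d for d in build_depends(control_text) if "gnutls" in d]


def tls_backend(banner):
    """Return (library, version) of the TLS library named in a libcurl banner."""
    for token in banner.split():
        name, _, version = token.partition("/")
        if name.lower() in ("gnutls", "openssl", "nss"):
            return name, version
    return None, None


if __name__ == "__main__":
    print(leftover_gnutls(SAMPLE_CONTROL))  # entries the control-file edit must replace
    print(tls_backend(SAMPLE_BANNER))       # pass pycurl.version on a real system
```

On a real system, run `leftover_gnutls` over the edited debian/control before building, and `tls_backend(pycurl.version)` after installing the rebuilt package.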

funicorn (funicorn) wrote :

I have the same problem too. It seems that using apt-add-repository with -y option could avoid the error. Thus I guess it's related to keyboard input disturbing pycurl.

Brian Murray (brian-murray) wrote :

In Ubuntu 12.10 add-apt-repository no longer uses pycurl and instead uses urllib2.

Changed in pycurl (Ubuntu):
status: Triaged → Won't Fix
V字龍(Vdragon) (vdragon) wrote :

But it's still a bug in 12.04...
I think upgrading to the development version is not a good way to fix this bug...

What is the version of python-software-properties you are using?

I cannot reproduce it on my laptop (12.04 with latest update).

Additional information about my laptop:

python-pycurl 7.19.0-4ubuntu3
libcurl3-gnutls 7.22.0-3ubuntu4

V字龍(Vdragon) (vdragon) wrote :

I believe that this bug depends on the network environment you are using.
At my place of residence (BB寬頻), everything is normal.
At school (National Taiwan Ocean University), this problem is 100% reproducible, and I'm forced to use dangerous HTTP to push my commit to GitHub.

V字龍(Vdragon) (vdragon) wrote :

Oh, for those trying to build GNUTLS like me, that won't fix the problem.
You may directly install the new version by installing Nettle and GNUTLS package built by myself (please downgrade or remove them after trying)

I agree, it depends on your network definitely. When I first submitted
this bug, I was at school (Missouri S&T) but now I graduated and moved,
have not had the problem on my home connection or any other non-school
connection. It might have to do with proxy systems but if we had one at
school it was transparent, no special settings were required other than
registering your MAC to get DHCP address.
On Aug 16, 2012 12:41 PM, "林博仁(Henry Lin)" <email address hidden> wrote:

> Oh, for those trying to build GNUTLS like me, that won't fix the problem.
> You may directly install the new version by installing Nettle and GNUTLS
> package built by myself (please downgrade or remove them after trying)

V字龍(Vdragon) (vdragon) wrote :

I've built pycurl with OpenSSL support and uploaded here.

Note that you need to rebuild this package if a new version has been released and upgraded.
And note that the Git push issue isn't fixed by this package; you need to build Git with OpenSSL support to fix that.

Thanks for everyone contributing to this bug report!

Bipin (bipin-nag) wrote :

It is unacceptable to have to upgrade to a newer distro to get rid of this bug. After all, 12.04 is an LTS version and its lifetime exceeds that of 12.10. 12.04 users will have to live with this bug, or upgrade, which nullifies the meaning of Long Term Stable version. I ask you to change the status back to fixing and work on patches.

I know that the bug is related to GnuTLS, and it is breaking many apps that rely on GnuTLS for authentication. grive for example:
keeps getting the following errors:

[gr::expt::MsgTag*] = gnutls_handshake() failed: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
[gr::http::CurlCodeTag*] = 35

It is also related to the network environment, as GnuTLS works fine with a direct internet connection, but the machine which is having this issue is behind a proxy connection at my office.

This is affecting me too. And it is quite bad. It is unacceptable that this bug is not being fixed in an LTS release. I expected more from the Ubuntu developer community.

V字龍(Vdragon) (vdragon) wrote :

I updated the link at #20 to here:

However, I suspect the AMD64 architecture software package doesn't work; I'll update the file once I have fixed the problem (this may need some time as I mainly use the i386 architecture).

My solution is mainly based on #11, so you can try it out.

Guy K. Kloss (guy.kloss) wrote :

I've just stumbled upon this bug report searching for the evil pycurl.error: (35, 'gnutls_handshake() failed: GnuTLS internal error.')

I found a solution by telling cURL what version of SSL to use:

connection.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_SSLv3)

This is where I found this gem:

Hope that helps,


Glenn Dixon (dixonge) wrote :

MacPaul - your instructions seem to have resolved the issues for me, with one change...

You stated:

"# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim"

I found one section referring to GNUTLS and OPENSSL - they are if statements defining macros.

I had to remove two lines referring to GNUTLS here. Until I did that I got build errors.

gberche (guillaume-berche) wrote :

Manual patch of /usr/lib/python2.7/dist-packages/softwareproperties/ mentioned by Guy Kloss in comment #24 worked for me on precise:

    curl.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_SSLv3)

Thanks Guy!

Changed in pycurl (Debian):
status: New → Fix Released