add-apt-repository fails with gnutls_handshake error

Bug #926548 reported by Adam Honse
This bug affects 29 people
Affects: pycurl (Debian) | Status: Fix Released | Importance: Unknown
Affects: pycurl (Ubuntu) | Status: Won't Fix | Importance: Medium | Assigned to: Unassigned

Bug Description

Updated an 11.04 installation to 11.10 and then went to install the Cinnamon desktop environment using:

sudo add-apt-repository ppa:merlwiz79/cinnamon-ppa

The result was this:

Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 88, in <module>
    ppa_info = get_ppa_info_from_lp(user, ppa_name)
  File "/usr/lib/python2.7/dist-packages/softwareproperties/ppa.py", line 80, in get_ppa_info_from_lp
    curl.perform()
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')

It does not appear to be linked to the particular repository, rather it appears to be a bug in the add-apt-repository command or the pycurl library. I found one reference to a similar issue here:

http://code.google.com/p/wfuzz/wiki/PyCurlSSLBug

Robert Roth (evfool)
affects: ubuntu → software-properties (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in software-properties (Ubuntu):
status: New → Confirmed
Brian Zirkle (blzgraftdn) wrote :

I've had the same issue for about a week and was just today getting an opportunity to look for a fix.

sudo add-apt-repository ppa:freefilesync/ffs
[sudo] password for bzirkle:
Traceback (most recent call last):
  File "/usr/bin/add-apt-repository", line 88, in <module>
    ppa_info = get_ppa_info_from_lp(user, ppa_name)
  File "/usr/lib/python2.7/dist-packages/softwareproperties/ppa.py", line 80, in get_ppa_info_from_lp
    curl.perform()
pycurl.error: (35, 'gnutls_handshake() failed: A TLS packet with unexpected length was received.')

In the interest of narrowing down a timeframe for this feature "breaking", I first saw this 02 Feb - don't recall the last time I added a ppa source before that, but it couldn't have been longer than a month or so ago. I get the same error no matter what ppa I try to add.

64-bit Ubuntu 11.10 running on Acer Aspire 5732Z for what it's worth. If I can give any other information that would be helpful, I'm willing - give me a shout.

Robert Roth (evfool) wrote :

This seems to be an issue with pycurl itself (the library used to get the PPA information), so I am reassigning this to the pycurl package, and also adding the upstream (Debian) bug report link.
---
Ubuntu Bug Squad volunteer triager
http://wiki.ubuntu.com/BugSquad

affects: software-properties (Ubuntu) → pycurl (Ubuntu)
Changed in pycurl (Debian):
status: Unknown → New
Mazli Alias (redcylon) wrote :

I've submitted https://bugs.launchpad.net/ubuntu/+source/software-properties/+bug/930478 and was referred here as a duplicate bug.

The issue arises on my Precise Pangolin 64-bit. I just want to add that although I wasn't able to use add-apt-repository in the terminal, I was able to add PPAs in Software Centre. It's just that if you run updates in the terminal, it posts an error that it is unable to verify the signature of the PPA (...if you accept to continue, it runs nonetheless).

Changed in pycurl (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Adam Honse (calcprogrammer1) wrote :

Has anyone found a way around this bug? It's become increasingly annoying and appears that the pycurl (or GNUTLS packages used by pycurl) bugs are affecting several other programs as well. For instance, running an SVN or Git checkout over HTTPS fails, trying to curl or wget a file over HTTPS fails, I can't add PPA repositories with the proper tool, and several other things using HTTPS seem to randomly fail. I've run several new clean installs on multiple machines and all have this bug. Even my HP TouchPad, which I've installed the ARM version of 11.10 on, has this bug.

As for PPA's, I've been installing them to /etc/apt/sources.list in the form:

Before:
ppa:<user>/<repo>

Add to sources.list:
deb http://ppa.launchpad.net/<user>/<repo>/ubuntu oneiric main

Then sudo apt-get update and download whatever packages you want. The problem with this method is you never install the public key and so everything you install comes up as untrusted and Update Manager refuses to install them. You can force install using apt-get on the command line.

Macpaul Lin (macpaul) wrote :

It looks like we have the answer for this long-time headache of a problem. Whenever I want to download the Android source code from Google with 'repo', I suffer from this problem.
It seems we have the answer with gnutls 3.0

Please refer to the following URL for the solution and test.
Could we have this fixed in the coming 12.10? Thanks!
http://old.nabble.com/Big-CA-certificate-bundle-causes-problems-with-GnuTLS-3.0.11-td33925560.html

> problem with GnuTLS 2.12.14.

It appears to be commit 67f4dba6 from March 20th:
"Avoided waiting for peer's retransmission to ensure receipt of finished
 messages, and used a 'timer'-like to retransmit packets."

- data_size = _mbuffer_get_udata_size(bufel) - handshake_header_size;
+ if (hsk->length > 0 &&
+ (hsk->end_offset-hsk->start_offset >= data_size))
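
Review bot: in the added condition `hsk->end_offset-hsk->start_offset >= data_size`, data_size is still read although the only assignment to it visible here is the line being removed, and nothing shown guards the subtraction against end_offset being smaller than start_offset. The excerpt also stops before the body of the `if`, so both points should be checked against the full commit 67f4dba6 before these three lines are treated as the cause.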

Macpaul Lin (macpaul) wrote :

This problem also appears in 12.04

Sven Romeike (lun4tic) wrote :

I have that problem in 12.04 and it was definitely patched in. A fresh install did not have it.

simonthesorcerer (simon-evil-empire) wrote :

I also have this problem in a freshly installed 12.04.

As this problem is gnutls related, I tried the workaround found here: http://code.google.com/p/wfuzz/wiki/PyCurlSSLBug
and it worked for me.
The workaround is to build PyCurl against openssl instead of gnutls (the version number of the pycurl source packages can be another one):

1. sudo apt-get install build-essential fakeroot dpkg-dev
2. mkdir ~/python-pycurl-openssl
3. cd ~/python-pycurl-openssl
4. sudo apt-get source python-pycurl
5. sudo apt-get build-dep python-pycurl
6. sudo apt-get install libcurl4-openssl-dev
7. sudo dpkg-source -x pycurl_7.19.0-3build1.dsc
8. cd pycurl-7.19.0
9. edit debian/control file and replace all instances of “libcurl4-gnutls-dev” with “libcurl4-openssl-dev”
10. sudo dpkg-buildpackage -rfakeroot -b
11. sudo dpkg -i ../python-pycurl_7.19.0-3build1_i386.deb

Macpaul Lin (macpaul) wrote :

simonthesorcerer: Thanks for posting the workaround solution. But I guess the package on Ubuntu still originates from Debian (am I correct?). Maybe we can forward this information to the Debian people. :)

Macpaul Lin (macpaul) wrote :

Update for pycurl_7.19.0-4ubuntu3:
I've found that 10_setup.py.dpatch will force HAVE_CURL_GNUTLS=1.
And setup.py also forces "define_macros.append(('HAVE_CURL_GNUTLS', 1))".
This seems to force pycurl to still be compiled with gnutls.
You can replace the value with 0 to avoid this if you have this kind of problem, but I'm not sure if this is necessary.

The following is the new method for pycurl_7.19.0-4ubuntu3:

sudo apt-get install build-essential fakeroot dpkg-dev
mkdir ~/python-pycurl-openssl
cd ~/python-pycurl-openssl
sudo apt-get source python-pycurl
sudo apt-get build-dep python-pycurl
sudo apt-get install libcurl4-openssl-dev
sudo dpkg-source -x pycurl_7.19.0-4ubuntu3.dsc
cd pycurl-7.19.0
# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim debian/patches/10_setup.py.dpatch
# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim setup.py
# replace all gnutls into openssl in the following file
sudo vim debian/control
sudo dpkg-buildpackage -rfakeroot -b
sudo dpkg -i ../python-pycurl_7.19.0-4ubuntu3_amd64.deb
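
To confirm that a rebuild like the two described in the comments above actually changed the TLS library pycurl is linked against, the banner in pycurl.version can be checked and compared with the error text. This is an added example, not part of the original thread; the sample banners are constructed and the helper names are hypothetical.

```python
import re

# Constructed banners in the format of pycurl.version (not captured from the thread).
SAMPLE_GNUTLS = "PycURL/7.19.0 libcurl/7.22.0 GnuTLS/2.12.14 zlib/1.2.3.4"
SAMPLE_OPENSSL = "PycURL/7.19.0 libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4"
# Error line as it appears in the tracebacks in this report.
PAGE_ERROR = ("pycurl.error: (35, 'gnutls_handshake() failed: "
              "A TLS packet with unexpected length was received.')")

TLS_LIBRARIES = ("GnuTLS", "OpenSSL", "NSS")
CURLE_SSL_CONNECT_ERROR = 35  # libcurl: problem during the SSL/TLS handshake
ERROR_RE = re.compile(r"\((\d+), '(\w+)\(\) failed: (.*)'\)")

def tls_backend(banner):
    """Return (library, version) for the TLS library in a banner, or None."""
    for token in banner.split():
        name, _, version = token.partition("/")
        if name in TLS_LIBRARIES:
            return name, version
    return None

def parse_pycurl_error(line):
    """Split a printed pycurl.error into (curl_code, function, reason)."""
    match = ERROR_RE.search(line)
    if match is None:
        return None
    return int(match.group(1)), match.group(2), match.group(3)

def matches_this_report(banner, error_line):
    """True if a GnuTLS-linked pycurl produced a gnutls_handshake() failure."""
    backend = tls_backend(banner)
    error = parse_pycurl_error(error_line)
    if backend is None or error is None:
        return False
    code, function, _reason = error
    return (backend[0] == "GnuTLS" and code == CURLE_SSL_CONNECT_ERROR
            and function == "gnutls_handshake")

if __name__ == "__main__":
    try:
        import pycurl  # live check on the machine being diagnosed
        banner = pycurl.version
    except ImportError:
        banner = SAMPLE_GNUTLS  # fall back to the constructed sample
    print(banner, "->", tls_backend(banner))
    print("matches report:", matches_this_report(banner, PAGE_ERROR))
```

After installing the rebuilt .deb, the banner should name OpenSSL rather than GnuTLS; if it still names GnuTLS, the HAVE_CURL_GNUTLS edits did not take effect.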

funicorn (funicorn) wrote :

I have the same problem too. It seems that using apt-add-repository with -y option could avoid the error. Thus I guess it's related to keyboard input disturbing pycurl.

Brian Murray (brian-murray) wrote :

In Ubuntu 12.10 add-apt-repository no longer uses pycurl and instead uses urllib2.

Changed in pycurl (Ubuntu):
status: Triaged → Won't Fix
V字龍(Vdragon) (vdragon) wrote :

But it's still a bug in 12.04...
I think upgrading to the development version is not a good way to fix this bug...

Hsin-Yi, Chen (hychen) (ossug-hychen) wrote :

What is the version of python-software-properties you are using?

I cannot reproduce it on my laptop (12.04 with latest update)

python-software-properties 0.82.7.2

Hsin-Yi, Chen (hychen) (ossug-hychen) wrote :

Additional information about my laptop:

python-software-properties 0.82.7.2
python-pycurl 7.19.0-4ubuntu3
libcurl3-gnutls 7.22.0-3ubuntu4

V字龍(Vdragon) (vdragon) wrote :

@hychen
I believe that this bug depends on the network environment you are using.
At my residence (BB寬頻), everything is normal.
At school (National Taiwan Ocean University), this problem is 100% reproducible, and I'm forced to use dangerous HTTP to push my commits to GitHub.

V字龍(Vdragon) (vdragon) wrote :

Oh, for those trying to build GNUTLS like me, that won't fix the problem.
http://www.mediafire.com/?2jdr5l8a5105o
You may directly install the new version by installing the Nettle and GNUTLS packages I built (please downgrade or remove them after trying).

Adam Honse (calcprogrammer1) wrote : Re: [Bug 926548] Re: add-apt-repository fails with gnutls_handshake error

I agree, it depends on your network definitely. When I first submitted
this bug, I was at school (Missouri S&T) but now I graduated and moved,
have not had the problem on my home connection or any other non-school
connection. It might have to do with proxy systems but if we had one at
school it was transparent, no special settings were required other than
registering your MAC to get DHCP address.
On Aug 16, 2012 12:41 PM, "林博仁(Henry Lin)" <email address hidden> wrote:

> Oh, for those trying to build GNUTLS like me, that won't fix the problem.
> http://www.mediafire.com/?2jdr5l8a5105o
> You may directly install the new version by installing Nettle and GNUTLS
> package built by myself (please downgrade or remove them after trying)

V字龍(Vdragon) (vdragon) wrote :

Hi,
I've built pycurl with OpenSSL support and uploaded it here.
http://www.mediafire.com/#qwolgqn8vs99z

Note that you need to rebuild this package if a new version has been released and upgraded.
And note that the Git push issue isn't fixed by this package; you need to build Git with OpenSSL support to fix that.

Thanks for everyone contributing to this bug report!

Bipin (bipin-nag) wrote :

It is unacceptable to have to upgrade to newer distro to get rid of this bug. After all 12.04 is a LTS version and its life time exceeds that of 12.10. 12.04 users will have to live with this bug, or upgrade, which nullifies the meaning of Long Term Stable version. I ask you to change the status back to fixing and work on patches.

I know that the bug is related to GnuTLS, and it is breaking many apps that rely on GnuTLS for authentication. grive, for example,
keeps getting the following errors:

[gr::expt::MsgTag*] = gnutls_handshake() failed: The Diffie-Hellman prime sent by the server is not acceptable (not long enough).
[gr::http::CurlCodeTag*] = 35

It also is related to network environment as GnuTLS works fine with direct internet connection, but the machine which is having this issue is behind a proxy connection at my office.

Antonio Anastasio Bruto da Costa (antoniobdacosta) wrote :

This is affecting me too. And it is quite bad. It is unacceptable that this bug is not being fixed in an LTS release. I expected more from the Ubuntu developer community.

V字龍(Vdragon) (vdragon) wrote :

Hi,
I updated the link at #20 to here:
http://www.mediafire.com/?siz6lxrzd3wvc

However, I suspect the AMD64 architecture software package doesn't work; I'll update the file once I have fixed the problem (this may need some time as I mainly use the i386 architecture).

My solution is mainly based on #11, so you can try it out.

Guy K. Kloss (guy.kloss) wrote :

I've just stumbled upon this bug report searching for the evil pycurl.error: (35, 'gnutls_handshake() failed: GnuTLS internal error.')

I found a solution by telling cURL what version of SSL to use:

connection.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_SSLv3)

This is where I found this gem: http://diybetfairbots.lefora.com/2010/03/08/tls-handshake-problem-with-pycurl/#post4

Hope that helps,

Guy

Glenn Dixon (dixonge) wrote :

MacPaul - your instructions seem to have resolved the issues for me, with one change...

You stated:

"# remove the HAVE_CURL_GNUTLS=1 in the following file
sudo vim setup.py"

I found one section referring to GNUTLS and OPENSSL - they are if statements defining macros.

I had to remove two lines referring to GNUTLS here. Until I did that I got build errors.

gberche (guillaume-berche) wrote :

Manual patch of /usr/lib/python2.7/dist-packages/softwareproperties/ppa.py mentioned by Guy Kloss in comment #24 worked for me on precise:

    curl.setopt(pycurl.SSLVERSION, pycurl.SSLVERSION_SSLv3)

Thanks Guy!

Changed in pycurl (Debian):
status: New → Fix Released