Bug 654055 - https access to git
Status: RESOLVED FIXED
Product: sysadmin
Classification: Infrastructure
Component: Git
Assigned To: Jeff Schroeder
GNOME Sysadmins
Reported: 2011-07-05 21:24 UTC by Carnë Draug
Modified: 2013-03-05 20:15 UTC

Description Carnë Draug 2011-07-05 21:24:28 UTC
Hi

I have some problems accessing some GNOME repos. Because I'm behind my university proxy I can't use the git protocol (it's blocked). Access through http used to work but recently it stopped because of this bug: http://squid-web-proxy-cache.1019090.n4.nabble.com/ERR-INVALID-REQ-on-www-megaupload-com-td2249834.html

I got it tracked down with the help of bkor at #gnome-hackers. If I understood it correctly, squid is getting a request from git that it can't handle. By using https instead of http, the proxy wouldn't have to handle any request, just forward the traffic to me (if I understood it correctly, I know very little about networking).

I used pastebin to paste only the lines where the error starts to show when using ngrep and trying to clone zenity http://pastebin.com/G1NaMWtB
Comment 1 Olav Vitters 2011-07-05 21:27:39 UTC
In short:
Standard Squid supports the following HTTP header:
> Expect: 100-continue
This as squid only does HTTP/1.0.

Git adds this in certain cases (not always). So it breaks down for zenity, but not for others.

Only quick solution would be setting up https, so squid isn't involved anymore.
Comment 2 Olav Vitters 2011-07-05 21:31:13 UTC
ehr.. Squid does NOT support that header
Comment 3 Carnë Draug 2011-07-10 17:50:13 UTC
Hi

I'm just wondering if there's any work on this? I've been unable to fetch any changes from the repository in quite a while now.

It's not only zenity that fails. gedit, gedit-plugins and gtksourceview also fail.
Comment 4 Olav Vitters 2012-05-23 13:39:40 UTC
Jeff,

Could you change the level 2 certificate and add:
1. git.gnome.org
2. Either: *.bugzilla-attachments.gnome.org (more secure) or bugzilla-attachments.gnome.org
Comment 5 Andrea Veri 2012-05-23 16:50:23 UTC
Please do not set up a completely new certificate (since it's not possible to add new DNS names after the certificate has been created, thus we should revoke the one we have now) but create another cert with the missing hosts instead.
Comment 6 Olav Vitters 2012-05-23 20:15:40 UTC
Bugzilla is on the same host, and 2 certificates on one IP address is bad. So only a git.gnome.org cert I think. Maybe we should check if we need more.
Comment 7 Andrea Veri 2012-05-30 11:46:01 UTC
1. signal/nagios has its own self-signed certificate, I guess we don't need any CA signed cert for that.

2. we'll probably move bugzilla to its own VM, so we can create a single cert for git.g.o and enable SSL there.
Comment 8 Olav Vitters 2013-03-05 20:15:22 UTC
this was fixed by Andrea

need to test bugbot
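
The two naming options raised in comment 4 cover different hosts. The following is an added example, not part of the original thread or of GNOME's tooling: it checks which required hostnames a certificate's subjectAltName list leaves uncovered, using RFC 6125-style wildcard matching. The SAN lists and the `attach-1` hostname are constructed for illustration.

```python
# Added example. git.gnome.org and bugzilla-attachments.gnome.org come from
# the thread; the SAN lists and "attach-1" host are constructed sample data.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, host):
    """RFC 6125-style match: '*' is honoured only as the entire left-most
    label and stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False          # a wildcard never spans zero or several labels
    if p[0] == "*":
        if len(p) < 3:
            return False      # refuse overly broad patterns such as '*.org'
        return p[1:] == h[1:]
    if "*" in pattern:
        return False          # partial or non-left-most wildcards are rejected
    return p == h

def uncovered(san_list, required_hosts):
    """Return the required hosts that no SAN entry covers."""
    return [host for host in required_hosts
            if not any(san_matches(san, host) for san in san_list)]

# Constructed SAN lists mirroring the two options in comment 4.
SAN_WILDCARD = ["git.gnome.org", "*.bugzilla-attachments.gnome.org"]
SAN_BARE = ["git.gnome.org", "bugzilla-attachments.gnome.org"]

# Hosts a client might connect to; the sub-domain name is constructed.
REQUIRED = [
    "git.gnome.org",
    "bugzilla-attachments.gnome.org",
    "attach-1.bugzilla-attachments.gnome.org",
]

if __name__ == "__main__":
    for label, sans in (("wildcard", SAN_WILDCARD), ("bare", SAN_BARE)):
        print(label, "leaves uncovered:", uncovered(sans, REQUIRED))
```

Running it shows that neither SAN list covers both the bare name and its sub-domains, so a certificate request has to list every form that clients will actually use.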