:: Re: [devuan-dev] Introducing apt-pa…
Inizio della pagina
Delete this message
Reply to this message
Autore: onefang
Data:  
To: devuan-dev
Oggetto: Re: [devuan-dev] Introducing apt-panopticon, my Devuan mirror checker script.
On Thu, 7 Nov 2019 00:26:28 +1000 onefang said :
> On Wed, 6 Nov 2019 15:16:45 +0100 Irrwahn said :
> > onefang wrote on 06.11.19 12:38:
> >
> > [SNIP]
> >
> > Okay, I'm afraid you can scratch a good portion of my earlier
> > reply, as these repeated messages in the server log just caught my
> > attention (sorry for not picking up on it earlier, my bad):
> >
> > [***] [ssl:error] [pid ***] AH02032: Hostname 95.216.15.86 provided
> > via SNI and hostname devuan.packet-gain.de provided via HTTP have no
> > compatible SSL setup


Have you been getting a bunch of those messages once an hour from my
sledjhamr.org server?

> > Can't argue with that, as it would appear you're not correctly
> > setting the desired hostname via SNI. So yeah, those requests are
> > bound to fail. I humbly suggest to review the SNI parameters you
> > pass to whatever TLS capable tool you use to perform the
> > tests. ;-)
>
> It's past midnight, I should be sleeping, and I have to get up very
> early in the morning for the 06:30 Devuan dev meeting. Or sleep in
> and miss it. lol


I managed to attend the meeting, and we decided that I'll be setting up
apt-panopticon to regularly do tests (once I have more of the tests
working properly), and reporting the results officially. There will
eventually be graphs and alerts.

> I'll look at this tomorrow.


One of the design goals is to allow mirror operators to run
apt-panopticon themselves. So potential mirror operators can test
their setup before being added to the mirror list, and existing mirror
operators can use it to test any changes / fixes they make. So making
it easy to install and keep updated was a big design choice. For
various reasons I chose to target Devuan ASCII, and only those
dependencies that exist in ASCIIs package repo. Though ASCII-backports
would be allowed.

The language chosen is Lua. So lua-socket was used to provide the
HTTP / HTTPS / FTP / EMAIL functions. Lua-socket is commonly used for
these things in Lua scripts.

One of the love hate things about Debian based distros like Devuan is
that a lot of the packages will be somewhat older versions. This is
"love" coz it means things are well tested and very stable. This is
"hate" coz sometimes you get lack of features and old bug fixes that
have not been backported yet. This I think is the source of the
problem.

I found out (earlier in development) that the version of lua-socket in
ASCII doesn't really support HTTPS, but it quietly switches that to
HTTP. I found out when testing a mirror that redirected HTTP requests
to HTTPS, and my "test redirections code" followed that redirect to
HTTPS, which then was silently switched to HTTP by lua-socket, which
then got redirected back to HTTPS ...

The latest version of lua-socket that isn't available for ASCII, not
even in backports, properly supported HTTPS. Lua-sec is essentially a
wrapper around lua-socket that does support HTTPS, so I now use both.
They are both a few versions behind, and there are several fixes for
the SSL parts of lua-sec.

Your fix allowed this all to work with your server, so todays testing
couldn't use your server, but since mirror.stinpriza.org is still
showing the same issue (even if it's for different reasons), I could at
least test against that. Performing similar tests with curl and wget
fail unless I told them not to check the certificates.

So switching to using curl or wget to do those tests might not help.
There is a lua-curl, though it's hard to tell which of several
different things with that or similar name it actually is without
digging deep.

One thing I should do is to check what apt-transport-https actually
does in this situation.

I have various options to investigate. Today it got to 33 C, and
tomorrow it'll hit 37 C, though it'll cool down to merely 30 C the next
day. I have no air conditioning. I may not get much work done for a
while.

--
A big old stinking pile of genius that no one wants
coz there are too many silver coated monkeys in the world.