Bug 1099243

Summary: Failure to sync against cdn.redhat.com, requires SSLv3 ([Errno 8] _ssl.c:504: EOF occurred in violation of protocol)
Product: [Retired] Pulp Reporter: John Matthews <jmatthew>
Component: rpm-supportAssignee: pulp-bugs
Status: CLOSED NOTABUG QA Contact: pulp-qe-list
Severity: unspecified Docs Contact:
Priority: medium    
Version: 2.4 BetaCC: dgao, fabian, jmatthew, rbarlow, skarmark
Target Milestone: ---Keywords: Triaged
Target Release: 2.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-30 12:38:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Workaround to force sslv3 for https://cdn.redhat.com none

Description John Matthews 2014-05-19 21:53:28 UTC 
Description of problem:

Nectar's use of the Python requests library is causing a problem syncing protected content from Red Hat's CDN (cdn.redhat.com).

The issue is that the CDN requires SSLv3 connections, nectar defaults to the default of urllib3 causing the below error to be displayed:

   [Errno 8] _ssl.c:504: EOF occurred in violation of protocol

Note, issues are also seen with 'wget' talking to CDN, it also requires an explicit setting of SSLv3, --secure-protocol=SSLv3

"curl" does not require this, it works fine by default.




Version-Release number of selected component (if applicable):
python-nectar-1.2.1-1.fc20.noarch

$ rpm -qa | grep pulp
m2crypto-0.21.1.pulp-8.fc20.x86_64
pulp-rpm-admin-extensions-2.4.0-0.16.beta.fc20.noarch
pulp-server-2.4.0-0.16.beta.fc20.noarch
python-isodate-0.5.0-1.pulp.fc20.noarch
python-pulp-client-lib-2.4.0-0.16.beta.fc20.noarch
pulp-rpm-plugins-2.4.0-0.16.beta.fc20.noarch
pulp-selinux-2.4.0-0.16.beta.fc20.noarch
python-pulp-common-2.4.0-0.16.beta.fc20.noarch
python-pulp-rpm-common-2.4.0-0.16.beta.fc20.noarch
python-pulp-bindings-2.4.0-0.16.beta.fc20.noarch
pulp-admin-client-2.4.0-0.16.beta.fc20.noarch
pulp-puppet-plugins-2.4.0-0.16.beta.fc20.noarch
python-kombu-3.0.15-5.pulp.fc20.noarch
python-pulp-puppet-common-2.4.0-0.16.beta.fc20.noarch
pulp-puppet-admin-extensions-2.4.0-0.16.beta.fc20.noarch

How reproducible:


Steps to Reproduce:
1. Create a protected repo where the source is from cdn.redhat.com
2. Attempt to sync the repo
3.

Actual results:

# pulp-admin rpm repo create --repo-id=test --display-name=test --feed https://cdn.redhat.com/content/dist/rhel/rhui/server/5/5Server/i386/mrg-g/2.0/debug --feed-cert ./content_cert.crt --feed-key ./content_cert.key --feed-ca-cert ./cdn.redhat.com-chain.crt --verify-feed-ssl true


Successfully created repository [test]

[root@rhua config]# pulp-admin rpm repo sync run --repo-id test
+----------------------------------------------------------------------+
                    Synchronizing Repository [test]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[\]
... failed

[Errno 8] _ssl.c:504: EOF occurred in violation of protocol


Task Failed

Importer indicated a failed response


Additional info:
Comment 1 John Matthews 2014-05-19 21:56:17 UTC 
Created attachment 897333 [details]
Workaround to force sslv3 for https://cdn.redhat.com
Comment 2 John Matthews 2014-05-19 21:58:16 UTC 
If anyone wants to explore the workaround, it can be applied as:

cd /usr/lib/python2.7/site-packages/nectar/downloaders/
patch -p0 < /path/to/nectar_force_ssl3_for_cdn.patch
Comment 3 Fabian Dammekens 2014-05-27 05:24:25 UTC 
This bug also exists in 2.3 el6

Patched & confirmed working, running:
createrepo-0.9.9-21.2.pulp.el6.noarch
m2crypto-0.21.1.pulp-8.el6.x86_64
mod_wsgi-3.4-1.pulp.el6.x86_64
pulp-admin-client-2.3.1-1.el6.noarch
pulp-puppet-admin-extensions-2.3.1-1.el6.noarch
pulp-puppet-plugins-2.3.1-1.el6.noarch
pulp-rpm-admin-extensions-2.3.1-1.el6.noarch
pulp-selinux-2.3.1-1.el6.noarch
pulp-server-2.3.1-1.el6.noarch
python-isodate-0.5.0-1.pulp.el6.noarch
python-pulp-bindings-2.3.1-1.el6.noarch
python-pulp-client-lib-2.3.1-1.el6.noarch
python-pulp-common-2.3.1-1.el6.noarch
python-pulp-puppet-common-2.3.1-1.el6.noarch
python-pulp-rpm-common-2.3.1-1.el6.noarch
python-pulp-rpm-extension-2.3.1-1.el6.noarch
python-rhsm-1.8.0-1.pulp.el6.x86_64

python-2.6.6-52.el6.x86_64
Comment 4 Randy Barlow 2014-05-29 19:16:35 UTC 
I have been unable to reproduce this issue. Does it happen consistently, or does it happen occasionally? Does it perhaps depend on which repository you are syncing? My entitlement certificate doesn't seem to allow me to access that mrg/demo repository.

I've successfully sync'd RHEL 5 and RHEL 6 server from the CDN, and I've not experienced this issue.
Comment 5 John Matthews 2014-05-30 12:38:12 UTC 
Hi Randy,

The issue is constant and shows up on el6 and f20, I see it for any repo I attempt to sync.   Issue is that Akamai turned on support for "session tickets" right around Apirl 2.

Good news is Akamai is backing out the change, so we do not need to consider changes to nectar.

I'm unsure why you could not reproduce this, perhaps it is related to the entitlement certificate used.  I am using an employee subscription created from the customer portal, I generated a 'RHUI' certificate.  This is a X509 cert where all of the OIDs are embedded in the cert, they are not compressed like the newer form of X509 certs.  


To confirm, no work is required for this BZ.
The fix is on the CDN side and Akamai is implementing that now.