Bug 1153375
| Summary: | Connections default to using TLSv1.0 and should use TLSv1.2 | | | |
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Adrian Likins <alikins> | |
| Component: | python-rhsm | Assignee: | candlepin-bugs | |
| Status: | CLOSED ERRATA | QA Contact: | John Sefler <jsefler> | |
| Severity: | unspecified | Docs Contact: | | |
| Priority: | unspecified | | | |
| Version: | 7.0 | CC: | alikins, jmolet, wpoteat | |
| Target Milestone: | rc | | | |
| Target Release: | --- | | | |
| Hardware: | Unspecified | | | |
| OS: | Unspecified | | | |
| Whiteboard: | | | | |
| Fixed In Version: | | Doc Type: | Bug Fix | |
| Doc Text: | | Story Points: | --- | |
| Clone Of: | | | | |
| : | 1156565 1156567 1186488 | Environment: | | |
| Last Closed: | 2015-03-05 13:15:42 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | | |
| Verified Versions: | | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | | |
| Cloudforms Team: | --- | Target Upstream Version: | | |
| Embargoed: | | | | |
| Bug Depends On: | | | | |
| Bug Blocks: | 1153811, 1156565, 1156567, 1186488 | | | |
This bug is verified in comment 7. The timeout confusion will be cleared up in cloned bug 1186488.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0502.html
With this fix SSL clients cannot connect to candlepin using SSLv3:

```
jmolet|~| ❯ openssl s_client -connect jmolet-cp0.usersys.redhat.com:8443 -ssl3
CONNECTED(00000003)
140693806241648:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:345:
---
```

and subscription manager is able to successfully connect:

```
# subscription-manager register --username=testuser1 --password=password --org=admin
The system has been registered with ID: 52e2cb6d-75aa-4c14-ac8b-a767d1e701bd
```

now, switching the server to sslv3 only:

```
# cat /etc/tomcat/server.xml | grep sslEnabledProtocols
<Connector SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="want" SSLProtocol="TLS" keystoreFile="conf/keystore" truststoreFile="conf/keystore" keystorePass="password" keystoreType="PKCS12" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA" truststorePass="password" port="8443" sslEnabledProtocols="SSLv3" protocol="HTTP/1.1" sslEnabledProtocol="SSLv3"/>
# service tomcat restart
```

On the client, it cannot connect (as expected):

```
# subscription-manager register --username=testuser1 --password=password --org=admin
Unable to verify server's identity: unsupported protocol
```

in /etc/rhsm/rhsm.log:

```
2015-01-23 15:49:55,886 [DEBUG] subscription-manager:29573 @connection.py:469 - Making request: GET /candlepin/
2015-01-23 15:49:55,897 [ERROR] subscription-manager:29573 @managercli.py:161 - Error during registration: unsupported protocol
2015-01-23 15:49:55,897 [ERROR] subscription-manager:29573 @managercli.py:162 - unsupported protocol
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 1065, in _do_command
    self.options.environment)
  File "/usr/share/rhsm/subscription_manager/managercli.py", line 1163, in _get_environment_id
    supports_environments = cp.supports_resource('environments')
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 719, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 706, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 573, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 476, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 973, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 791, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 58, in connect
    sock.connect((self.host, self.port))
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 185, in connect
    ret = self.connect_ssl()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 178, in connect_ssl
    return m2.ssl_connect(self.ssl, self._timeout)
SSLError: unsupported protocol
```

this ONLY happens for register, however, and other commands either get a traceback or a timeout (in this example I was registered against candlepin before enforcing SSLv3 server-side):

```
[root@jmolet-vm0 ~]# subscription-manager unregister
Unable to verify server's identity: timed out
```

in /etc/rhsm/rhsm.conf:

```
2015-01-23 15:47:14,829 [DEBUG] subscription-manager:29476 @connection.py:469 - Making request: GET /candlepin/
2015-01-23 15:48:14,893 [ERROR] subscription-manager:29476 @utils.py:250 - Timeout error while checking server version
2015-01-23 15:48:14,894 [ERROR] subscription-manager:29476 @utils.py:251 - timed out
Traceback (most recent call last):
  File "/usr/share/rhsm/subscription_manager/utils.py", line 244, in get_server_versions
    if cp.supports_resource("status"):
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 719, in supports_resource
    self._load_supported_resources()
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 706, in _load_supported_resources
    resources_list = self.conn.request_get("/")
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 573, in request_get
    return self._request("GET", method)
  File "/usr/lib64/python2.7/site-packages/rhsm/connection.py", line 476, in _request
    conn.request(request_type, handler, body=body, headers=headers)
  File "/usr/lib64/python2.7/httplib.py", line 973, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1007, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 969, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 829, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 791, in send
    self.connect()
  File "/usr/lib64/python2.7/site-packages/M2Crypto/httpslib.py", line 73, in connect
    raise error
SSLTimeoutError: timed out
```

I'm not sure we should care about cases other than register (since ultimately the sub-man client won't ever talk to a candlepin with sslv3 only - which is what we want), but ideally there would be the same error of "unsupported protocol".
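A server-side audit of the Tomcat Connector settings exercised in the verification above, as an added example that is not code from the bug report, python-rhsm or candlepin: it parses a constructed Connector snippet modelled on the quoted server.xml line, flags the legacy protocols in `sslEnabledProtocols`, proposes a TLSv1.2-only value, and reports the misspelled `sslEnabledProtocol` attribute, which Tomcat does not recognise and ignores.

```python
import xml.etree.ElementTree as ET

# Protocol names (JSSE spelling, as used by Tomcat's sslEnabledProtocols)
# that a client defaulting to TLSv1.2 should never have to fall back to.
WEAK_PROTOCOLS = {"SSLv2", "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
HARDENED = "TLSv1.2"

# Constructed sample modelled on the Connector line quoted in the comment;
# the misspelled sslEnabledProtocol attribute is kept on purpose.
SAMPLE_SERVER_XML = """<Service>
  <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
             clientAuth="want" SSLProtocol="TLS" protocol="HTTP/1.1"
             sslEnabledProtocols="SSLv3" sslEnabledProtocol="SSLv3"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service>"""


def enabled_protocols(connector):
    """Split the comma-separated sslEnabledProtocols list; an SSL-enabled
    connector without the attribute returns [] (JVM default, not pinned)."""
    raw = connector.get("sslEnabledProtocols", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def audit_connectors(xml_text):
    """One finding per SSL-enabled Connector: the enabled list, the weak
    subset, a hardened replacement value, and any attribute that looks like
    a typo of sslEnabledProtocols (Tomcat logs 'did not find a matching
    property' for such attributes and silently ignores them)."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        enabled = enabled_protocols(conn)
        weak = [p for p in enabled if p in WEAK_PROTOCOLS]
        strong = [p for p in enabled if p not in WEAK_PROTOCOLS]
        typos = [a for a in conn.attrib
                 if a.lower().startswith("sslenabledprotocol")
                 and a != "sslEnabledProtocols"]
        findings.append({
            "port": conn.get("port"),
            "enabled": enabled,
            "weak": weak,
            # keep modern protocols already listed, otherwise pin TLSv1.2
            "suggested": ",".join(strong) if strong else HARDENED,
            "ignored_attributes": typos,
        })
    return findings
```

Run `audit_connectors(SAMPLE_SERVER_XML)` to see the 8443 connector reported with `SSLv3` as weak, `TLSv1.2` suggested, and `sslEnabledProtocol` listed as ignored.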