Bug 1284776

Summary: [PATCH] TLS Protocols not supported
Product: [Fedora] Fedora
Component: proxytunnel
Reporter: Paul Howarth <paul>
Assignee: Mykola Ulianytskyi <lystor>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 23
CC: lystor, mail
Fixed In Version: proxytunnel-1.9.1-1.fc24 proxytunnel-1.9.1-1.fc23
Doc Type: Bug Fix
Last Closed: 2016-04-05 10:10:58 UTC
Type: Bug
Attachments:
Patch against current git to update to 1.9.1 and add TLS support (flags: none)

Description Paul Howarth 2015-11-24 08:33:47 UTC
Created attachment 1098063 [details]
Patch against current git to update to 1.9.1 and add TLS support

The current version of proxytunnel (1.9.0) does not support TLS protocols and is therefore incompatible with default Fedora 23 servers such as httpd with mod_proxy_connect and mod_ssl, where the OpenSSL system profile disables older, less secure protocols such as SSLv2 and SSLv3. The result of this is that connection attempts to servers that have not explicitly re-enabled SSLv2 fail with a less than helpful error message:

$ ssh my-remote.example.com
SSL local to remote proxy enabled
Enter remote proxy password for user paul: 
Local proxy myproxy.example.com resolves to 10.120.34.200
Connected to myproxy.example.com:8080 (local proxy)

Tunneling to my-remote.example.com:443 (remote proxy)
Communication with local proxy:
 -> CONNECT my-remote.example.com:443 HTTP/1.0
 -> Proxy-Connection: Keep-Alive
 -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
 <- HTTP/1.0 200 Connection established

Tunneling to my-remote.example.com:22 (destination)
Communication with remote proxy:
 -> CONNECT my-remote.example.com:22 HTTP/1.0
 -> Proxy-Authorization: Basic cGF2bDpzc3wcm94eTY3MTA=
 -> Proxy-Connection: Keep-Alive
 -> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
error: Socket write error.
ssh_exchange_identification: Connection closed by remote host

There is a fix for this that has already been merged in upstream git:
https://github.com/proxytunnel/proxytunnel/pull/9

I have attached a patch against the proxytunnel package in Fedora git that updates it to the current upstream release 1.9.1, fixes the failure to build in Rawhide (#1239800), and adds the TLS-enabling patch from upstream. The resulting build works for me.

I am happy to co-maintain this package if you are busy at the moment.

Comment 1 Fedora Update System 2016-03-31 09:25:21 UTC
proxytunnel-1.9.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b17da9f49

Comment 2 Fedora Update System 2016-03-31 09:25:28 UTC
proxytunnel-1.9.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-26d783e326

Comment 3 Fedora Update System 2016-04-01 15:24:06 UTC
proxytunnel-1.9.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5b17da9f49

Comment 4 Fedora Update System 2016-04-01 20:55:17 UTC
proxytunnel-1.9.1-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-26d783e326

Comment 5 Fedora Update System 2016-04-05 10:10:52 UTC
proxytunnel-1.9.1-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-04-13 07:24:13 UTC
proxytunnel-1.9.1-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.