Bug 208852

Summary: HTTPS proxy support does not work for the yum client
Product: Red Hat Enterprise Linux 5
Component: yum-rhn-plugin
Version: 5.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: James Bowes <jbowes>
Assignee: Bryan Kearney <bkearney>
CC: bkearney, rhn-bugs, rnewberr, wnefal+redhatbugzilla
Hardware: All
OS: Linux
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Last Closed: 2006-11-13 15:44:07 UTC
Bug Depends On: 210956, 210963, 210966, 210975, 211862
Bug Blocks: 206941
Attachments: proxy CONNECT support (flags: none)

Description James Bowes 2006-10-02 13:18:31 UTC
Python's default proxy support for HTTPS connects to a proxy just like it would
for http, and has the proxy GET from the https url. Thankfully, this fails, as
there are all kinds of security problems with this.

What we need is to have the client connect to the proxy and issue a CONNECT
command, which allows the client to directly connect to RHN via a tunnel through
the proxy.

I'm not sure at what level we would want to implement this.
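
The CONNECT exchange the description asks for, as an added example (not part of the bug report and not the M2Crypto patch attached to it). The host name rhn.example.test and the in-process toy proxy are constructed so the sketch runs offline.

```python
import socket
import threading
def build_connect(host, port, proxy_auth=None):
    """Bytes the client sends to the proxy before any TLS traffic."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:  # already base64-encoded "user:password"
        lines.append(f"Proxy-Authorization: Basic {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def read_head(sock):
    """Read until the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def open_tunnel(proxy_addr, host, port, proxy_auth=None):
    """Return (status, sock); sock is None unless the proxy answered 2xx."""
    sock = socket.create_connection(proxy_addr, timeout=5)
    sock.sendall(build_connect(host, port, proxy_auth))
    status = int(read_head(sock).split(b" ", 2)[1])
    if status // 100 != 2:
        sock.close()
        return status, None
    # The proxy now only relays bytes; TLS with `host` is negotiated over sock.
    return status, sock

def toy_proxy(listener, connections, allowed_ports=(443,)):
    """Constructed stand-in for a proxy that permits CONNECT to 443 only."""
    for _ in range(connections):
        conn = listener.accept()[0]
        target = read_head(conn).split(b" ", 2)[1].decode("ascii")
        ok = int(target.rsplit(":", 1)[1]) in allowed_ports
        conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n" if ok
                     else b"HTTP/1.1 403 Forbidden\r\n\r\n")
        conn.close()  # a real proxy would relay bytes both ways after a 200

def demo():
    listener = socket.create_server(("127.0.0.1", 0))
    threading.Thread(target=toy_proxy, args=(listener, 2), daemon=True).start()
    addr = listener.getsockname()
    ok, sock = open_tunnel(addr, "rhn.example.test", 443)  # constructed host name
    denied, _ = open_tunnel(addr, "rhn.example.test", 80)
    sock.close()
    listener.close()
    return ok, denied
```

Because the client checks the status before starting TLS, a refused tunnel surfaces as a proxy error and no request data is handed to the proxy in the clear.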

Comment 1 James Bowes 2006-10-05 20:12:29 UTC
I've submitted a patch to M2Crypto that implements CONNECT support.

See bug 6975 in M2Crypto's bugzilla:
https://bugzilla.osafoundation.org/show_bug.cgi?id=6975

Comment 6 James Bowes 2006-10-16 17:42:42 UTC
Created attachment 138597
proxy CONNECT support

The patch against m2crypto

Comment 7 RHEL Program Management 2006-10-17 14:49:26 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.

Comment 9 Roman Lazarev 2006-10-19 13:58:19 UTC
This blocker corresponds to release criteria 19c5: yum connects through
authenticated/unauthenticated http proxy from client to RHN

Comment 10 Jay Turner 2006-10-19 14:06:57 UTC
QE ack for RHEL5B2.

Comment 14 James Bowes 2006-10-24 20:56:51 UTC
This should be fixed as of yum-rhn-plugin-0.1.9-3

Comment 15 James Bowes 2006-10-26 18:04:19 UTC
*** Bug 212403 has been marked as a duplicate of this bug. ***

Comment 16 Beth Nackashi 2006-10-29 21:15:36 UTC
I tried to retest this with yum-rhn-plugin-0.2.0-1.el5 and m2crypto-0.16-6.el5
on the client.  The squid log from cellar.rhndev (our http proxy) says:

1162154752.339    173 192.168.34.90 TCP_MISS/200 3500 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
1162154752.455    110 192.168.34.90 TCP_MISS/200 3612 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -

which I guess is correct.

However, if I try to actually do any yumming through this http proxy, I get
errors depending on my configuration.

Configuration 1:  client -> RHN proxy -> non-authenticated http proxy -> RHN
============================================================================
http proxy log:

1162156041.443    216 192.168.32.35 TCP_MISS/200 2273 POST http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
1162156041.586    129 192.168.32.35 TCP_MISS/200 2405 POST http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
1162156042.147      0 192.168.32.35 TCP_DENIED/403 1370 CONNECT test07.rhndev.redhat.com:80 - NONE/- text/html

RHN proxy log:
no entries

client error:
http://test07.rhndev.redhat.com/XMLRPC/GET-REQ/rhel-x86_64-server-5-beta/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error Proxy connection failed: 403>
Trying other mirror.
Error: Cannot open/read repomd.xml file for repository: rhel-x86_64-server-5-beta

** The above configuration works fine if I remove the http proxy and just use
the RHN proxy.


Configuration 2:  client -> non-authenticated http proxy -> RHN
===============================================================
http proxy log:

1162156145.684    177 192.168.34.90 TCP_MISS/200 3500 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
1162156145.802    113 192.168.34.90 TCP_MISS/200 3612 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -

client error:
https://xmlrpc.rhn.webqa.redhat.com/XMLRPC/GET-REQ/rhel-i386-server-5-beta/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error The connect operation timed out>
Trying other mirror.
Error: Cannot open/read repomd.xml file for repository: rhel-i386-server-5-beta

So, I would say proxy support still does not work for the yum client,
authenticated or not.
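
A way to triage proxy logs like the ones quoted in comment 16, as an added example that is not part of the original comment: it parses squid's native access.log format and reports CONNECT entries that were denied or that target a port other than 443. The function names and the tls_ports default are assumptions of this sketch; the sample entries are copied from the comment.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "ts elapsed_ms client result status size method url peer")

def parse_squid_line(line):
    """Parse one entry of squid's native access.log format."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native-format squid entry: %r" % line)
    result, status = f[3].split("/")
    # f[7] is the ident field and f[9] the content type; neither is needed here.
    return Entry(float(f[0]), int(f[1]), f[2], result, int(status),
                 int(f[4]), f[5], f[6], f[8])

def connect_findings(lines, tls_ports=(443,)):
    """Return (client, target, reasons) for CONNECT entries worth a look."""
    findings = []
    for line in lines:
        e = parse_squid_line(line)
        if e.method != "CONNECT":
            continue
        port = int(e.url.rsplit(":", 1)[1])
        reasons = []
        if e.result == "TCP_DENIED":
            reasons.append("denied with %d" % e.status)
        if port not in tls_ports:
            reasons.append("non-TLS port %d" % port)
        if reasons:
            findings.append((e.client, e.url, "; ".join(reasons)))
    return findings

# Entries copied from comment 16, each on a single line.
SAMPLE = [
    "1162156041.443    216 192.168.32.35 TCP_MISS/200 2273 POST http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml",
    "1162156042.147      0 192.168.32.35 TCP_DENIED/403 1370 CONNECT test07.rhndev.redhat.com:80 - NONE/- text/html",
    "1162156145.684    177 192.168.34.90 TCP_MISS/200 3500 CONNECT xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -",
]

if __name__ == "__main__":
    for finding in connect_findings(SAMPLE):
        print(finding)
```

On these entries the only finding is the CONNECT to test07.rhndev.redhat.com:80, which matches the 403 the client reported in configuration 1.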

Comment 18 James Bowes 2006-10-30 16:05:08 UTC
What versions of yum and urlgrabber are you using? I was able to use a proxy
fine with the following rpms:

rhn-client-tools-0.2.7-1.el5
m2crypto-0.16-6.el5
python-urlgrabber-3.1.0-1
yum-3.0-5.3
yum-rhn-plugin-0.2.0-1.el5

Comment 19 Beth Nackashi 2006-10-31 17:12:15 UTC
Both configurations work for x86_64 client with the following package profile:

rhn-client-tools-0.2.7-1.el5
m2crypto-0.16-6.el5
python-urlgrabber-3.1.0-1
yum-3.0-5.3
yum-rhn-plugin-0.2.0-1.el5
rhnlib-2.2.5-1.el5

For i386 client, same.

Comment 20 Beth Nackashi 2006-10-31 21:15:23 UTC
Also works with authenticated http proxy.

Comment 21 Jay Turner 2006-11-13 15:44:07 UTC
Closing as the fixes are included in the latest RHEL5 trees (20061111.0)