Bug 486324

Summary: (yum with proxy) and (repo with https uri) / ssl request doesn't work through proxy
Product: Red Hat Enterprise Linux 5
Reporter: Leon Fauster <leonfauster>
Component: yum
Assignee: packaging-team-maint
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 5.2
CC: hmiles, james.antill, jan.public, mathieu-acct, me, qguo, zpavlas
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-10-15 15:29:00 EDT

Description Leon Fauster 2009-02-19 07:00:10 EST
------------------------------------------------
Description of problem:
------------------------------------------------

Access to an SSL-enabled local repository works fine without proxy

Access to an SSL-enabled local repository with proxy doesn't work


Repo-file:

[privEL]
name=privEL-$releasever - Base
#mirrorlist=https://priv.local/privEL/centos/?release=$releasever&arch=$basearch&repo=os
baseurl=https://35uvi7324657e65ufztf9:8utf7tfzfd5ezstrc3246@priv.local/privEL/centos/$releasever/os/$basearch/
gpgcheck=0
#gpgkey=https://priv.local/privEL/centos/RPM-GPG-KEY-privEL-5
enabled=0


CLI:

[root@l ~]# yum --noplugins --enablerepo=privEL update
https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 400: Bad Request
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: privEL. Please verify its path and try again


Proxy's log says:

2009/02/19 12:06:25| fwdDispatch: Cannot retrieve 'https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml'
1235042076.819     10 213.160.26.73 TCP_MISS/400 2189 GET https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml - DIRECT/88.84.156.90 text/html

See also: http://man.chinaunix.net/newsoft/squid/Squid_FAQ/FAQ-11.html#ss11.34





------------------------------------------------
Version-Release number of selected component (if applicable):
------------------------------------------------
yum-3.2.8-9.el5


------------------------------------------------
How reproducible:
------------------------------------------------

Add repo file above and 

 proxy=http://proxy:3128

into yum.conf

and execute 
 yum --enablerepo=privEL update

  
------------------------------------------------
Actual results:
------------------------------------------------

[root@l ~]# yum --noplugins --enablerepo=privEL update
https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 400: Bad Request
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: privEL. Please verify its path and try again


"[Errno 14] HTTP Error 400"  http ???



------------------------------------------------
Expected results:
------------------------------------------------

Should connect to proxy correctly and get repomd.xml

Without proxy works fine!
Comment 1 Leon Fauster 2009-02-19 07:18:18 EST
The usability of the proxy is confirmed with curl as follows:

CLI:

$ export https_proxy=http://proxy:3128

$ curl --insecure https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml

connects through the proxy.


It doesn't matter if I use basic HTTP authentication or not:

https://35uvi7324657e65ufztf9:8utf7tfzfd5ezstrc3246@priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml
https://priv.local/privEL/centos/5/os/x86_64/repodata/repomd.xml

Both are usable (if I change the config of the repo's web server, of course).

Regards P.M.
Comment 2 Leon Fauster 2009-02-23 16:34:47 EST
Not sure if this is related:

http://bugs.python.org/issue1424152
Comment 3 seth vidal 2009-08-03 14:19:33 EDT
https://bugzilla.redhat.com/show_bug.cgi?id=484491

the last 2 comments. Not for rhel5 - but something for the future.
Comment 5 James Antill 2013-03-12 16:28:21 EDT
 This should be fixed for RHEL-6.


This request was evaluated by Red Hat Engineering for inclusion in a Red 
Hat Enterprise Linux maintenance release.

Red Hat does not currently plan to provide this change in a Red Hat 
Enterprise Linux update release for currently deployed products.

With the goal of minimizing risk of change for deployed systems, and in 
response to customer and partner requirements, Red Hat takes a 
conservative approach when evaluating enhancements for inclusion in 
maintenance updates for currently deployed products. The primary 
objectives of update releases are to enable new hardware platform 
support and to resolve critical defects.
Comment 6 Wylie 2013-07-09 12:35:16 EDT
This is causing a big issue for DISA, and some Department of Defense systems.  Just FYSA.  Looks bad on Red Hat not to fix in 5.x.
Comment 9 Zdeněk Pavlas 2013-09-26 10:10:05 EDT
(In reply to Leon Fauster from comment #2)
> Not sure if this is related:
> 
> http://bugs.python.org/issue1424152

This is the same issue, as in rhel5, urlgrabber uses urllib2. To use HTTP CONNECT tunnelling, we'd need a patched Python. Python-2.4.3 shipped in rhel-5.10 does not include the patch (it's included in current Python-2.7 though).

rhel-5.10 $ grep 'def set_tunnel' /usr/lib/python*/httplib.py
=> no match
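
Added example, not part of the bug report and not yum or urlgrabber code: a loopback stand-in for the proxy records the request line it receives for the same repomd.xml fetch, once sent as a plain proxied GET of the https URL (the form in the squid log above) and once through `set_tunnel` in Python 3's `http.client`. The fake proxy, its 403 reply and the function names are constructed for illustration.

```python
import http.client
import socket
import threading

REPO_HOST = "priv.local"  # repository host from the report
REPO_PATH = "/privEL/centos/5/os/x86_64/repodata/repomd.xml"

def fake_proxy():
    """Constructed stand-in for the proxy: record one request line, answer 403."""
    srv = socket.create_server(("127.0.0.1", 0))
    srv.settimeout(5)
    port = srv.getsockname()[1]
    seen = []

    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            data = b""
            while b"\r\n\r\n" not in data:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
            seen.append(data.split(b"\r\n", 1)[0].decode("latin-1"))
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")

    thread = threading.Thread(target=serve)
    thread.start()
    return port, seen, thread

def request_line(use_tunnel):
    """Return the first line the proxy receives for an HTTPS repo fetch."""
    port, seen, thread = fake_proxy()
    cls = http.client.HTTPSConnection if use_tunnel else http.client.HTTPConnection
    conn = cls("127.0.0.1", port, timeout=5)
    try:
        if use_tunnel:
            # Ask the proxy for a raw tunnel; TLS to the repo would run inside it.
            conn.set_tunnel(REPO_HOST, 443)
            conn.request("GET", REPO_PATH)
        else:
            # The https URL is handed to the proxy as an ordinary HTTP request.
            conn.request("GET", "https://" + REPO_HOST + REPO_PATH)
            conn.getresponse().read()
    except OSError:
        pass  # tunnel case: the fake proxy refuses CONNECT, so no TLS is attempted
    finally:
        conn.close()
        thread.join()
    return seen[0]
```

`request_line(False)` returns the `GET https://priv.local/...` line that squid logged with status 400; `request_line(True)` returns a `CONNECT priv.local:443` line, which is the request a proxy expects before it relays TLS.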
Comment 11 Andrius Benokraitis 2013-10-15 15:29:00 EDT
No additional minor releases are planned for Production Phase 2 in Red Hat Enterprise Linux 5, and therefore Red Hat is closing this bugzilla as it does not meet the inclusion criteria as stated in:
https://access.redhat.com/site/support/policy/updates/errata/#Production_2_Phase