Bug 647828

Summary: Older clients are not able to connect to pulp on f13
Product: [Retired] Pulp
Component: z_other
Reporter: Preethi Thomas <pthomas>
Assignee: John Matthews <jmatthew>
QA Contact: Preethi Thomas <pthomas>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-08-16 14:20:30 UTC
Bug Blocks: 647488

Description Preethi Thomas 2010-10-29 15:36:58 UTC
Description of problem:

If I have bound to a repo on a remote server which is f13, I get the following error on the pulp client:
[root@localhost ~]# yum repolist
https://preethi.usersys.redhat.com/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""
Trying other mirror.
repo id                      repo name                                status
f12_x86_64_update            f12-repo--arch=x86_64                    enabled: 0
fedora                       Fedora 12 - x86_64                       enabled: 0
fedora-pulp                  Pulp Testing Builds                      enabled: 0
updates                      Fedora 12 - x86_64 - Updates             enabled: 0
repolist: 0


Here is my conversation with John for reference

<preethi_> jmatthews, so I have a client & server. I bind the client to the repo on the server
<preethi_> now when I try yum repolist I see this
<preethi_> https://mypulpserver/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""

<jmatthews> looks like httpd is complaining about how the client is negotiating the ssl connection
<jmatthews> I'm not certain of the fix, but I would like to try something
<preethi> ok
<jmatthews> may I upgrade yum on your client? you seem to be running an older yum, I think a new one may fix it
<preethi> sure
<preethi> was on a call with prad
<jmatthews> I found another fix
<jmatthews> there is also a server option we can use
<jmatthews> would you write up a bug on the behavior you saw, assign it to me, I will put more info in the bug and will ask the team for recommended fix.  
<jmatthews> seems like if we want to allow older clients we need to add a param to apache but it may be a security concern
<preethi> I will do that. thanks john
<jmatthews> to confirm, main issue is that older clients are not able to connect to pulp on f13, they receive an error:  "SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled"

Comment 1 John Matthews 2010-10-29 15:51:38 UTC
# yum --disablerepo=* --enablerepo="f12_x86_64_update" repolist
Config time: 0.046
repo time: 0.000
Yum Version: 3.2.25
COMMAND: yum --disablerepo=* --enablerepo=f12_x86_64_update repolist
Installroot: /
https://preethi.usersys.redhat.com/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: f12_x86_64_update. Please verify its path and try again


# tail -f /var/log/httpd/ssl_error_log
[Fri Oct 29 10:49:16 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:49:16 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:50:47 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:50:48 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 11:08:15 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 11:08:15 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 11:14:39 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 11:14:39 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled




I see two options.  
1) Upgrade the client, client was using yum 3.2.25 on F12.  I am using 3.2.27 on F12 without issue

2) Modify server to allow "insecure renegotiations".
Add "SSLInsecureRenegotiation on" to /etc/httpd/conf.d/pulp.conf
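
Added example (not part of the original bug report or of Pulp's code): a Python sketch that reads an ssl_error_log in the Apache 2.2-style format shown above and counts, per client IP, how many connections were rejected for legacy renegotiation, which shows how many clients option 1 would have to cover. The function name and the sample lines are constructed for illustration, and the 192.0.2.x addresses are documentation placeholders.

```python
import re
from collections import Counter

# Apache 2.2-style error-log line, as in the excerpt above; the client tag is optional.
LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] (?:\[client (?P<client>[^\]]+)\] )?(?P<msg>.*)$"
)
RENEG_FAILED = "Re-negotiation request failed"
LEGACY_ERR = "error:14080152:"  # OpenSSL error code quoted in this bug

def legacy_renegotiation_clients(lines):
    """Count legacy-renegotiation rejections per client IP.

    The library error line carries no client tag, so it is attributed to the
    "Re-negotiation request failed" line directly before it. Pairing is by
    adjacency, not timestamp: the two lines can be a second apart.
    """
    counts = Counter()
    pending = None  # client of the preceding renegotiation failure, if any
    for raw in lines:
        m = LINE.match(raw.strip())
        client, msg = (m.group("client"), m.group("msg")) if m else (None, "")
        if client and msg == RENEG_FAILED:
            pending = client
        elif pending and msg.startswith("SSL Library Error:") and LEGACY_ERR in msg:
            counts[pending] += 1
            pending = None
        else:
            pending = None  # unrelated line in between: do not guess
    return counts

# Constructed sample in the format of the excerpt above (not real log data).
SAMPLE_LOG = """\
[Fri Oct 29 10:49:16 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:49:16 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:50:47 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:50:48 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 11:02:03 2010] [error] [client 192.0.2.7] Re-negotiation request failed
[Fri Oct 29 11:02:03 2010] [error] SSL Library Error: 0 error:00000000:constructed placeholder for a different error
[Fri Oct 29 11:05:10 2010] [error] [client 192.0.2.8] Re-negotiation request failed
[Fri Oct 29 11:05:10 2010] [error] [client 192.0.2.8] File does not exist: /var/www/html/favicon.ico
"""

if __name__ == "__main__":
    hits = legacy_renegotiation_clients(SAMPLE_LOG.splitlines())
    for client, n in hits.most_common():
        print(f"{client}\t{n}")
```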

Comment 3 John Matthews 2010-10-29 16:17:50 UTC
Decided to go with decision 2 so we would be flexible and allow more yum clients the ability to connect to pulp and retrieve updates.

Comment 4 Jay Dobies 2010-10-29 16:58:28 UTC
Fixed in 0.77.

Comment 5 Jay Dobies 2010-11-03 19:35:30 UTC
Fixed in build 0.78.

Comment 6 Preethi Thomas 2010-12-06 16:13:08 UTC
verified
[root@10 ~]# rpm -q pulp
pulp-0.0.111-1.fc14.noarch


cat /etc/httpd/conf.d/pulp.conf 


# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation on

Comment 7 Preethi Thomas 2011-08-16 14:20:30 UTC
Closing with Community Release 15

pulp-0.0.223-4.