Bug 742914

Summary: RFE: Support IPv6 in m2crypto
Product: Red Hat Enterprise Linux 6
Reporter: Miroslav Suchý <msuchy>
Component: m2crypto
Assignee: Miloslav Trmač <mitr>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: high
Version: 6.2
CC: cperry, ddumas, ebenes, jpazdziora, mzazrivec, pvrabec, syeghiay, zmraz
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: m2crypto-0.20.2-8.el6 Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 761596 Environment:
Last Closed: 2012-06-20 15:12:32 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 739625, 750571, 761596, 878049    
Attachments:
Description Flags
urlgrabber test case - with changing the host name to point at an ipv4-only or ipv6-only address none

Description Miroslav Suchý 2011-10-03 11:27:43 UTC
Description of problem:
If you have a network with IPv6 only, then m2crypto is unusable.
The main problem is that it uses the AF_INET family when creating sockets. An example (and the main problem) is in the file:
 /usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py
around line 37
 self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
This will succeed since the machine has an IPv4 address (at least 127.0.0.1) but there is no routable machine in the IPv4 network.
And on line 170 in connect():
 self.socket.connect(addr)
it will fail with "Network is unreachable" which is true because there is nothing but localhost reachable using AF_INET.
If I change on line 37 s/AF_INET/AF_INET6/ then it starts working. But on the other hand it will then fail in an environment without IPv6.

Version-Release number of selected component (if applicable):
m2crypto-0.16-8.el5.x86_64
but el6 and Fedora 15 are affected as well.

How reproducible:
always in an IPv6-only network

Steps to Reproduce:
1. set your machine to use only IPv6:
--- /etc/sysconfig/network-scripts/ifcfg-eth0.orig      2011-10-03 13:23:41.000000000 +0200
+++ /etc/sysconfig/network-scripts/ifcfg-eth0   2011-10-03 11:58:09.000000000 +0200
@@ -1,4 +1,5 @@
 # Xen Virtual Ethernet
 DEVICE=eth0
-BOOTPROTO=dhcp
+#BOOTPROTO=dhcp
+BOOTPROTO=none
 ONBOOT=yes
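Review bot: `BOOTPROTO=none` only stops eth0 from getting its IPv4 address over DHCP; nothing in this hunk enables or configures IPv6 on the interface, so the reproducer depends on IPv6 settings that are not shown (for example `IPV6INIT=yes` in this file, or autoconfiguration on the link). State that prerequisite next to this step, and drop the commented-out `#BOOTPROTO=dhcp` line rather than keeping both.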

and run
ifdown eth0
ifup eth0

2. Run this script:
from M2Crypto.SSL.Connection import Connection
from M2Crypto import SSL
ctx = SSL.Context('sslv23')
a = Connection(ctx)
a.connect(('machine.in.ipv6.only.network.com', 443))

where the machine can be even the machine where you run that script. You just have to use FQDN and not "localhost".

  
Actual results:
Traceback (most recent call last):
  File "/tmp/p", line 10, in ?
    a.connect(('machine.in.ipv6.only.network.com', 443))
  File "/usr/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 170, in connect
    self.socket.connect(addr)
  File "<string>", line 1, in connect
socket.gaierror: (-2, 'Name or service not known')

Expected results:
m2crypto connects using IPv6 when IPv4 is not available.

Comment 1 RHEL Program Management 2011-10-03 11:48:53 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unfortunately unable to
address this request at this time. Red Hat invites you to
ask your support representative to propose this request, if
appropriate and relevant, in the next release of Red Hat
Enterprise Linux. If you would like it considered as an
exception in the current release, please ask your support
representative.

Comment 3 Miloslav Trmač 2012-01-10 17:11:01 UTC
M2Crypto.SSL.Connection mirrors Python's socket.socket, so it probably makes sense that it works with a specific address family, similarly to Python's socket.socket.

The handling of different address families would therefore belong in the caller, in this case M2Crypto.httpslib.HTTPSConnection.  This class is used by urlgrabber, so this change also fixes the test case in bug 739625 comment 4.

I have sent a patch upstream: https://bugzilla.osafoundation.org/show_bug.cgi?id=13044 .  Would this, instead of changing SSL.Connection as requested in this bug, work for you?
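
The caller-side handling described in comment 3, as an added example that is not part of this bug report or of the upstream M2Crypto patch: resolve with AF_UNSPEC and create each socket with the family the resolver returned, instead of a fixed AF_INET. It uses plain Python 3 sockets rather than M2Crypto; `connect_any_family`, its `resolve` parameter and the host name in `demo()` are hypothetical.

```python
import socket


def connect_any_family(host, port, timeout=5.0, resolve=socket.getaddrinfo):
    """Try every address the resolver returns, creating a socket of the
    matching family for each, and return the first one that connects.

    `resolve` is injectable (hypothetical parameter) so the fallback can be
    exercised without DNS.
    """
    errors = []
    for family, socktype, proto, _canon, sockaddr in resolve(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        sock = None
        try:
            # The family comes from the resolver result, not from a constant.
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            return sock
        except OSError as exc:
            # Unreachable network, unsupported family, refused connection...
            errors.append((family, sockaddr, exc))
            if sock is not None:
                sock.close()
    raise OSError("no address family worked for %s: %r" % (host, errors))


def demo():
    """Constructed scenario: a listener on IPv4 loopback only, while the
    constructed resolver offers an IPv6 address first."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def fake_resolve(_host, port_, _family, _socktype):
        tcp = socket.IPPROTO_TCP
        return [
            (socket.AF_INET6, socket.SOCK_STREAM, tcp, "", ("::1", port_, 0, 0)),
            (socket.AF_INET, socket.SOCK_STREAM, tcp, "", ("127.0.0.1", port_)),
        ]

    try:
        sock = connect_any_family("dual.example.test", port, resolve=fake_resolve)
        family = sock.family
        sock.close()
        return family
    finally:
        listener.close()
```
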

Comment 4 Miroslav Suchý 2012-01-11 10:28:01 UTC
Most probably yes. I will have to test it, but we use urlgrabber. So if that patch fixes this problem I really do not care if the fix is in urlgrabber of python or in m2crypto.

I will test the proposed patch and will let you know in a few days.

Comment 5 Miloslav Trmač 2012-01-11 13:09:05 UTC
(In reply to comment #4)
> Most probably yes. I will have to test it, but we use urlgrabber. So if that
> patch fixes this problem I really do not care if the fix is in urlgrabber of
> python or in m2crypto.
> 
> I will test the proposed patch and will let you know in a few days.

Thanks; note that urlgrabber (unless specifically configured otherwise) only uses M2Crypto in RHEL5, not in RHEL6.

Comment 6 Eduard Benes 2012-01-17 16:47:34 UTC
(In reply to comment #4)
> Most probably yes. I will have to test it, but we use urlgrabber. So if that
> patch fixes this problem I really do not care if the fix is in urlgrabber of
> python or in m2crypto.
> 
> I will test the proposed patch and will let you know in a few days.

Hi Mirek, could you please confirm that the fix proposed in comment #3 resolves the issue for you also in RHEL 6? According to comments #0, #4 and #5 there is a risk this would resolve the issue only for RHEL 5, but does not work for RHEL 6.
Thanks!

Comment 7 Miloslav Trmač 2012-01-19 19:58:53 UTC
Per bug #761596 comment 5, this patch fixes the issue for RHEL5 - so even if something different were necessary for RHEL6, we will need this patch in RHEL6 so that we don't introduce a RHEL5->RHEL6 regression.


Miroslav/Milan, can you confirm that no other changes will be necessary for RHEL6, please?

Comment 8 Milan Zázrivec 2012-01-20 10:27:48 UTC
I can confirm that the patch as shown in

    https://bugzilla.osafoundation.org/attachment.cgi?id=5743

is indeed a valid fix for the problem and reproducer described in

    https://bugzilla.osafoundation.org/show_bug.cgi?id=13044#c0

Nonetheless, this patch does not fix the problem described in the initial
comment of this bug report, i.e. the following reproducing script:

from M2Crypto.SSL.Connection import Connection
from M2Crypto import SSL
ctx = SSL.Context('sslv23')
a = Connection(ctx)
a.connect(('machine.in.ipv6.only.network.com', 443))


From Connection.__init__:
...
    self.socket = socket.socket(family, socket.SOCK_STREAM)
    self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

Comment 9 Miloslav Trmač 2012-01-20 10:38:58 UTC
(In reply to comment #8)
> Nonetheless, this patch does not fix the problem described in the initial
> comment of this bug report, i.e. the following reproducing script:
> 
> from M2Crypto.SSL.Connection import Connection
> from M2Crypto import SSL
> ctx = SSL.Context('sslv23')
> a = Connection(ctx)
> a.connect(('machine.in.ipv6.only.network.com', 443))

That is true, but is that relevant for Satellite?  See comment 3 for justification.

Comment 17 Miroslav Suchý 2012-03-05 12:53:56 UTC
With
 export URLGRABBER_DEBUG=1,debug.txt
the spacewalk-reposync just hangs, providing no useful output. Weird to me.

Comment 19 Miloslav Trmač 2012-03-12 16:05:57 UTC
Created attachment 569445
urlgrabber test case - with changing the host name to point at an ipv4-only or ipv6-only address

I have:

* Grepped both spacewalk master and satellite master branch:
  - M2Crypto is used in client/tools/rhn-virtualization/virtualization/localvdsm.py , but this is not related to sync and I've been told by Jan to basically ignore it
  - M2Crypto is imported in client/rhel/yum-rhn-plugin/rhnplugin.py , but only to configure behavior / catch an exception, no direct use (but urlgrabber is used)
  - There is not a single direct instantiation of M2Crypto.SSL.Connection (as mentioned as a test case in comment#0 item 2) anywhere
  - The only use of urlgrabber is in the above-mentioned rhnplugin.py
* Tried to emulate yum's use of urlgrabber, as suggested in comment #14 (and bug #739625 comment #4) - see attachment, against both IPv4 and IPv6.  Both worked fine in RHEL6, and strace showed that M2Crypto is not used at all.

In summary, I can't see that M2Crypto is used in RHN Satellite running on RHEL6 at all, except for localvdsm.py.  The use of M2Crypto in localvdsm.py _does_ trigger a bug that would be fixed by the patch in comment#3.

So, to proceed, I think we need either

* A use case of RHN Satellite that is broken by M2Crypto, with a specific test case (to be able to fix it at all)

or

* An argument that localvdsm.py is important, along with a confirmation that there are no other M2Crypto-related problems with RHN Satellite on RHEL6.  (so that QE would accept the patch in comment#3)

msuchy, mzazrivec?

Comment 27 errata-xmlrpc 2012-06-20 15:12:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0975.html