Bug 1099243 - Failure to sync against cdn.redhat.com, requires SSLv3 ([Errno 8] _ssl.c:504: EOF occurred in violation of protocol)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Pulp
Classification: Retired
Component: rpm-support
Version: 2.4 Beta
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: ---
Target Release: 2.4.0
Assignee: pulp-bugs
QA Contact: pulp-qe-list
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-19 21:53 UTC by John Matthews
Modified: 2014-05-30 12:38 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-05-30 12:38:12 UTC
Embargoed:


Attachments
Workaround to force sslv3 for https://cdn.redhat.com (963 bytes, patch)
2014-05-19 21:56 UTC, John Matthews

Description John Matthews 2014-05-19 21:53:28 UTC
Description of problem:

Nectar's use of the Python requests library is causing a problem syncing protected content from Red Hat's CDN (cdn.redhat.com).

The issue is that the CDN requires SSLv3 connections; nectar defaults to the default of urllib3, causing the error below to be displayed:

   [Errno 8] _ssl.c:504: EOF occurred in violation of protocol

Note: issues are also seen with 'wget' talking to the CDN; it also requires an explicit setting of SSLv3, --secure-protocol=SSLv3

"curl" does not require this, it works fine by default.




Version-Release number of selected component (if applicable):
python-nectar-1.2.1-1.fc20.noarch

$ rpm -qa | grep pulp
m2crypto-0.21.1.pulp-8.fc20.x86_64
pulp-rpm-admin-extensions-2.4.0-0.16.beta.fc20.noarch
pulp-server-2.4.0-0.16.beta.fc20.noarch
python-isodate-0.5.0-1.pulp.fc20.noarch
python-pulp-client-lib-2.4.0-0.16.beta.fc20.noarch
pulp-rpm-plugins-2.4.0-0.16.beta.fc20.noarch
pulp-selinux-2.4.0-0.16.beta.fc20.noarch
python-pulp-common-2.4.0-0.16.beta.fc20.noarch
python-pulp-rpm-common-2.4.0-0.16.beta.fc20.noarch
python-pulp-bindings-2.4.0-0.16.beta.fc20.noarch
pulp-admin-client-2.4.0-0.16.beta.fc20.noarch
pulp-puppet-plugins-2.4.0-0.16.beta.fc20.noarch
python-kombu-3.0.15-5.pulp.fc20.noarch
python-pulp-puppet-common-2.4.0-0.16.beta.fc20.noarch
pulp-puppet-admin-extensions-2.4.0-0.16.beta.fc20.noarch

How reproducible:


Steps to Reproduce:
1. Create a protected repo where the source is from cdn.redhat.com
2. Attempt to sync the repo
3.

Actual results:

# pulp-admin rpm repo create --repo-id=test --display-name=test --feed https://cdn.redhat.com/content/dist/rhel/rhui/server/5/5Server/i386/mrg-g/2.0/debug --feed-cert ./content_cert.crt --feed-key ./content_cert.key --feed-ca-cert ./cdn.redhat.com-chain.crt --verify-feed-ssl true


Successfully created repository [test]

[root@rhua config]# pulp-admin rpm repo sync run --repo-id test
+----------------------------------------------------------------------+
                    Synchronizing Repository [test]
+----------------------------------------------------------------------+

This command may be exited via ctrl+c without affecting the request.


Downloading metadata...
[\]
... failed

[Errno 8] _ssl.c:504: EOF occurred in violation of protocol


Task Failed

Importer indicated a failed response


Additional info:

Comment 1 John Matthews 2014-05-19 21:56:17 UTC
Created attachment 897333
Workaround to force sslv3 for https://cdn.redhat.com

Comment 2 John Matthews 2014-05-19 21:58:16 UTC
If anyone wants to explore the workaround, it can be applied as:

cd /usr/lib/python2.7/site-packages/nectar/downloaders/
patch -p0 < /path/to/nectar_force_ssl3_for_cdn.patch

Comment 3 Fabian Dammekens 2014-05-27 05:24:25 UTC
This bug also exists in 2.3 el6

Patched & confirmed working, running:
createrepo-0.9.9-21.2.pulp.el6.noarch
m2crypto-0.21.1.pulp-8.el6.x86_64
mod_wsgi-3.4-1.pulp.el6.x86_64
pulp-admin-client-2.3.1-1.el6.noarch
pulp-puppet-admin-extensions-2.3.1-1.el6.noarch
pulp-puppet-plugins-2.3.1-1.el6.noarch
pulp-rpm-admin-extensions-2.3.1-1.el6.noarch
pulp-selinux-2.3.1-1.el6.noarch
pulp-server-2.3.1-1.el6.noarch
python-isodate-0.5.0-1.pulp.el6.noarch
python-pulp-bindings-2.3.1-1.el6.noarch
python-pulp-client-lib-2.3.1-1.el6.noarch
python-pulp-common-2.3.1-1.el6.noarch
python-pulp-puppet-common-2.3.1-1.el6.noarch
python-pulp-rpm-common-2.3.1-1.el6.noarch
python-pulp-rpm-extension-2.3.1-1.el6.noarch
python-rhsm-1.8.0-1.pulp.el6.x86_64

python-2.6.6-52.el6.x86_64

Comment 4 Randy Barlow 2014-05-29 19:16:35 UTC
I have been unable to reproduce this issue. Does it happen consistently, or does it happen occasionally? Does it perhaps depend on which repository you are syncing? My entitlement certificate doesn't seem to allow me to access that mrg/demo repository.

I've successfully sync'd RHEL 5 and RHEL 6 server from the CDN, and I've not experienced this issue.

Comment 5 John Matthews 2014-05-30 12:38:12 UTC
Hi Randy,

The issue is constant and shows up on el6 and f20; I see it for any repo I attempt to sync. The issue is that Akamai turned on support for "session tickets" right around April 2.

Good news is Akamai is backing out the change, so we do not need to consider changes to nectar.

I'm unsure why you could not reproduce this; perhaps it is related to the entitlement certificate used. I am using an employee subscription created from the customer portal, and I generated a 'RHUI' certificate. This is an X509 cert where all of the OIDs are embedded in the cert; they are not compressed like the newer form of X509 certs.


To confirm, no work is required for this BZ.
The fix is on the CDN side and Akamai is implementing that now.
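
Added example (not part of the original bug thread, and not nectar or Pulp code): the thread attributes the handshake EOF first to the protocol version and then to Akamai's session-ticket change, so this diagnostic changes one ClientHello property at a time and records which variants a server accepts. It assumes Python 3.7+, which cannot negotiate SSLv3 and so does not reproduce the attached workaround; the variant names and the helpers build_context, classify and probe are illustrative.

```python
import socket
import ssl
import sys

# Each variant changes one ClientHello property relative to the library default.
VARIANTS = {
    "default": {},
    "no_session_ticket": {"no_ticket": True},
    "max_tls1_2": {"max_version": ssl.TLSVersion.TLSv1_2},
    "max_tls1_2_no_ticket": {"no_ticket": True, "max_version": ssl.TLSVersion.TLSv1_2},
}

def build_context(no_ticket=False, max_version=None):
    """Client context with certificate verification left on and one knob changed."""
    ctx = ssl.create_default_context()
    if no_ticket:
        # For TLS 1.2 and below, do not send the SessionTicket extension.
        ctx.options |= ssl.OP_NO_TICKET
    if max_version is not None:
        ctx.maximum_version = max_version
    return ctx

def classify(exc):
    """Map a handshake exception to a short label for the result table."""
    if isinstance(exc, ssl.SSLEOFError):
        return "eof"  # peer closed the connection mid-handshake, as in this bug
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert"
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    return "network"

def probe(host, port=443, timeout=10):
    """Attempt a handshake with every variant and return {variant: outcome}."""
    results = {}
    for name, kwargs in VARIANTS.items():
        ctx = build_context(**kwargs)
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = "ok " + tls.version()
        except (ssl.SSLError, OSError) as exc:
            results[name] = classify(exc)
    return results

if __name__ == "__main__":
    # Host name is taken from the command line, e.g. the feed host being synced.
    for name, outcome in probe(sys.argv[1]).items():
        print(f"{name:24} {outcome}")
```

A row that reads "eof" for the default variant but "ok" once session tickets are off points at the ticket extension rather than the protocol version.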

