Bug 208852 - HTTPS proxy support does not work for the yum client
HTTPS proxy support does not work for the yum client
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: yum-rhn-plugin (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Bryan Kearney
:
: 212403 (view as bug list)
Depends On: 210956 210963 210966 210975 211862
Blocks: 206941
  Show dependency treegraph
 
Reported: 2006-10-02 09:18 EDT by James Bowes
Modified: 2013-01-10 04:50 EST (History)
4 users (show)

See Also:
Fixed In Version: 5.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-11-13 10:44:07 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proxy CONNECT support (6.08 KB, patch)
2006-10-16 13:42 EDT, James Bowes
no flags Details | Diff

  None (edit)
Description James Bowes 2006-10-02 09:18:31 EDT
Python's default proxy support for HTTPS connects to a proxy just like it would
for http, and has the proxy GET from the https url. Thankfully, this fails, as
there are all kinds of security problems with this.

What we need is to have the client connect to the proxy and issue a CONNECT
command, which allows the client to directly connect to RHN via a tunnel through
the proxy.

I'm not sure at what level we would want to implement this.
Comment 1 James Bowes 2006-10-05 16:12:29 EDT
I've submitted a patch to M2Crypto that implements CONNECT support.

See bug 6975 in M2Crypto's bugzilla:
https://bugzilla.osafoundation.org/show_bug.cgi?id=6975
Comment 6 James Bowes 2006-10-16 13:42:42 EDT
Created attachment 138597 [details]
proxy CONNECT support

The patch against m2crypto
Comment 7 RHEL Product and Program Management 2006-10-17 10:49:26 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux release.  Product Management has requested further review
of this request by Red Hat Engineering.  This request is not yet committed for
inclusion in release.
Comment 9 Roman Lazarev 2006-10-19 09:58:19 EDT
This blocker corresponds to release criteria 19c5: yum connects through
authenticated/unauthenticated http proxy from client to RHN
Comment 10 Jay Turner 2006-10-19 10:06:57 EDT
QE ack for RHEL5B2.
Comment 14 James Bowes 2006-10-24 16:56:51 EDT
This should be fixed as of yum-rhn-plugin-0.1.9-3
Comment 15 James Bowes 2006-10-26 14:04:19 EDT
*** Bug 212403 has been marked as a duplicate of this bug. ***
Comment 16 Beth Nackashi 2006-10-29 16:15:36 EST
I tried to retest this with yum-rhn-plugin-0.2.0-1.el5 and m2crypto-0.16-6.el5
 on the client.  The squid log from cellar.rhndev (our http proxy) says:

1162154752.339    173 192.168.34.90 TCP_MISS/200 3500 CONNECT
xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
1162154752.455    110 192.168.34.90 TCP_MISS/200 3612 CONNECT
xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -

which I guess is correct.

However, if I try to actually do any yumming through this http proxy, I get
errors depending on my configuration.

Configuration 1:  client -> RHN proxy -> non-authenticated http proxy -> RHN
============================================================================
http proxy log:

1162156041.443    216 192.168.32.35 TCP_MISS/200 2273 POST
http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
1162156041.586    129 192.168.32.35 TCP_MISS/200 2405 POST
http://test07.rhndev.redhat.com/XMLRPC - DIRECT/192.168.36.23 text/xml
1162156042.147      0 192.168.32.35 TCP_DENIED/403 1370 CONNECT
test07.rhndev.redhat.com:80 - NONE/- text/html

RHN proxy log:
no entries

client error:
http://test07.rhndev.redhat.com/XMLRPC/GET-REQ/rhel-x86_64-server-5-beta/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error Proxy connection failed: 403>
Trying other mirror.
Error: Cannot open/read repomd.xml file for repository: rhel-x86_64-server-5-beta

** The above configuration works fine if I remove the http proxy and just use
the RHN proxy.


Configuration 2:  client -> non-authenticated http proxy -> RHN
===============================================================
http proxy log:

1162156145.684    177 192.168.34.90 TCP_MISS/200 3500 CONNECT
xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -
1162156145.802    113 192.168.34.90 TCP_MISS/200 3612 CONNECT
xmlrpc.rhn.webqa.redhat.com:443 - DIRECT/192.168.6.124 -

client error:
https://xmlrpc.rhn.webqa.redhat.com/XMLRPC/GET-REQ/rhel-i386-server-5-beta/repodata/repomd.xml:
[Errno 4] IOError: <urlopen error The connect operation timed out>
Trying other mirror.
Error: Cannot open/read repomd.xml file for repository: rhel-i386-server-5-beta

So, I would say proxy support still does not work for the yum client,
authenticated or not.
Comment 18 James Bowes 2006-10-30 11:05:08 EST
What versions of yum and urlgrabber are you using? I was able to use a proxy
fine with the following rpms:

rhn-client-tools-0.2.7-1.el5
m2crypto-0.16-6.el5
python-urlgrabber-3.1.0-1
yum-3.0-5.3
yum-rhn-plugin-0.2.0-1.el5
Comment 19 Beth Nackashi 2006-10-31 12:12:15 EST
Both configurations work for x86_64 client with the following package profile:

rhn-client-tools-0.2.7-1.el5
m2crypto-0.16-6.el5
python-urlgrabber-3.1.0-1
yum-3.0-5.3
yum-rhn-plugin-0.2.0-1.el5
rhnlib-2.2.5-1.el5

For i386 client, same.
Comment 20 Beth Nackashi 2006-10-31 16:15:23 EST
Also works with authenticated http proxy.
Comment 21 Jay Turner 2006-11-13 10:44:07 EST
Closing as the fixes are included in the latest RHEL5 trees (20061111.0)

Note You need to log in before you can comment on or make changes to this bug.