Bug 600941 - yum times out after update of libcurl
yum times out after update of libcurl
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: curl (Show other bugs)
13
All Linux
low Severity high
: ---
: ---
Assigned To: Kamil Dudka
Fedora Extras Quality Assurance
:
: 600937 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-06 14:41 EDT by fedora-bugzilla
Modified: 2014-01-21 18:15 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-09-28 06:02:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
nsswitch.conf (1.68 KB, text/plain)
2010-06-06 14:41 EDT, fedora-bugzilla
no flags Details
resolv.conf (87 bytes, text/plain)
2010-06-06 14:42 EDT, fedora-bugzilla
no flags Details

  None (edit)
Description fedora-bugzilla 2010-06-06 14:41:00 EDT
Description of problem: 
Since doing a yum update a few days ago i can no longer use yum to update/install software.


Version-Release number of selected component (if applicable):
3.2.27


How reproducible:
Fully update system


Steps to Reproduce:
1. update system
2. try running yum update
3. wait for time outs
  
Actual results: 
yum times out when contacting any websites


Expected results: 
Yum to work like it used to.

Additional info:

I suspected this was related to a recent curl/libcurl update so i originally posted to this bug report. https://bugzilla.redhat.com/process_bug.cgi 

Basicly the updated curl was causing yum to timeout when trying to contract mirror servers for update/package info. Upgrading to the "testing" curl posted there did NOT fix the issue...but downgrading the curl version to a older version DID work...but each time i use yum now it wants to update curl... so today i updated everything and yum is broken again. So as of right now i can not maintain packages through yum.

The error i get when using yum is:
Error: Cannot retrieve repository metadata (repomd.xml) for repository: fedora. Please verify its path and try again

If i manually try to goto the link( https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64 ) i can and it prompts me to download the xml file with the list of mirrors in it. I can also use wget to download the xml file fine....but if i goto use urlgrabber with the same url..it times out.

Im using ipv4 and ipv6(via hurricane electric)

On that other bug report someone suggested i include a few files so i will attach them here
Comment 1 fedora-bugzilla 2010-06-06 14:41:45 EDT
Created attachment 421637 [details]
nsswitch.conf
Comment 2 fedora-bugzilla 2010-06-06 14:42:18 EDT
Created attachment 421638 [details]
resolv.conf
Comment 3 fedora-bugzilla 2010-06-06 14:44:19 EDT
Looks like i copied the wrong link for the original bug report i mentioned. heres is the correct link https://bugzilla.redhat.com/show_bug.cgi?id=599340
Comment 4 seth vidal 2010-06-07 10:44:39 EDT
reassigning to curl.
Comment 5 Kamil Dudka 2010-06-07 11:54:30 EDT
Thanks for filling the bug!  Could you please attach output of the following two commands:

$ curl -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'

$ getent ahosts mirrors.fedoraproject.org
Comment 6 fedora-bugzilla 2010-06-07 15:22:42 EDT
here are the requested commands.

curl -svo/dev/null https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
[1] 5654
mike@Zero:~$ * About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2010 19:21:52 GMT
< Server: Apache/2.2.3 (Red Hat)
< cache-control: no-cache
< Content-Length: 101
< AppTime: D=65305
< AppServer: app03.phx2.fedoraproject.org
< Content-Type: application/metalink+xml
< ProxyTime: D=400976
< ProxyServer: proxy02.fedoraproject.org
< 
{ [data not shown]
* Connection #0 to host mirrors.fedoraproject.org left intact
* Closing connection #0


getent ahosts mirrors.fedoraproject.org
2001:4178:2:1269::12 STREAM wildcard.fedoraproject.org
2001:4178:2:1269::12 DGRAM  
2001:4178:2:1269::12 RAW    
2610:28:200:1::fed0:2 STREAM 
2610:28:200:1::fed0:2 DGRAM  
2610:28:200:1::fed0:2 RAW    
213.175.193.206 STREAM 
213.175.193.206 DGRAM  
213.175.193.206 RAW    
66.35.62.166    STREAM 
66.35.62.166    DGRAM  
66.35.62.166    RAW    
80.239.156.215  STREAM 
80.239.156.215  DGRAM  
80.239.156.215  RAW    
85.236.55.6     STREAM 
85.236.55.6     DGRAM  
85.236.55.6     RAW    
140.211.169.197 STREAM 
140.211.169.197 DGRAM  
140.211.169.197 RAW    
152.46.7.222    STREAM 
152.46.7.222    DGRAM  
152.46.7.222    RAW    
209.132.181.16  STREAM 
209.132.181.16  DGRAM  
209.132.181.16  RAW
Comment 7 Kamil Dudka 2010-06-07 15:33:31 EDT
(In reply to comment #6)
> mike@Zero:~$ * About to connect() to mirrors.fedoraproject.org port 443 (#0)
> *   Trying 2001:4178:2:1269::12... connected
> * Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)

So you have working IPv6 network and curl is able to connect.  This looks like the problem is in urlgrabber instead.

> getent ahosts mirrors.fedoraproject.org
> 2001:4178:2:1269::12 STREAM wildcard.fedoraproject.org
> 2001:4178:2:1269::12 DGRAM
> 2001:4178:2:1269::12 RAW

As temporary solution I suggest you to prioritize the IPv4 addresses if they work well in urlgrabber.  Try to tweak /etc/gai.conf according to its man page.
Comment 8 seth vidal 2010-06-07 15:37:37 EDT
Kamil,
 How is the problem in urlgrabber? Where should I be looking if it is?

urlgrabber passes everything to pycurl.
Comment 9 fedora-bugzilla 2010-06-07 15:39:53 EDT
unfortunately i dont have a gia.conf and "man gia.conf" does not have a entry....so i assume its not installed. And yum is unable to install anything.....only way i could install things is to manually download the rpm files and install them by hand....which id prefer not to have to resort to.
Comment 10 Kamil Dudka 2010-06-07 15:50:33 EDT
(In reply to comment #8)
>  How is the problem in urlgrabber? Where should I be looking if it is?

Since bug 548269 comment #17 curl didn't use IPv6 on the way from yum any more.  As soon is I fixed #548269 it brought up IPv6 again and triggered this bug.

> urlgrabber passes everything to pycurl.    

I can't tell at the moment.  It forces me to set up a F-13 installation with working IPv6.  It can take some time.

(In reply to comment #9)
> unfortunately i dont have a gia.conf and "man gia.conf" does not have a

I said gai.conf, not gia.conf :-)
Comment 11 seth vidal 2010-06-07 15:55:20 EDT
(In reply to comment #10)
> (In reply to comment #8)
> >  How is the problem in urlgrabber? Where should I be looking if it is?
> 
> Since bug 548269 comment #17 curl didn't use IPv6 on the way from yum any more.
>  As soon is I fixed #548269 it brought up IPv6 again and triggered this bug.
> 

So - isn't it slightly more likely that that bug isn't fixed?


> > urlgrabber passes everything to pycurl.    
> 
> I can't tell at the moment.  It forces me to set up a F-13 installation with
> working IPv6.  It can take some time.

What are you running on? B/c rhel6b urlgrabber should be the same as f13.
Comment 12 fedora-bugzilla 2010-06-07 15:57:45 EDT
Ah. i typo'ed that on here. I dont have a gai.conf or man entry.
Comment 13 Kamil Dudka 2010-06-07 15:58:54 EDT
(In reply to comment #6)
> here are the requested commands.
> 
> curl -svo/dev/null
> https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
> [1] 5654

Btw. you forgot to quote the URL and the shell took the '&' as a special character and cut off end of the URL.  But I don't think it changes anything for us.

Could you please also provide some trace of the failure with urlgrabber?  Thanks in advance!
Comment 14 Kamil Dudka 2010-06-07 16:05:10 EDT
(In reply to comment #11)
> So - isn't it slightly more likely that that bug isn't fixed?

If you mean bug 548269 , it should be properly fixed since curl-7.20.1-1.fc13.  At least I don't see anything wrong here.  glibc offers 2001:4178:2:1269::12 as first alternative, curl just grabs it and connects successfully.
Comment 15 Kamil Dudka 2010-06-07 16:07:10 EDT
(In reply to comment #12)
> Ah. i typo'ed that on here. I dont have a gai.conf or man entry.    

That's not likely to happen:

$ rpm -qf /usr/share/man/man5/gai.conf.5.gz
man-pages-3.23-6.fc13.noarch
Comment 16 fedora-bugzilla 2010-06-07 16:08:31 EDT
urlgrabber is not outputting much info with verbose turned up. Not sure if this
will help at all but this what it outputs for me. If there are additional
switches/arguments that will help let me know and i will provide them.

urlgrabber --verbose=10 --progress
"https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
grabbing: https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
[Errno 12] Timeout on
https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64: (28, '')

also im rerunning the curl command i had forgot to put the url in
quotations....its currently stalled on the "> Accept: */*" line. Waiting for it
to time out or do something....will post output from it when it does.
Comment 17 fedora-bugzilla 2010-06-07 16:10:14 EDT
i dont seem to have that file.

rpm -qf /usr/share/man/man5/gai.conf.5.gz
error: file /usr/share/man/man5/gai.conf.5.gz: No such file or directory
Comment 18 seth vidal 2010-06-07 16:14:49 EDT
try running
export URLGRABBER_DEBUG=1

then running the urlgrabber command
Comment 19 Kamil Dudka 2010-06-07 16:16:04 EDT
(In reply to comment #16)
> also im rerunning the curl command i had forgot to put the url in
> quotations....its currently stalled on the "> Accept: */*" line. Waiting for it
> to time out or do something....will post output from it when it does.    

Evil typo then ... it indeed changes the behavior.  Could you please try to force IPv4/IPv6 to curl and compare the results?

$ curl -4 -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'

$ curl -6 -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'
Comment 20 Kamil Dudka 2010-06-07 16:20:38 EDT
(In reply to comment #17)
> i dont seem to have that file.
> 
> rpm -qf /usr/share/man/man5/gai.conf.5.gz
> error: file /usr/share/man/man5/gai.conf.5.gz: No such file or directory

Looks weird to me, but you can still read the online man page instead.

http://linux.die.net/man/5/gai.conf

You can then check by strace(1) if the file is used or not:

$ strace -fe trace=open curl -so/dev/null http://mirrors.fedoraproject.org
Comment 21 fedora-bugzilla 2010-06-07 16:22:40 EDT
forcing curl to use ipv4 seems to work:

curl -svo/dev/null -4 "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 152.46.7.222... connected
* Connected to mirrors.fedoraproject.org (152.46.7.222) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Mon, 07 Jun 2010 20:19:58 GMT
< Server: Apache/2.2.3 (Red Hat)
< cache-control: no-cache
< Content-Length: 19158
< AppTime: D=118055
< AppServer: app01.phx2.fedoraproject.org
< Content-Type: application/metalink+xml
< ProxyTime: D=261048
< ProxyServer: proxy4.fedoraproject.org
< 
{ [data not shown]
* Connection #0 to host mirrors.fedoraproject.org left intact
* Closing connection #0



but forcing ipv6 it times out or stalls on this part:

curl -svo/dev/null -6 "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*
>
Comment 22 fedora-bugzilla 2010-06-07 16:23:44 EDT
turning debug on for urlgrabber it also times out on the Accept: */* part:

urlgrabber --verbose=10 --progress "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
2010-06-07 16:19:00,289 urlgrabber version  = 3.9.1
2010-06-07 16:19:00,289 trans function "_"  = <function _ at 0x100b398>
grabbing: https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
2010-06-07 16:19:00,291 combined options: {
  'delegate'     : {
    'bandwidth'    : 0,
    'cache_openers': True,
    'checkfunc'    : None,
    'close_connection': 0,
    'copy_local'   : 0,
    'data'         : None,
    'delegate'     : None,
    'failure_callback': None,
    'ftp_headers'  : None,
    'http_headers' : None,
    'interrupt_callback': None,
    'keepalive'    : 1,
    'max_header_size': 2097152,
    'opener'       : None,
    'prefix'       : None,
    'progress_obj' : <urlgrabber.progress.TextMeter instance at 0x1072878>,
    'proxies'      : None,
    'quote'        : None,
    'range'        : None,
    'reget'        : None,
    'retry'        : None,
    'retrycodes'   : [-1, 2, 4, 5, 6, 7],
    'size'         : None,
    'ssl_ca_cert'  : None,
    'ssl_cert'     : None,
    'ssl_cert_type': 'PEM',
    'ssl_context'  : None,
    'ssl_key'      : None,
    'ssl_key_pass' : None,
    'ssl_key_type' : 'PEM',
    'ssl_verify_host': True,
    'ssl_verify_peer': True,
    'text'         : None,
    'throttle'     : 1.0,
    'timeout'      : 300,
    'urlparser'    : <urlgrabber.grabber.URLParser instance at 0x1072998>,
    'user_agent'   : 'urlgrabber/3.9.1',
    }
  }
2010-06-07 16:19:00,292 attempt 1/None: https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
2010-06-07 16:19:00,292 opening local file "metalink" with mode wb
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... * connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* warning: ignoring unsupported value (1) of ssl.verifyhost
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
User-Agent: urlgrabber/3.9.1
Host: mirrors.fedoraproject.org
Accept: */*
Comment 23 Kamil Dudka 2010-06-07 16:33:40 EDT
This looks crazy.  You're able to establish a IPv6/TCP connection on the port 443.  Then you're able to brought up the SSL layer.  But you're not able to get any data on top of that.  This means the server cert must have been already transferred to your box!  Any firewall in place?

Please give us also the trace of working wget on the same URL.  Thanks!
Comment 24 fedora-bugzilla 2010-06-07 16:37:50 EDT
Yea its using the default firewall...not sure if that even covers ipv6...but everything was working fine up until some updates a few days ago...so im not really sure a firewall is affecting this.

Here is the output of wget with debug turned on:

wget -d "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
DEBUG output created by Wget 1.12 on linux-gnu.

--2010-06-07 16:35:13--  https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64
Resolving mirrors.fedoraproject.org... 2001:4178:2:1269::12, 2610:28:200:1::fed0:2, 66.35.62.166, ...
Caching mirrors.fedoraproject.org => 2001:4178:2:1269::12 2610:28:200:1::fed0:2 66.35.62.166 80.239.156.215 85.236.55.6 140.211.169.197 152.46.7.222 209.132.181.16 213.175.193.206
Connecting to mirrors.fedoraproject.org|2001:4178:2:1269::12|:443... connected.
Created socket 3.
Releasing 0x0000000001d17120 (new refcount 1).
Initiating SSL handshake.
Handshake successful; connected socket 3 to SSL handle 0x0000000001d3da30
certificate:
  subject: /C=US/ST=North Carolina/L=Raleigh/O=Red Hat Inc/OU=Corporate Infrastructure Services/CN=*.fedoraproject.org
  issuer:  /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
X509 certificate successfully verified and matches host mirrors.fedoraproject.org

---request begin---
GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.0
User-Agent: Wget/1.12 (linux-gnu)
Accept: */*
Host: mirrors.fedoraproject.org
Connection: Keep-Alive

---request end---
HTTP request sent, awaiting response... 
---response begin---
HTTP/1.1 200 OK
Date: Mon, 07 Jun 2010 20:35:13 GMT
Server: Apache/2.2.3 (Red Hat)
cache-control: no-cache
Content-Length: 19490
AppTime: D=151114
AppServer: app01.phx2.fedoraproject.org
Content-Type: application/metalink+xml
ProxyTime: D=489222
ProxyServer: proxy02.fedoraproject.org
Keep-Alive: timeout=15, max=500
Connection: Keep-Alive

---response end---
200 OK
Registered socket 3 for persistent reuse.
Length: 19490 (19K) [application/metalink+xml]
Saving to: “metalink?repo=fedora-13&arch=x86_64.1”

100%[===================================================================================================================================================================================================>] 19,490      57.5K/s   in 0.3s    

2010-06-07 16:35:14 (57.5 KB/s) - “metalink?repo=fedora-13&arch=x86_64.1” saved [19490/19490]
Comment 25 Kamil Dudka 2010-06-07 16:56:50 EDT
(In reply to comment #24)
> Yea its using the default firewall...not sure if that even covers ipv6...but
> everything was working fine up until some updates a few days ago...so im not
> really sure a firewall is affecting this.

Yes, because until the update a few days ago, IPv6 hadn't been used at all by yum.  Nevertheless it doesn't mean that the update itself is broken.  It just triggered a bug elsewhere.

This will probably force me to disable IPv6 in libcurl unless it's explicitly enabled.  That way it basically worked before the update.  Seth, what do you mean?

> Connecting to mirrors.fedoraproject.org|2001:4178:2:1269::12|:443... connected.
> Created socket 3.
> Releasing 0x0000000001d17120 (new refcount 1).
> Initiating SSL handshake.
> Handshake successful; connected socket 3 to SSL handle 0x0000000001d3da30

From the above, I see that wget uses IPv6 successfully.

> ---response begin---
> HTTP/1.1 200 OK
> Date: Mon, 07 Jun 2010 20:35:13 GMT
> Server: Apache/2.2.3 (Red Hat)
> cache-control: no-cache
> Content-Length: 19490
> AppTime: D=151114
> AppServer: app01.phx2.fedoraproject.org
> Content-Type: application/metalink+xml
> ProxyTime: D=489222
> ProxyServer: proxy02.fedoraproject.org
> Keep-Alive: timeout=15, max=500
> Connection: Keep-Alive
> 
> ---response end---
> 200 OK

I have no idea why this works with wget, but not with curl.  The only significant difference is the SSL layer.  wget uses OpenSSL while curl uses NSS.  Could you please try also different SSL versions if it makes any difference?

$ curl -6 --sslv2 -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'

$ curl -6 --sslv3 -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'

$ curl -6 --tlsv1 -svo/dev/null \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'
Comment 26 fedora-bugzilla 2010-06-07 17:08:55 EDT
Trying all three versions of ssl all timeout at the same spot the "Accept: */*" line. heres output from all three:

curl -svo/dev/null --tlsv1 -6 "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*


curl -svo/dev/null --sslv2 -6 "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_CK_RC4_128_WITH_MD5
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*


curl -svo/dev/null --sslv3 -6 "https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64"
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.6.2 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: mirrors.fedoraproject.org
> Accept: */*
Comment 27 Kamil Dudka 2010-06-07 17:20:26 EDT
Thanks for all the info!  One more try please:

$ curl -6 -svo/dev/null \
    --http1.0 \
    --user-agent 'Wget/1.12 (linux-gnu)' \
    --header 'Connection: Keep-Alive' \
    'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'
Comment 28 fedora-bugzilla 2010-06-07 17:25:11 EDT
Heres is the output from that....its been hung at this like for about 2-3 mins.

curl -6 -svo/dev/null --http1.0 --user-agent 'Wget/1.12 (linux-gnu)' --header 'Connection: Keep-Alive' 'https://mirrors.fedoraproject.org/metalink?repo=fedora-13&arch=x86_64'
* About to connect() to mirrors.fedoraproject.org port 443 (#0)
*   Trying 2001:4178:2:1269::12... connected
* Connected to mirrors.fedoraproject.org (2001:4178:2:1269::12) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*.fedoraproject.org,OU=Corporate Infrastructure Services,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US
* 	start date: Jul 30 12:17:52 2008 GMT
* 	expire date: Jul 31 12:17:52 2010 GMT
* 	common name: *.fedoraproject.org
* 	issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
> GET /metalink?repo=fedora-13&arch=x86_64 HTTP/1.0
> User-Agent: Wget/1.12 (linux-gnu)
> Host: mirrors.fedoraproject.org
> Accept: */*
> Connection: Keep-Alive
Comment 29 Kamil Dudka 2010-06-07 17:54:43 EDT
Then I really don't know why it works with wget, but not with curl.  Reordering the priorities in /etc/gai.conf should solve the problem for you.  See bug 549892 for details.
Comment 30 fedora-bugzilla 2010-06-07 18:19:33 EDT
Adding these lines to the file /etc/gai.conf fixed the issue:

#    For sites which prefer IPv4 connections change the last line to
#
precedence ::ffff:0:0/96  100



This feels like a band aid for a deeper issue...but is at least allowing me to use yum again.
Comment 31 Kamil Dudka 2010-06-07 18:33:41 EDT
(In reply to comment #30)
> Adding these lines to the file /etc/gai.conf fixed the issue:
> 
> #    For sites which prefer IPv4 connections change the last line to
> #
> precedence ::ffff:0:0/96  100

Hopefully the above helps some people hitting the same problem.  So far I am not aware of anybody else.  It must be something specific to your configuration, or network.  Thanks for your help.  I'll leave the bug open for now to catch any other issues which are ralated to that update.
Comment 32 seth vidal 2010-06-23 08:06:19 EDT
*** Bug 600937 has been marked as a duplicate of this bug. ***
Comment 33 Kamil Dudka 2010-09-28 06:02:03 EDT
Nobody has subscribed here for quite some time, so it seems like users managed to update their network configuration.  Either way, this is _not_ a bug of libcurl, I am closing it now.

Note You need to log in before you can comment on or make changes to this bug.