Bug 647828 - Older clients are not able to connect to pulp on f13
Summary: Older clients are not able to connect to pulp on f13
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: John Matthews
QA Contact: Preethi Thomas
URL:
Whiteboard:
Depends On:
Blocks: verified-to-close
Reported: 2010-10-29 15:36 UTC by Preethi Thomas
Modified: 2011-08-16 14:20 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-08-16 14:20:30 UTC
Embargoed:



Description Preethi Thomas 2010-10-29 15:36:58 UTC
Description of problem:

If I have bound to a repo on a remote server which is f13, I get the following error on the pulp client:
[root@localhost ~]# yum repolist
https://preethi.usersys.redhat.com/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""
Trying other mirror.
repo id                      repo name                                status
f12_x86_64_update            f12-repo--arch=x86_64                    enabled: 0
fedora                       Fedora 12 - x86_64                       enabled: 0
fedora-pulp                  Pulp Testing Builds                      enabled: 0
updates                      Fedora 12 - x86_64 - Updates             enabled: 0
repolist: 0


Here is my conversation with John for reference

<preethi_> jmatthews, so I have a client & server. I bind the client to the repo on the server
<preethi_> now when I try yum repolist I see this
<preethi_> https://mypulpserver/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""

<jmatthews> looks like httpd is complaining about how the client is negotiating the ssl connection
<jmatthews> I'm not certain of the fix, but I would like to try something
<preethi> ok
<jmatthews> may I upgrade yum on your client?  you seem to be running an older yum, I think a new one may fix it
<preethi> sure
<preethi> was on a call with prad
<jmatthews> I found another fix
<jmatthews> there is also a server option we can use
<jmatthews> would you write up a bug on the behavior you saw, assign it to me, I will put more info in the bug and will ask the team for recommended fix.  
<jmatthews> seems like if we want to allow older clients we need to add a param to apache but it may be a security concern
<preethi> I will do that. thanks john
<jmatthews> to confirm, main issue is that older clients are not able to connect to pulp on f13, they receive an error:  "SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled"

Comment 1 John Matthews 2010-10-29 15:51:38 UTC
# yum --disablerepo=* --enablerepo="f12_x86_64_update" repolist
Config time: 0.046
repo time: 0.000
Yum Version: 3.2.25
COMMAND: yum --disablerepo=* --enablerepo=f12_x86_64_update repolist
Installroot: /
https://preethi.usersys.redhat.com/pulp/repos/pub/fedora/linux/updates/12/x86_64/repodata/repomd.xml: [Errno 14] PYCURL ERROR 52 - ""
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: f12_x86_64_update. Please verify its path and try again


# tail -f /var/log/httpd/ssl_error_log
[Fri Oct 29 10:49:16 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:49:16 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:50:47 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:50:48 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 11:08:15 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 11:08:15 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 11:14:39 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 11:14:39 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled




I see two options.  
1) Upgrade the client, client was using yum 3.2.25 on F12.  I am using 3.2.27 on F12 without issue

2) Modify server to allow "insecure renegotiations".
Add "SSLInsecureRenegotiation on" to /etc/httpd/conf.d/pulp.conf
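
Added example (not part of the original comment or of Pulp): the ssl_error_log lines above can be paired up to list which clients still depend on legacy renegotiation, and so would need the yum upgrade from option 1. The sample log is constructed in the same format, and lines are paired by adjacency, which assumes the two lines of one failure are not interleaved with another connection's.

```python
import re
from collections import Counter

# Constructed sample in the ssl_error_log format shown in Comment 1.
SAMPLE_LOG = """\
[Fri Oct 29 10:49:16 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:49:16 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:50:02 2010] [error] [client 192.0.2.7] Re-negotiation request failed
[Fri Oct 29 10:50:02 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:50:47 2010] [error] [client 10.16.120.161] Re-negotiation request failed
[Fri Oct 29 10:50:48 2010] [error] SSL Library Error: 336068946 error:14080152:SSL routines:SSL3_ACCEPT:unsafe legacy renegotiation disabled
[Fri Oct 29 10:51:10 2010] [error] [client 192.0.2.9] Re-negotiation request failed
[Fri Oct 29 10:51:10 2010] [error] [client 192.0.2.9] File does not exist: /var/www/html/favicon.ico
"""

FAILED = re.compile(r"\[client (?P<ip>[^\]]+)\] Re-negotiation request failed")
LEGACY = "unsafe legacy renegotiation disabled"


def legacy_renegotiation_clients(lines):
    """Count, per client IP, renegotiation failures caused by the legacy check.

    The client address is only on the "Re-negotiation request failed" line and
    the reason is only on the next line, so the two are joined by adjacency.
    Timestamps are not compared: the pair can straddle a second boundary.
    """
    counts = Counter()
    pending = None  # client IP from a failure line still waiting for its reason
    for line in lines:
        match = FAILED.search(line)
        if match:
            pending = match.group("ip")
        elif pending and LEGACY in line:
            counts[pending] += 1
            pending = None
        else:
            pending = None  # failure had some other cause, or unrelated line
    return counts


if __name__ == "__main__":
    for ip, n in legacy_renegotiation_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}\t{n} legacy renegotiation attempts")
```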

Comment 3 John Matthews 2010-10-29 16:17:50 UTC
Decided to go with decision 2 so we would be flexible and allow more yum clients the ability to connect to pulp and retrieve updates.

Comment 4 Jay Dobies 2010-10-29 16:58:28 UTC
Fixed in 0.77.

Comment 5 Jay Dobies 2010-11-03 19:35:30 UTC
Fixed in build 0.78.

Comment 6 Preethi Thomas 2010-12-06 16:13:08 UTC
verified
[root@10 ~]# rpm -q pulp
pulp-0.0.111-1.fc14.noarch


cat /etc/httpd/conf.d/pulp.conf 


# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation on
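
Added example (not from the original report or the Pulp project): a small audit that reports where SSLInsecureRenegotiation is in effect, so the exception made for this bug can be tracked and removed once the old clients are gone. The configuration text and virtual host names are constructed, and the code assumes a virtual host inherits the server-wide value unless it sets its own.

```python
import re

# Constructed httpd configuration; host names and ports are placeholders.
SAMPLE_CONF = """\
# allow older yum clients to connect, see bz 647828
SSLInsecureRenegotiation on

<VirtualHost *:443>
    ServerName repos.example.test
    sslinsecurerenegotiation Off
</VirtualHost>

<VirtualHost *:8443>
    ServerName legacy.example.test
    #SSLInsecureRenegotiation on
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</VirtualHost>", re.I)
# Directive names and on/off values are case-insensitive in httpd configs.
DIRECTIVE = re.compile(r"SSLInsecureRenegotiation\s+(on|off)\b", re.I)


def insecure_renegotiation_scopes(conf_text):
    """Return {scope: enabled} for the server-wide scope and each <VirtualHost>."""
    explicit, vhosts, scope = {}, [], "server"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives have no effect
        opened = OPEN.match(line)
        if opened:
            scope = "vhost " + opened.group(1).strip()
            vhosts.append(scope)
        elif CLOSE.match(line):
            scope = "server"
        else:
            found = DIRECTIVE.match(line)
            if found:
                explicit[scope] = found.group(1).lower() == "on"
    server = explicit.get("server", False)  # the directive defaults to off
    effective = {"server": server}
    for vhost in vhosts:
        # Assumption: a vhost without its own setting inherits the server-wide one.
        effective[vhost] = explicit.get(vhost, server)
    return effective
```

On the sample, the top-level `on` also applies to the `*:8443` host, which never sets the directive itself; only the host that explicitly says `Off` is excluded.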

Comment 7 Preethi Thomas 2011-08-16 14:20:30 UTC
Closing with Community Release 15

pulp-0.0.223-4.

