Red Hat Bugzilla – Bug 87985
up2date fails with SSL handshake failure
Last modified: 2007-11-30 17:07:11 EST
Description of problem:
(This may be related to bug 69781, except in that case, the error message came
after a successful connection.)
My system is having problems connecting to RHN via up2date. I've tried the
applet, and I've tried up2date on the command line, both with and without the
--nox option. With the GUI version, I get an error window, and with the command
line version, I get a shorter version of the same message.
I signed up for the basic service two days ago, but still no luck connecting.
I built a second RH linux box, but no-go with that one either...but the first
time the error window popped up, at least there was another window behind it
asking me to install the GPG key.
When I try to register the second machine, the GUI freezes on the first window.
Registering via "up2date --register" or "up2date --nox --register" fails as
well. After about 10 minutes, the SSL error message pops up again.
I can connect via telnet to xmlrpc.rhn.redhat.com 443
The rhnsd service is running, set to run in levels 3, 4, and 5.
Date/Time are set appropriately via NTP.
Nameservers are set correctly in /etc/resolv.conf
URLs in up2date config file are correct.
This problem started 4 days ago, and up2date worked fine before then. Nothing
unusual was done/changed to the system or firewall.
The second system is a fresh install and has never had a successful connection.
Reproducible always on both.
Some interesting things I noticed:
1) This started about the same time that 9.0 ISO was released for downloading.
2) tcpdump shows successful DNS query, then syn flag from me to RHN, then
syn/ack from RHN, then a series of unanswered acks from me to RHN, then about
3-4 minutes later, a fin from RHN, then a rst.
3) what really is weird, and may be a good clue (I hope): I can't connect via
web browser to *any* of the redhat.com sites, http or https. Only RedHat sites.
Any other site is browsable. My non-linux computers can connect to
<server>.redhat.com just fine. The tcpdump for this shows the same pattern as
above. The nameserver pops right up with an IP for RedHat servers.
Version-Release number of selected component (if applicable):
kernel v. 2.4.18-27.8.0
openSSL v. 0.9.6b
up2date v. 3.0.7
Steps to Reproduce:
1. Run up2date in any form (GUI or command line)
2. Error occurs
Error: [('SSL routines', 'SSL23_WRITE', 'ssl handshake failure')]
/usr/sbin/stunnel -r xmlrpc.rhn.redhat.com:443 -cf -v 2 -A /usr/share/rhn/RHNS-
2003.04.03 20:48:28 LOG5[14407:16384]: Using 'xmlrpc.rhn.redhat.com.443' as
tcpwrapper service name
2003.04.03 20:48:28 LOG5[14407:16384]: stunnel 3.22 on i386-redhat-linux-gnu
PTHREAD+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001
It stopped after that...is it supposed to spew forth anything after this?
Created attachment 90901
Full Error message
As a result of your stunnel, you should have also seen:
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=1, /C=US/ST=North
Carolina/L=Research Triangle Park/O=Red Hat, Inc./OU=Red Hat Network
Services/CN=RHNS Certificate Authority/Emailfirstname.lastname@example.org
2003.04.04 12:31:15 LOG5[12354:1024]: VERIFY OK: depth=0, /C=US/ST=North
Carolina/L=Raleigh/O=Red Hat, Inc./OU=Red Hat
Is there a firewall that blocks outgoing port 443 traffic? From the non-linux
machines can you use SSL? https://www.redhat.com
The firewall allows 443 traffic.
I can connect via https on the linux computers to non-redhat sites.
Other computers connect through just fine on https to redhat site.
telnet xmlrpc.rhn.redhat.com 443
You should see:
Connected to xmlrpc.rhn.redhat.com (188.8.131.52).
Escape character is '^]'.
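A staged check that automates the telnet-then-stunnel triage used in this thread, added here as an example (it is not part of the bug report or of up2date): diagnose_tls reports whether a connection fails at TCP connect, stalls inside the TLS handshake (this bug's symptom: TCP connects, then nothing comes back), or is rejected during the handshake. The two localhost listeners are constructed stand-ins for a broken network path, not Red Hat's servers.

```python
import socket
import ssl
import threading

def diagnose_tls(host, port, cafile=None, timeout=5.0):
    """Where an HTTPS connection fails, mirroring the telnet-then-stunnel triage:
    'tcp' (no TCP connection), 'tls-timeout' (TCP connects but the handshake
    never completes, this bug's symptom), 'tls-error' (handshake rejected:
    non-TLS reply, reset, bad certificate) or 'ok' (chain verified)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp"
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain + hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.getpeercert()
        return "ok"
    except socket.timeout:
        return "tls-timeout"
    except OSError:  # ssl.SSLError, ConnectionResetError, EOF mid-handshake
        return "tls-error"

def closed_port():
    """Localhost port nothing listens on (constructed input for the 'tcp' case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def serve_once(behaviour):
    """Throwaway localhost listener standing in for a broken path (constructed):
    'stall' reads the ClientHello and never answers, 'plaintext' answers with
    a non-TLS banner. Returns the port to connect to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        srv.close()
        conn.recv(4096)  # consume the ClientHello so close() sends FIN, not RST
        if behaviour == "plaintext":
            conn.sendall(b"HTTP/1.0 400 Bad Request\r\n\r\n")
        else:
            threading.Event().wait(10)  # outlast the client's handshake timeout
        conn.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real host, pass the CA bundle the client trusts as cafile (for RHN that would be the RHNS CA file stunnel was given above); a successful TCP connect followed by 'tls-timeout' is the signature the tcpdump in this report shows.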
Mihai, thanks for the troubleshooting tips. Your first one got me thinking. If
other computers can connect, then why not use one of them as a proxy?
So, I set up a different proxy machine, pointed the linux machines at it, and
now the SSL on the linux machines works just fine. Up2date is working fine now.
Diagnosis: Windows-based firewall is in a sorry state. Solution: Replace with
linux firewall & proxy.
I respectfully and apologetically withdraw this bug report.